From patchwork Thu Jul 25 15:31:33 2024
From: Jann Horn
Subject: [PATCH v3 0/2] allow KASAN to detect UAF in SLAB_TYPESAFE_BY_RCU slabs
Date: Thu, 25 Jul 2024 17:31:33 +0200
Message-Id: <20240725-kasan-tsbrcu-v3-0-51c92f8f1101@google.com>
To: Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Vlastimil Babka, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Marco Elver, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Jann Horn
Hi!

The purpose of the series is to allow KASAN to detect use-after-free
access in SLAB_TYPESAFE_BY_RCU slab caches, by essentially making them
behave as if the cache was not SLAB_TYPESAFE_BY_RCU but instead every
kfree() in the cache was a kfree_rcu(). This is gated behind a config
flag that is supposed to only be enabled in fuzzing/testing builds
where the performance impact doesn't matter.

Output of the new kunit testcase I added to the KASAN test suite:

==================================================================
BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3ae/0x4d0
Read of size 1 at addr ffff888106224000 by task kunit_try_catch/224

CPU: 7 PID: 224 Comm: kunit_try_catch Tainted: G B N 6.10.0-00003-g065427d4b87f #430
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 dump_stack_lvl+0x53/0x70
 print_report+0xce/0x670
 [...]
 kasan_report+0xa5/0xe0
 [...]
 kmem_cache_rcu_uaf+0x3ae/0x4d0
 [...]
 kunit_try_run_case+0x1b3/0x490
 [...]
 kunit_generic_run_threadfn_adapter+0x80/0xe0
 kthread+0x2a5/0x370
 [...]
 ret_from_fork+0x34/0x70
 [...]
 ret_from_fork_asm+0x1a/0x30

Allocated by task 224:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x6e/0x70
 kmem_cache_alloc_noprof+0xef/0x2b0
 kmem_cache_rcu_uaf+0x10d/0x4d0
 kunit_try_run_case+0x1b3/0x490
 kunit_generic_run_threadfn_adapter+0x80/0xe0
 kthread+0x2a5/0x370
 ret_from_fork+0x34/0x70
 ret_from_fork_asm+0x1a/0x30

Freed by task 0:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x57/0x80
 slab_free_after_rcu_debug+0xe3/0x220
 rcu_core+0x676/0x15b0
 handle_softirqs+0x22f/0x690
 irq_exit_rcu+0x84/0xb0
 sysvec_apic_timer_interrupt+0x6a/0x80
 asm_sysvec_apic_timer_interrupt+0x1a/0x20

Last potentially related work creation:
 kasan_save_stack+0x33/0x60
 __kasan_record_aux_stack+0x8e/0xa0
 kmem_cache_free+0x10c/0x420
 kmem_cache_rcu_uaf+0x16e/0x4d0
 kunit_try_run_case+0x1b3/0x490
 kunit_generic_run_threadfn_adapter+0x80/0xe0
 kthread+0x2a5/0x370
 ret_from_fork+0x34/0x70
 ret_from_fork_asm+0x1a/0x30

The buggy address belongs to the object at ffff888106224000
 which belongs to the cache test_cache of size 200
The buggy address is located 0 bytes inside of
 freed 200-byte region [ffff888106224000, ffff8881062240c8)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106224
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: 0xffffefff(slab)
raw: 0200000000000040 ffff88810621c140 dead000000000122 0000000000000000
raw: 0000000000000000 00000000801f001f 00000001ffffefff 0000000000000000
head: 0200000000000040 ffff88810621c140 dead000000000122 0000000000000000
head: 0000000000000000 00000000801f001f 00000001ffffefff 0000000000000000
head: 0200000000000001 ffffea0004188901 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888106223f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888106223f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888106224000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888106224080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff888106224100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ok 38 kmem_cache_rcu_uaf

Signed-off-by: Jann Horn
---
Changes in v2:
Patch 1/2 is new; it's some necessary prep work for the main patch to
work, though the KASAN integration maybe is a bit ugly.
Patch 2/2 is a rebased version of the old patch, with some changes to
how the config is wired up, with poison/unpoison logic added as
suggested by dvyukov@ back then, with cache destruction fixed using
rcu_barrier() as pointed out by dvyukov@ and the test robot, and a test
added as suggested by elver@.

Changes in v3:
- in patch 1/2, integrate akpm's fix for !CONFIG_KASAN build failure
- in patch 2/2, as suggested by vbabka, use dynamically allocated
  rcu_head to avoid having to add slab metadata
- in patch 2/2, add a warning in the kconfig help text that objects can
  be recycled immediately under memory pressure
- Link to v2: https://lore.kernel.org/r/20240724-kasan-tsbrcu-v2-0-45f898064468@google.com

---
Jann Horn (2):
      kasan: catch invalid free before SLUB reinitializes the object
      slub: Introduce CONFIG_SLUB_RCU_DEBUG

 include/linux/kasan.h | 30 +++++++++++++++----
 mm/Kconfig.debug      | 29 ++++++++++++++++++
 mm/kasan/common.c     | 60 +++++++++++++++++++++++++++----------
 mm/kasan/kasan_test.c | 44 +++++++++++++++++++++++++++
 mm/slab_common.c      | 12 ++++++++
 mm/slub.c             | 83 ++++++++++++++++++++++++++++++++++++++++++++++-----
 6 files changed, 230 insertions(+), 28 deletions(-)
---
base-commit: 0c3836482481200ead7b416ca80c68a29cfdaabd
change-id: 20240723-kasan-tsbrcu-b715a901f776
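As an added illustration, not code from the series or from the kernel, the following userspace C model shows the contract the cover letter describes: with a plain SLAB_TYPESAFE_BY_RCU cache a read after the grace period is a use-after-free that KASAN never sees, while the kfree_rcu()-like deferral turns the same read into a report. The cache_model type, the shadow byte and the two scenario functions are invented for this model.

```c
/* Added model, not code from the series: a SLAB_TYPESAFE_BY_RCU object cannot be
 * poisoned at kmem_cache_free() because RCU readers may still legitimately touch
 * it, so KASAN stays silent; the debug mode treats the free like kfree_rcu() and
 * poisons once the grace period has ended. All names here are invented. */
#include <stdbool.h>

#define SHADOW_FREED 0xfb        /* freed-object shadow marker, as in the report above */

struct cache_model {
	bool rcu_debug;          /* stands in for CONFIG_SLUB_RCU_DEBUG */
	unsigned char shadow;    /* shadow byte for the cache's single object; 0 = valid */
	bool free_pending;       /* freed, waiting for the RCU grace period */
};

/* Model of kmem_cache_free() on a SLAB_TYPESAFE_BY_RCU cache. */
void cache_free(struct cache_model *c)
{
	if (c->rcu_debug)
		c->free_pending = true;  /* defer the real free, like kfree_rcu() */
	/* otherwise the memory stays an unpoisoned, type-safe instance */
}

/* Grace period ends (compare rcu_barrier()): deferred frees poison now. */
void grace_period_elapsed(struct cache_model *c)
{
	if (c->free_pending) {
		c->free_pending = false;
		c->shadow = SHADOW_FREED;
	}
}

/* Read between free and grace period: legal for an RCU reader, so never
 * reported in either mode. Returns 1 if KASAN would report the read. */
int read_within_grace_period(bool rcu_debug)
{
	struct cache_model c = { .rcu_debug = rcu_debug };
	cache_free(&c);
	return c.shadow != 0;
}

/* Read after the grace period: a genuine use-after-free, which only the
 * rcu_debug mode turns into a report. Returns 1 if KASAN would report it. */
int read_after_grace_period(bool rcu_debug)
{
	struct cache_model c = { .rcu_debug = rcu_debug };
	cache_free(&c);
	grace_period_elapsed(&c);
	return c.shadow != 0;
}
```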