[RFC,v3,26/36] kmsan: use __msan_memcpy() where possible.

Message ID	20191122112621.204798-27-glider@google.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=DNi/=ZO=kvack.org=owner-linux-mm@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C4F1020672 Date: Fri, 22 Nov 2019 12:26:11 +0100 In-Reply-To: <20191122112621.204798-1-glider@google.com> Message-Id: <20191122112621.204798-27-glider@google.com> Mime-Version: 1.0 References: <20191122112621.204798-1-glider@google.com> Subject: [PATCH RFC v3 26/36] kmsan: use __msan_memcpy() where possible. From: glider@google.com To: Vegard Nossum <vegard.nossum@oracle.com>, Dmitry Vyukov <dvyukov@google.com>, linux-mm@kvack.org Cc: glider@google.com, viro@zeniv.linux.org.uk, adilger.kernel@dilger.ca, akpm@linux-foundation.org, andreyknvl@google.com, aryabinin@virtuozzo.com, luto@kernel.org, ard.biesheuvel@linaro.org, arnd@arndb.de, hch@infradead.org, hch@lst.de, darrick.wong@oracle.com, davem@davemloft.net, dmitry.torokhov@gmail.com, ebiggers@google.com, edumazet@google.com, ericvh@gmail.com, gregkh@linuxfoundation.org, harry.wentland@amd.com, herbert@gondor.apana.org.au, iii@linux.ibm.com, mingo@elte.hu, jasowang@redhat.com, axboe@kernel.dk, m.szyprowski@samsung.com, elver@google.com, mark.rutland@arm.com, martin.petersen@oracle.com, schwidefsky@de.ibm.com, willy@infradead.org, mst@redhat.com, monstr@monstr.eu, pmladek@suse.com, cai@lca.pw, rdunlap@infradead.org, robin.murphy@arm.com, sergey.senozhatsky@gmail.com, rostedt@goodmis.org, tiwai@suse.com, tytso@mit.edu, tglx@linutronix.de, gor@linux.ibm.com, wsa@the-dreams.de Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	Add KernelMemorySanitizer infrastructure \| expand [RFC,v3,00/36] Add KernelMemorySanitizer infrastructure [RFC,v3,01/36] stackdepot: check depot_index before accessing the stack slab [RFC,v3,02/36] stackdepot: build with -fno-builtin [RFC,v3,03/36] kasan: stackdepot: move filter_irq_stacks() to stackdepot.c [RFC,v3,04/36] stackdepot: reserve 5 extra bits in depot_stack_handle_t [RFC,v3,05/36] kmsan: add ReST documentation [RFC,v3,06/36] kmsan: gfp: introduce __GFP_NO_KMSAN_SHADOW [RFC,v3,07/36] kmsan: introduce __no_sanitize_memory and __SANITIZE_MEMORY__ [RFC,v3,08/36] kmsan: reduce vmalloc space [RFC,v3,09/36] kmsan: add KMSAN bits to struct page and struct task_struct [RFC,v3,10/36] kmsan: add KMSAN runtime [RFC,v3,11/36] kmsan: stackdepot: don't allocate KMSAN metadata for stackdepot [RFC,v3,12/36] kmsan: define READ_ONCE_NOCHECK() [RFC,v3,13/36] kmsan: make READ_ONCE_TASK_STACK() return initialized values [RFC,v3,14/36] kmsan: x86: sync metadata pages on page fault [RFC,v3,15/36] kmsan: add tests for KMSAN [RFC,v3,16/36] crypto: kmsan: disable accelerated configs under KMSAN [RFC,v3,17/36] kmsan: x86: disable UNWINDER_ORC under KMSAN [RFC,v3,18/36] kmsan: disable LOCK_DEBUGGING_SUPPORT [RFC,v3,20/36] kmsan: x86: increase stack sizes in KMSAN builds [RFC,v3,21/36] kmsan: disable KMSAN instrumentation for certain kernel parts [RFC,v3,22/36] kmsan: mm: call KMSAN hooks from SLUB code [RFC,v3,23/36] kmsan: call KMSAN hooks where needed [RFC,v3,24/36] kmsan: disable instrumentation of certain functions [RFC,v3,25/36] kmsan: unpoison \|tlb\| in arch_tlb_gather_mmu() [RFC,v3,26/36] kmsan: use __msan_memcpy() where possible. [RFC,v3,27/36] kmsan: hooks for copy_to_user() and friends [RFC,v3,28/36] kmsan: enable KMSAN builds [RFC,v3,29/36] kmsan: handle /dev/[u]random [RFC,v3,30/36] kmsan: virtio: check/unpoison scatterlist in vring_map_one_sg() [RFC,v3,31/36] kmsan: disable strscpy() optimization under KMSAN [RFC,v3,32/36] kmsan: add iomap support [RFC,v3,33/36] kmsan: dma: unpoison memory mapped by dma_direct_map_page() [RFC,v3,34/36] kmsan: disable physical page merging in biovec [RFC,v3,35/36] kmsan: ext4: skip block merging logic in ext4_mpage_readpages for KMSAN [RFC,v3,36/36] net: kasan: kmsan: support CONFIG_GENERIC_CSUM on x86, enable it for KASAN/KMSAN

Message ID

20191122112621.204798-27-glider@google.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C4F1020672
Date: Fri, 22 Nov 2019 12:26:11 +0100
In-Reply-To: <20191122112621.204798-1-glider@google.com>
Message-Id: <20191122112621.204798-27-glider@google.com>
Mime-Version: 1.0
References: <20191122112621.204798-1-glider@google.com>
Subject: [PATCH RFC v3 26/36] kmsan: use __msan_memcpy() where possible.
From: glider@google.com
To: Vegard Nossum <vegard.nossum@oracle.com>,
 Dmitry Vyukov <dvyukov@google.com>, linux-mm@kvack.org
Cc: glider@google.com, viro@zeniv.linux.org.uk, adilger.kernel@dilger.ca,
	akpm@linux-foundation.org, andreyknvl@google.com, aryabinin@virtuozzo.com,
	luto@kernel.org, ard.biesheuvel@linaro.org, arnd@arndb.de, hch@infradead.org,
	hch@lst.de, darrick.wong@oracle.com, davem@davemloft.net,
	dmitry.torokhov@gmail.com, ebiggers@google.com, edumazet@google.com,
	ericvh@gmail.com, gregkh@linuxfoundation.org, harry.wentland@amd.com,
	herbert@gondor.apana.org.au, iii@linux.ibm.com, mingo@elte.hu,
	jasowang@redhat.com, axboe@kernel.dk, m.szyprowski@samsung.com,
	elver@google.com, mark.rutland@arm.com, martin.petersen@oracle.com,
	schwidefsky@de.ibm.com, willy@infradead.org, mst@redhat.com,
 monstr@monstr.eu,
	pmladek@suse.com, cai@lca.pw, rdunlap@infradead.org, robin.murphy@arm.com,
	sergey.senozhatsky@gmail.com, rostedt@goodmis.org, tiwai@suse.com,
	tytso@mit.edu, tglx@linutronix.de, gor@linux.ibm.com, wsa@the-dreams.de
Content-Type: text/plain; charset="UTF-8"
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

Add KernelMemorySanitizer infrastructure | expand

Commit Message

Alexander Potapenko Nov. 22, 2019, 11:26 a.m. UTC

Unless stated otherwise (by explicitly calling __memcpy()) we want all
memcpy() calls to call __msan_memcpy() so that shadow and origin values
are updated accordingly.

Bootloader must still the default string functions to avoid crashes.

Signed-off-by: Alexander Potapenko <glider@google.com>
To: Alexander Potapenko <glider@google.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: linux-mm@kvack.org
---
v3:
 - use default string functions in the bootloader

Change-Id: Ib2512ce5aa8d457453dd38caa12f58f002166813
---
 arch/x86/boot/compressed/misc.h  | 1 +
 arch/x86/include/asm/string_64.h | 9 ++++++++-
 include/linux/compiler.h         | 9 ++++++++-
 include/linux/string.h           | 2 ++
 4 files changed, 19 insertions(+), 2 deletions(-)

Comments

Andrey Konovalov Nov. 29, 2019, 3:13 p.m. UTC | #1

On Fri, Nov 22, 2019 at 12:27 PM <glider@google.com> wrote:
>
> Unless stated otherwise (by explicitly calling __memcpy()) we want all
> memcpy() calls to call __msan_memcpy() so that shadow and origin values
> are updated accordingly.

Why do we only do this for memcpy() but not for memove() and others?

>
> Bootloader must still the default string functions to avoid crashes.

must still use

>
> Signed-off-by: Alexander Potapenko <glider@google.com>
> To: Alexander Potapenko <glider@google.com>
> Cc: Vegard Nossum <vegard.nossum@oracle.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: linux-mm@kvack.org
> ---
> v3:
>  - use default string functions in the bootloader
>
> Change-Id: Ib2512ce5aa8d457453dd38caa12f58f002166813
> ---
>  arch/x86/boot/compressed/misc.h  | 1 +
>  arch/x86/include/asm/string_64.h | 9 ++++++++-
>  include/linux/compiler.h         | 9 ++++++++-
>  include/linux/string.h           | 2 ++
>  4 files changed, 19 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
> index c8181392f70d..dd4bd8c5d97a 100644
> --- a/arch/x86/boot/compressed/misc.h
> +++ b/arch/x86/boot/compressed/misc.h
> @@ -12,6 +12,7 @@
>  #undef CONFIG_PARAVIRT_XXL
>  #undef CONFIG_PARAVIRT_SPINLOCKS
>  #undef CONFIG_KASAN
> +#undef CONFIG_KMSAN
>
>  /* cpu_feature_enabled() cannot be used this early */
>  #define USE_EARLY_PGTABLE_L5
> diff --git a/arch/x86/include/asm/string_64.h b/arch/x86/include/asm/string_64.h
> index 75314c3dbe47..d3c76d910c23 100644
> --- a/arch/x86/include/asm/string_64.h
> +++ b/arch/x86/include/asm/string_64.h
> @@ -11,7 +11,13 @@
>     function. */
>
>  #define __HAVE_ARCH_MEMCPY 1
> +#if defined(CONFIG_KMSAN)
> +#undef memcpy
> +/* __msan_memcpy() is defined in compiler.h */
> +#define memcpy(dst, src, len) __msan_memcpy(dst, src, len)
> +#else
>  extern void *memcpy(void *to, const void *from, size_t len);
> +#endif
>  extern void *__memcpy(void *to, const void *from, size_t len);
>
>  #define __HAVE_ARCH_MEMSET
> @@ -64,7 +70,8 @@ char *strcpy(char *dest, const char *src);
>  char *strcat(char *dest, const char *src);
>  int strcmp(const char *cs, const char *ct);
>
> -#if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
> +#if (defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)) || \
> +       (defined(CONFIG_KMSAN) && !defined(__SANITIZE_MEMORY__))
>
>  /*
>   * For files that not instrumented (e.g. mm/slub.c) we
> diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> index 99d40f31a2c3..9ce11f4f4cb2 100644
> --- a/include/linux/compiler.h
> +++ b/include/linux/compiler.h
> @@ -179,6 +179,13 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
>
>  #include <uapi/linux/types.h>
>
> +#ifdef CONFIG_KMSAN
> +void *__msan_memcpy(void *dst, const void *src, u64 size);
> +#define __DO_MEMCPY(res, p, size) __msan_memcpy(res, p, size)
> +#else
> +#define __DO_MEMCPY(res, p, size) __builtin_memcpy(res, p, size)
> +#endif
> +
>  #define __READ_ONCE_SIZE                                               \
>  ({                                                                     \
>         switch (size) {                                                 \
> @@ -188,7 +195,7 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
>         case 8: *(__u64 *)res = *(volatile __u64 *)p; break;            \
>         default:                                                        \
>                 barrier();                                              \
> -               __builtin_memcpy((void *)res, (const void *)p, size);   \
> +               __DO_MEMCPY((void *)res, (const void *)p, size);        \
>                 barrier();                                              \
>         }                                                               \
>  })
> diff --git a/include/linux/string.h b/include/linux/string.h
> index b6ccdc2c7f02..5d8ce09cba2e 100644
> --- a/include/linux/string.h
> +++ b/include/linux/string.h
> @@ -363,6 +363,7 @@ __FORTIFY_INLINE void *memset(void *p, int c, __kernel_size_t size)
>         return __builtin_memset(p, c, size);
>  }
>
> +#ifndef CONFIG_KMSAN
>  __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
>  {
>         size_t p_size = __builtin_object_size(p, 0);
> @@ -377,6 +378,7 @@ __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
>                 fortify_panic(__func__);
>         return __builtin_memcpy(p, q, size);
>  }
> +#endif
>
>  __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
>  {
> --
> 2.24.0.432.g9d3f5f5b63-goog
>

Alexander Potapenko Dec. 5, 2019, 3:46 p.m. UTC | #2

On Fri, Nov 29, 2019 at 4:13 PM Andrey Konovalov <andreyknvl@google.com> wrote:
>
> On Fri, Nov 22, 2019 at 12:27 PM <glider@google.com> wrote:
> >
> > Unless stated otherwise (by explicitly calling __memcpy()) we want all
> > memcpy() calls to call __msan_memcpy() so that shadow and origin values
> > are updated accordingly.
>
> Why do we only do this for memcpy() but not for memove() and others?
Hm, interesting.
Looks like I simply forgot to add memset() and memmove(). Could have
costed us some false negatives.
> >
> > Bootloader must still the default string functions to avoid crashes.
>
> must still use
Ack
>
> >
> > Signed-off-by: Alexander Potapenko <glider@google.com>
> > To: Alexander Potapenko <glider@google.com>
> > Cc: Vegard Nossum <vegard.nossum@oracle.com>
> > Cc: Dmitry Vyukov <dvyukov@google.com>
> > Cc: linux-mm@kvack.org
> > ---
> > v3:
> >  - use default string functions in the bootloader
> >
> > Change-Id: Ib2512ce5aa8d457453dd38caa12f58f002166813
> > ---
> >  arch/x86/boot/compressed/misc.h  | 1 +
> >  arch/x86/include/asm/string_64.h | 9 ++++++++-
> >  include/linux/compiler.h         | 9 ++++++++-
> >  include/linux/string.h           | 2 ++
> >  4 files changed, 19 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
> > index c8181392f70d..dd4bd8c5d97a 100644
> > --- a/arch/x86/boot/compressed/misc.h
> > +++ b/arch/x86/boot/compressed/misc.h
> > @@ -12,6 +12,7 @@
> >  #undef CONFIG_PARAVIRT_XXL
> >  #undef CONFIG_PARAVIRT_SPINLOCKS
> >  #undef CONFIG_KASAN
> > +#undef CONFIG_KMSAN
> >
> >  /* cpu_feature_enabled() cannot be used this early */
> >  #define USE_EARLY_PGTABLE_L5
> > diff --git a/arch/x86/include/asm/string_64.h b/arch/x86/include/asm/string_64.h
> > index 75314c3dbe47..d3c76d910c23 100644
> > --- a/arch/x86/include/asm/string_64.h
> > +++ b/arch/x86/include/asm/string_64.h
> > @@ -11,7 +11,13 @@
> >     function. */
> >
> >  #define __HAVE_ARCH_MEMCPY 1
> > +#if defined(CONFIG_KMSAN)
> > +#undef memcpy
> > +/* __msan_memcpy() is defined in compiler.h */
> > +#define memcpy(dst, src, len) __msan_memcpy(dst, src, len)
> > +#else
> >  extern void *memcpy(void *to, const void *from, size_t len);
> > +#endif
> >  extern void *__memcpy(void *to, const void *from, size_t len);
> >
> >  #define __HAVE_ARCH_MEMSET
> > @@ -64,7 +70,8 @@ char *strcpy(char *dest, const char *src);
> >  char *strcat(char *dest, const char *src);
> >  int strcmp(const char *cs, const char *ct);
> >
> > -#if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
> > +#if (defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)) || \
> > +       (defined(CONFIG_KMSAN) && !defined(__SANITIZE_MEMORY__))
> >
> >  /*
> >   * For files that not instrumented (e.g. mm/slub.c) we
> > diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> > index 99d40f31a2c3..9ce11f4f4cb2 100644
> > --- a/include/linux/compiler.h
> > +++ b/include/linux/compiler.h
> > @@ -179,6 +179,13 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
> >
> >  #include <uapi/linux/types.h>
> >
> > +#ifdef CONFIG_KMSAN
> > +void *__msan_memcpy(void *dst, const void *src, u64 size);
> > +#define __DO_MEMCPY(res, p, size) __msan_memcpy(res, p, size)
> > +#else
> > +#define __DO_MEMCPY(res, p, size) __builtin_memcpy(res, p, size)
> > +#endif
> > +
> >  #define __READ_ONCE_SIZE                                               \
> >  ({                                                                     \
> >         switch (size) {                                                 \
> > @@ -188,7 +195,7 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
> >         case 8: *(__u64 *)res = *(volatile __u64 *)p; break;            \
> >         default:                                                        \
> >                 barrier();                                              \
> > -               __builtin_memcpy((void *)res, (const void *)p, size);   \
> > +               __DO_MEMCPY((void *)res, (const void *)p, size);        \
> >                 barrier();                                              \
> >         }                                                               \
> >  })
> > diff --git a/include/linux/string.h b/include/linux/string.h
> > index b6ccdc2c7f02..5d8ce09cba2e 100644
> > --- a/include/linux/string.h
> > +++ b/include/linux/string.h
> > @@ -363,6 +363,7 @@ __FORTIFY_INLINE void *memset(void *p, int c, __kernel_size_t size)
> >         return __builtin_memset(p, c, size);
> >  }
> >
> > +#ifndef CONFIG_KMSAN
> >  __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
> >  {
> >         size_t p_size = __builtin_object_size(p, 0);
> > @@ -377,6 +378,7 @@ __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
> >                 fortify_panic(__func__);
> >         return __builtin_memcpy(p, q, size);
> >  }
> > +#endif
> >
> >  __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
> >  {
> > --
> > 2.24.0.432.g9d3f5f5b63-goog
> >

diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
index c8181392f70d..dd4bd8c5d97a 100644
--- a/arch/x86/boot/compressed/misc.h
+++ b/arch/x86/boot/compressed/misc.h
@@ -12,6 +12,7 @@ 
 #undef CONFIG_PARAVIRT_XXL
 #undef CONFIG_PARAVIRT_SPINLOCKS
 #undef CONFIG_KASAN
+#undef CONFIG_KMSAN
 
 /* cpu_feature_enabled() cannot be used this early */
 #define USE_EARLY_PGTABLE_L5
diff --git a/arch/x86/include/asm/string_64.h b/arch/x86/include/asm/string_64.h
index 75314c3dbe47..d3c76d910c23 100644
--- a/arch/x86/include/asm/string_64.h
+++ b/arch/x86/include/asm/string_64.h
@@ -11,7 +11,13 @@ 
    function. */
 
 #define __HAVE_ARCH_MEMCPY 1
+#if defined(CONFIG_KMSAN)
+#undef memcpy
+/* __msan_memcpy() is defined in compiler.h */
+#define memcpy(dst, src, len) __msan_memcpy(dst, src, len)
+#else
 extern void *memcpy(void *to, const void *from, size_t len);
+#endif
 extern void *__memcpy(void *to, const void *from, size_t len);
 
 #define __HAVE_ARCH_MEMSET
@@ -64,7 +70,8 @@  char *strcpy(char *dest, const char *src);
 char *strcat(char *dest, const char *src);
 int strcmp(const char *cs, const char *ct);
 
-#if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
+#if (defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)) || \
+	(defined(CONFIG_KMSAN) && !defined(__SANITIZE_MEMORY__))
 
 /*
  * For files that not instrumented (e.g. mm/slub.c) we
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 99d40f31a2c3..9ce11f4f4cb2 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -179,6 +179,13 @@  void ftrace_likely_update(struct ftrace_likely_data *f, int val,
 
 #include <uapi/linux/types.h>
 
+#ifdef CONFIG_KMSAN
+void *__msan_memcpy(void *dst, const void *src, u64 size);
+#define __DO_MEMCPY(res, p, size) __msan_memcpy(res, p, size)
+#else
+#define __DO_MEMCPY(res, p, size) __builtin_memcpy(res, p, size)
+#endif
+
 #define __READ_ONCE_SIZE						\
 ({									\
 	switch (size) {							\
@@ -188,7 +195,7 @@  void ftrace_likely_update(struct ftrace_likely_data *f, int val,
 	case 8: *(__u64 *)res = *(volatile __u64 *)p; break;		\
 	default:							\
 		barrier();						\
-		__builtin_memcpy((void *)res, (const void *)p, size);	\
+		__DO_MEMCPY((void *)res, (const void *)p, size);	\
 		barrier();						\
 	}								\
 })
diff --git a/include/linux/string.h b/include/linux/string.h
index b6ccdc2c7f02..5d8ce09cba2e 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -363,6 +363,7 @@  __FORTIFY_INLINE void *memset(void *p, int c, __kernel_size_t size)
 	return __builtin_memset(p, c, size);
 }
 
+#ifndef CONFIG_KMSAN
 __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
 {
 	size_t p_size = __builtin_object_size(p, 0);
@@ -377,6 +378,7 @@  __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
 		fortify_panic(__func__);
 	return __builtin_memcpy(p, q, size);
 }
+#endif
 
 __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
 {

[RFC,v3,26/36] kmsan: use __msan_memcpy() where possible.

Commit Message

Comments

Patch