From patchwork Mon Aug 19 21:35:22 2024
X-Patchwork-Submitter: Matthew Maurer
X-Patchwork-Id: 13769024
Date: Mon, 19 Aug 2024 21:35:22 +0000
In-Reply-To: <20240819213534.4080408-1-mmaurer@google.com>
References: <20240819213534.4080408-1-mmaurer@google.com>
Message-ID: <20240819213534.4080408-5-mmaurer@google.com>
Subject: [PATCH v3 4/4] kasan: rust: Add KASAN smoke test via UAF
From: Matthew Maurer
To: dvyukov@google.com, ojeda@kernel.org, andreyknvl@gmail.com, Andrey Ryabinin, Andrew Morton, Alex Gaynor, Wedson Almeida Filho
Cc: aliceryhl@google.com, samitolvanen@google.com, kasan-dev@googlegroups.com, linux-mm@kvack.org, glider@google.com, Matthew Maurer, Vincenzo Frascino, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org

Adds a smoke test to ensure that KASAN in Rust is actually detecting a Rust-native UAF. There is significant room to expand this test suite, but this will at least ensure that flags are having the intended effect.

Signed-off-by: Matthew Maurer

--- mm/kasan/Makefile | 9 ++++++++- mm/kasan/kasan.h | 1 + mm/kasan/{kasan_test.c => kasan_test_c.c} | 11 +++++++++++ mm/kasan/kasan_test_rust.rs | 19 +++++++++++++++++++ 4 files changed, 39 insertions(+), 1 deletion(-) rename mm/kasan/{kasan_test.c => kasan_test_c.c} (99%) create mode 100644 mm/kasan/kasan_test_rust.rs diff --git a/mm/kasan/Makefile b/mm/kasan/Makefile index 7634dd2a6128..d718b0f72009 100644 --- a/mm/kasan/Makefile +++ b/mm/kasan/Makefile @@ -44,7 +44,8 @@ ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX CFLAGS_KASAN_TEST += -fno-builtin endif -CFLAGS_kasan_test.o := $(CFLAGS_KASAN_TEST) +CFLAGS_kasan_test_c.o := $(CFLAGS_KASAN_TEST) +RUSTFLAGS_kasan_test_rust.o := $(RUSTFLAGS_KASAN) CFLAGS_kasan_test_module.o := $(CFLAGS_KASAN_TEST) obj-y := common.o report.o 
@@ -54,3 +55,9 @@ obj-$(CONFIG_KASAN_SW_TAGS) += init.o report_sw_tags.o shadow.o sw_tags.o tags.o obj-$(CONFIG_KASAN_KUNIT_TEST) += kasan_test.o obj-$(CONFIG_KASAN_MODULE_TEST) += kasan_test_module.o + +kasan_test-objs := kasan_test_c.o + +ifdef CONFIG_RUST +kasan_test-objs += kasan_test_rust.o +endif diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index fb2b9ac0659a..e5205746cc85 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h @@ -566,6 +566,7 @@ static inline void kasan_kunit_test_suite_end(void) { } bool kasan_save_enable_multi_shot(void); void kasan_restore_multi_shot(bool enabled); +char kasan_test_rust_uaf(void); #endif diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test_c.c similarity index 99% rename from mm/kasan/kasan_test.c rename to mm/kasan/kasan_test_c.c index 7b32be2a3cf0..3a81e85a083f 100644 --- a/mm/kasan/kasan_test.c +++ b/mm/kasan/kasan_test_c.c @@ -1899,6 +1899,16 @@ static void match_all_mem_tag(struct kunit *test) kfree(ptr); } +/* + * Check that Rust performing a use-after-free using `unsafe` is detected. + * This is a smoke test to make sure that Rust is being sanitized properly. + */ +static void rust_uaf(struct kunit *test) +{ + KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf()); +} + + static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(kmalloc_oob_right), KUNIT_CASE(kmalloc_oob_left), @@ -1971,6 +1981,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(match_all_not_assigned), KUNIT_CASE(match_all_ptr_tag), KUNIT_CASE(match_all_mem_tag), + KUNIT_CASE(rust_uaf), {} }; diff --git a/mm/kasan/kasan_test_rust.rs b/mm/kasan/kasan_test_rust.rs new file mode 100644 index 000000000000..7239303b232c --- /dev/null +++ b/mm/kasan/kasan_test_rust.rs 
@@ -0,0 +1,19 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Helper crate for KASAN testing +//! Provides behavior to check the sanitization of Rust code. +use kernel::prelude::*; +use core::ptr::addr_of_mut; + +/// Trivial UAF - allocate a big vector, grab a pointer partway through, +/// drop the vector, and touch it. +#[no_mangle] +pub extern "C" fn kasan_test_rust_uaf() -> u8 { + let mut v: Vec = Vec::new(); + for _ in 0..4096 { + v.push(0x42, GFP_KERNEL).unwrap(); + } + let ptr: *mut u8 = addr_of_mut!(v[2048]); + drop(v); + unsafe { *ptr } +}
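Review bot: In the second mm/kasan/Makefile hunk (@@ -54,3 +55,9 @@), the `ifdef CONFIG_RUST` / `endif` block around `kasan_test-objs += kasan_test_rust.o` can be written in the usual kbuild conditional form, `kasan_test-y := kasan_test_c.o` followed by `kasan_test-$(CONFIG_RUST) += kasan_test_rust.o`. That is shorter and reads the same way as the `obj-$(CONFIG_KASAN_KUNIT_TEST)` and `obj-$(CONFIG_KASAN_MODULE_TEST)` lines directly above it.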
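Review bot: The prototype added in the mm/kasan/kasan.h hunk returns `char`, but the definition in kasan_test_rust.rs is `pub extern "C" fn kasan_test_rust_uaf() -> u8`. Declaring it as `u8 kasan_test_rust_uaf(void);` keeps both sides of the FFI boundary on the same type. A one-line comment that the symbol is implemented in kasan_test_rust.rs would also help, since nothing in the header says it is not a C function.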
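Review bot: `rust_uaf()` in the kasan_test_c.c hunk (@@ -1899,6 +1899,16 @@) calls `kasan_test_rust_uaf()` unconditionally, while the Makefile only links kasan_test_rust.o under `ifdef CONFIG_RUST`, so with CONFIG_RUST unset the test object is left with an unresolved reference. Either build the function and its `KUNIT_CASE(rust_uaf)` entry only when CONFIG_RUST is set, or provide a stub for the non-Rust case and have the test skip itself there. Minor: the hunk leaves two blank lines between `rust_uaf()` and `kasan_kunit_test_cases[]`; one is enough.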
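Review bot: The `unsafe { *ptr }` that ends `kasan_test_rust_uaf()` in kasan_test_rust.rs has no comment on the block itself; since the access is unsound on purpose, say so right there (for example "deliberate read of freed memory, must be caught by KASAN") so it is not mistaken for an oversight or "fixed" later. The byte being read is one the function itself stored as 0x42, so a plain load could in principle be folded by the optimizer; `core::ptr::read_volatile(ptr)` would make sure the access is actually emitted. The `.unwrap()` on `v.push(0x42, GFP_KERNEL)` also turns an allocation failure into a panic inside the test, where returning early would be gentler.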