From patchwork Sun Sep 22 14:57:57 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sabyrzhan Tasbolatov
X-Patchwork-Id: 13809141
From: Sabyrzhan Tasbolatov
To: andreyknvl@gmail.com
Cc: akpm@linux-foundation.org, bp@alien8.de, brauner@kernel.org, dave.hansen@linux.intel.com, dhowells@redhat.com, dvyukov@google.com, glider@google.com, hpa@zytor.com, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mingo@redhat.com, ryabinin.a.a@gmail.com, snovitoll@gmail.com, tglx@linutronix.de, vincenzo.frascino@arm.com, x86@kernel.org
Subject: [PATCH v5] mm: x86: instrument __get/__put_kernel_nofault
Date: Sun, 22 Sep 2024 19:57:57 +0500
Message-Id: <20240922145757.986887-1-snovitoll@gmail.com>
X-Mailer: git-send-email 2.34.1

Instrument copy_from_kernel_nofault(), copy_to_kernel_nofault(), strncpy_from_kernel_nofault() where __put_kernel_nofault, __get_kernel_nofault macros are used.

__get_kernel_nofault needs instrument_memcpy_before() which handles KASAN, KCSAN checks for src, dst address, whereas for __put_kernel_nofault macro, instrument_write() check should be enough as it's validated via kmsan_copy_to_user() in instrument_put_user().

copy_from_to_kernel_nofault_oob() kunit test triggers 4 KASAN OOB bug reports as expected, one for each copy_from/to_kernel_nofault call.

Reported-by: Andrey Konovalov
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=210505
Signed-off-by: Sabyrzhan Tasbolatov --- v3: changed kunit test from UAF to OOB case and git commit message. v4: updated a grammar in git commit message. v5: copy_from_to_kernel_nofault_oob() works only for x86 arch, remove instrument_get_user() from __get_user_size on !CONFIG_CC_HAS_ASM_GOTO_OUTPUT --- arch/x86/include/asm/uaccess.h | 3 +++ mm/kasan/kasan_test.c | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 3a7755c1a441..e8e5185dd65c 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -620,6 +620,7 @@ do { \ #ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT #define __get_kernel_nofault(dst, src, type, err_label) \ + instrument_memcpy_before(dst, src, sizeof(type)); \ __get_user_size(*((type *)(dst)), (__force type __user *)(src), \ sizeof(type), err_label) #else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT @@ -627,6 +628,7 @@ do { \ do { \ int __kr_err; \ \ + instrument_memcpy_before(dst, src, sizeof(type)); \ __get_user_size(*((type *)(dst)), (__force type __user *)(src), \ sizeof(type), __kr_err); \ if (unlikely(__kr_err)) \ @@ -635,6 +637,7 @@ do { \ #endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT #define __put_kernel_nofault(dst, src, type, err_label) \ + instrument_write(dst, sizeof(type)); \ __put_user_size(*((type *)(src)), (__force type __user *)(dst), \ sizeof(type), err_label) diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c index 567d33b493e2..c369a5b1c6a7 100644 --- a/mm/kasan/kasan_test.c +++ b/mm/kasan/kasan_test.c 
@@ -1944,6 +1944,28 @@ static void match_all_mem_tag(struct kunit *test) kfree(ptr); } +static void copy_from_to_kernel_nofault_oob(struct kunit *test) +{ + char *ptr; + char buf[128]; + size_t size = sizeof(buf); + + KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_X86); + + ptr = kmalloc(size - KASAN_GRANULE_SIZE, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); + + KUNIT_EXPECT_KASAN_FAIL(test, + copy_from_kernel_nofault(&buf[0], ptr, size)); + KUNIT_EXPECT_KASAN_FAIL(test, + copy_from_kernel_nofault(ptr, &buf[0], size)); + KUNIT_EXPECT_KASAN_FAIL(test, + copy_to_kernel_nofault(&buf[0], ptr, size)); + KUNIT_EXPECT_KASAN_FAIL(test, + copy_to_kernel_nofault(ptr, &buf[0], size)); + kfree(ptr); +} + static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(kmalloc_oob_right), KUNIT_CASE(kmalloc_oob_left), @@ -2017,6 +2039,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(match_all_not_assigned), KUNIT_CASE(match_all_ptr_tag), KUNIT_CASE(match_all_mem_tag), + KUNIT_CASE(copy_from_to_kernel_nofault_oob), {} };
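Review bot: In arch/x86/include/asm/uaccess.h, the CONFIG_CC_HAS_ASM_GOTO_OUTPUT variant of __get_kernel_nofault now expands to two statements with no enclosing block. A caller that uses it as the unbraced body of an if or a loop would have only instrument_memcpy_before() governed by the condition, while __get_user_size() would run unconditionally. Wrap the body in do { ... } while (0), as the !CONFIG_CC_HAS_ASM_GOTO_OUTPUT variant right below it already does.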
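Review bot: In the !CONFIG_CC_HAS_ASM_GOTO_OUTPUT variant of __get_kernel_nofault, dst and src are now expanded twice, once in instrument_memcpy_before(dst, src, sizeof(type)) and once in __get_user_size(), and the new call passes them unparenthesised. An argument with side effects would be evaluated twice, and a compound expression could bind differently in the two places. This variant already has a do { } block with a local (__kr_err), so either capture the pointers in locals there and use those in both calls, or write (dst) and (src) in the new line and document that the arguments must be free of side effects.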
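Review bot: In __put_kernel_nofault only dst is instrumented, via instrument_write(dst, sizeof(type)); src is not passed to any instrument_*() call, unlike the get side, which hands both pointers to instrument_memcpy_before(). If the intent is that the plain load *((type *)(src)) is already covered by compiler instrumentation, a short comment above the macro saying so would keep the asymmetry from being read as an omission. The macro also becomes two statements without a do { } while (0) wrapper, so the unbraced-caller concern applies here as well.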
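Review bot: In copy_from_to_kernel_nofault_oob() in mm/kasan/kasan_test.c, buf is declared as char buf[128] and never initialised, yet it is the copy source in copy_from_kernel_nofault(ptr, &buf[0], size) and copy_to_kernel_nofault(ptr, &buf[0], size). Zero-initialise it so the test copies defined data and only the out-of-bounds access is under test. A one-line comment per KUNIT_EXPECT_KASAN_FAIL() stating which argument is out of bounds (ptr covers size - KASAN_GRANULE_SIZE bytes while the copy length is size) would make the four expectations easier to audit, and a comment next to KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_X86) should say why the test is limited to x86.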