From patchwork Fri Nov 19 14:22:18 2021
X-Patchwork-Submitter: Marco Elver
X-Patchwork-Id: 12629015
Date: Fri, 19 Nov 2021 15:22:18 +0100
Message-Id: <20211119142219.1519617-1-elver@google.com>
Subject: [PATCH 1/2] kasan: add ability to detect double-kmem_cache_destroy()
From: Marco Elver
To: elver@google.com, Andrew Morton
Cc: Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Vlastimil Babka, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org

Because mm/slab_common.c is not instrumented with software KASAN modes, it is not possible to detect use-after-free of the kmem_cache passed into kmem_cache_destroy(). In particular, because of the s->refcount-- and subsequent early return if non-zero, KASAN would never be able to see the double-free via kmem_cache_free(kmem_cache, s).

To be able to detect a double-kmem_cache_destroy(), check accessibility of the kmem_cache, and in case of failure return early.

While KASAN_HW_TAGS is able to detect such bugs, by checking accessibility and returning early we fail more gracefully and also avoid corrupting reused objects (where tags mismatch).

A recent case of a double-kmem_cache_destroy() was detected by KFENCE: https://lkml.kernel.org/r/0000000000003f654905c168b09d@google.com, which was not detectable by software KASAN modes.
Signed-off-by: Marco Elver
Acked-by: Vlastimil Babka
Reviewed-by: Andrey Konovalov
---
 mm/slab_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/slab_common.c b/mm/slab_common.c
index e5d080a93009..4bef4b6a2c76 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -491,7 +491,7 @@ void kmem_cache_destroy(struct kmem_cache *s) { int err; - if (unlikely(!s)) + if (unlikely(!s || !kasan_check_byte(s))) return; cpus_read_lock(); From patchwork Fri Nov 19 14:22:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marco Elver X-Patchwork-Id: 12629017 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32741C433F5 for ; Fri, 19 Nov 2021 14:23:14 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id DB06F61213 for ; Fri, 19 Nov 2021 14:23:13 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org DB06F61213 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 41E046B00A8; Fri, 19 Nov 2021 09:22:49 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 3CC256B00AA; Fri, 19 Nov 2021 09:22:49 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 295DD6B00AB; Fri, 19 Nov 2021 09:22:49 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0242.hostedemail.com [216.40.44.242]) by kanga.kvack.org (Postfix) with ESMTP id 19C8C6B00A8 for ; Fri, 19 Nov 2021 09:22:49 -0500 (EST) Received: from smtpin01.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id D27AE8BED4 for ; Fri, 19 Nov 2021 14:22:38 +0000 (UTC) X-FDA: 78825895680.01.D8B1BD5 Received: from mail-ed1-f74.google.com (mail-ed1-f74.google.com [209.85.208.74]) by imf10.hostedemail.com (Postfix) with ESMTP id 62B6E60019BF for ; Fri, 19 Nov 
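Review bot: the new `!kasan_check_byte(s)` term in the early-return condition deserves a one-line comment in the source; a reader of kmem_cache_destroy() alone cannot tell that the call is what produces the use-after-free report and that the silent `return` afterwards is deliberate. The reasoning (the s->refcount-- path would otherwise swallow a double destroy) lives only in the changelog. Something like `/* A freed cache must not be touched: kasan_check_byte() reports it. */` above the `if` would do. The ordering is right as written: the `!s ||` short-circuit keeps the NULL test ahead of the accessibility check, and the check sits before cpus_read_lock(), so an already freed `s` is never dereferenced on the destroy path.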
Date: Fri, 19 Nov 2021 15:22:19 +0100
In-Reply-To: <20211119142219.1519617-1-elver@google.com>
Message-Id: <20211119142219.1519617-2-elver@google.com>
Mime-Version: 1.0
References: <20211119142219.1519617-1-elver@google.com>
X-Mailer: git-send-email
2.34.0.rc2.393.gf8c9666880-goog Subject: [PATCH 2/2] kasan: test: add test case for double-kmem_cache_destroy() From: Marco Elver To: elver@google.com, Andrew Morton Cc: Andrey Ryabinin , Alexander Potapenko , Andrey Konovalov , Dmitry Vyukov , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Vlastimil Babka , kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org X-Rspamd-Server: rspam11 X-Rspamd-Queue-Id: 62B6E60019BF X-Stat-Signature: 3swci7ezbuxh337kxh736y9xmfbnohn1 Authentication-Results: imf10.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=dd6fdpFK; spf=pass (imf10.hostedemail.com: domain of 3LbOXYQUKCAYkr1kxmuumrk.iusrot03-ssq1giq.uxm@flex--elver.bounces.google.com designates 209.85.208.74 as permitted sender) smtp.mailfrom=3LbOXYQUKCAYkr1kxmuumrk.iusrot03-ssq1giq.uxm@flex--elver.bounces.google.com; dmarc=pass (policy=reject) header.from=google.com X-HE-Tag: 1637331757-588076 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Add a test case for double-kmem_cache_destroy() detection. Signed-off-by: Marco Elver Reviewed-by: Andrey Konovalov --- lib/test_kasan.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 40f7274297c1..4da4b214ed06 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -866,6 +866,16 @@ static void kmem_cache_invalid_free(struct kunit *test) kmem_cache_destroy(cache); } +static void kmem_cache_double_destroy(struct kunit *test) +{ + struct kmem_cache *cache; + + cache = kmem_cache_create("test_cache", 200, 0, 0, NULL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); + kmem_cache_destroy(cache); + KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_destroy(cache)); +} + static void kasan_memchr(struct kunit *test) { char *ptr; 
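Review bot: kmem_cache_double_destroy() depends on the early return from patch 1/2 and that dependency should be stated in the changelog, which currently reads only "Add a test case for double-kmem_cache_destroy() detection." KUNIT_EXPECT_KASAN_FAIL checks that a report is produced; without the early return the second kmem_cache_destroy(cache) would go on to really tear down an already destroyed cache, so on a kernel lacking 1/2 this case would not merely fail its expectation but could take the rest of the KUnit run down with it. A short comment above the function saying what it exercises (destroying a cache twice must be reported, not silently ignored) would also help readers scanning the test list.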
@@ -1183,6 +1193,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(ksize_uaf), KUNIT_CASE(kmem_cache_double_free), KUNIT_CASE(kmem_cache_invalid_free), + KUNIT_CASE(kmem_cache_double_destroy), KUNIT_CASE(kasan_memchr), KUNIT_CASE(kasan_memcmp), KUNIT_CASE(kasan_strings),
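The two patches above describe the detection gap only in prose: a destroy path that decrements s->refcount and returns early on non-zero means a second kmem_cache_destroy() on a freed cache never reaches any free path, while an accessibility check placed before the refcount is touched catches it. The userspace C model below, added here and not part of either patch or of the kernel, shows both variants side by side. Everything in it is a stand-in: the `live[]` table plays the role of KASAN shadow memory and `check_byte()` the role of kasan_check_byte(); the poison byte, the cache struct, the result codes and all function names are constructed for the model.

```c
/*
 * Userspace model of the detection gap described in patch 1/2.
 * Added example, not kernel code: live[] stands in for KASAN shadow memory,
 * check_byte() for kasan_check_byte(), and FREED_POISON for whatever the
 * allocator leaves behind in a freed object.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16
#define FREED_POISON 0x6b /* constructed poison value for released objects */

struct cache {
	int refcount;
	char name[32];
};

enum destroy_result {
	DESTROY_FREED,       /* last reference dropped, object released */
	DESTROY_REFS_REMAIN, /* refcount still non-zero, nothing released */
	DESTROY_NULL,        /* NULL pointer, nothing to do */
	DESTROY_REPORTED,    /* accessibility check failed: UAF reported */
};

static struct cache *live[MAX_LIVE]; /* shadow table: objects currently valid */
static int reports;                  /* "KASAN reports" emitted so far */

static bool shadow_accessible(const struct cache *s)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == s)
			return true;
	return false;
}

static void shadow_set(struct cache *s, bool alive)
{
	for (int i = 0; i < MAX_LIVE; i++) {
		if (alive && live[i] == NULL) { live[i] = s; return; }
		if (!alive && live[i] == s)   { live[i] = NULL; return; }
	}
}

/* Model of kasan_check_byte(): true if accessible, else report and return false. */
static bool check_byte(const void *p)
{
	if (shadow_accessible(p))
		return true;
	reports++;
	return false;
}

struct cache *cache_create(const char *name)
{
	struct cache *s = calloc(1, sizeof(*s));

	if (!s)
		return NULL;
	s->refcount = 1;
	strncpy(s->name, name, sizeof(s->name) - 1);
	shadow_set(s, true);
	return s;
}

/* Drop the object from the shadow table and poison it, but keep the storage so
 * the model can show what a second destroy observes. The real kmem_cache_free()
 * hands the memory back; reading it afterwards is a UAF that uninstrumented
 * code performs silently. */
static void release(struct cache *s)
{
	shadow_set(s, false);
	memset(s, FREED_POISON, sizeof(*s));
}

/* Before the patch: the refcount is decremented first. On a released object the
 * poisoned refcount is still non-zero after the decrement, so the function
 * returns early and the double destroy never reaches any free path. */
enum destroy_result destroy_unchecked(struct cache *s)
{
	if (!s)
		return DESTROY_NULL;
	s->refcount--;
	if (s->refcount)
		return DESTROY_REFS_REMAIN;
	release(s);
	return DESTROY_FREED;
}

/* After the patch: check accessibility before touching *s at all. */
enum destroy_result destroy_checked(struct cache *s)
{
	if (!s || !check_byte(s))
		return s ? DESTROY_REPORTED : DESTROY_NULL;
	return destroy_unchecked(s);
}

/* create -> destroy -> destroy again, with or without the check; returns what
 * the second destroy reported and frees the storage the model held on to. */
enum destroy_result double_destroy_scenario(bool checked)
{
	enum destroy_result (*destroy)(struct cache *) =
		checked ? destroy_checked : destroy_unchecked;
	struct cache *s = cache_create("test_cache");
	enum destroy_result second;

	if (!s)
		return DESTROY_NULL;
	destroy(s);          /* drops the last reference */
	second = destroy(s); /* the bug under test */
	free(s);
	return second;
}

int reports_emitted(void)
{
	return reports;
}

int main(void)
{
	printf("unchecked: %d reports=%d\n", double_destroy_scenario(false), reports_emitted());
	printf("checked:   %d reports=%d\n", double_destroy_scenario(true), reports_emitted());
	return 0;
}
```

The unchecked variant answers the second destroy with "references remain", exactly the outcome the changelog describes as hiding the bug from KASAN, and no report is produced; the checked variant reports before the refcount is read. The model keeps the released storage alive only so the poisoned refcount can be read with defined behaviour; in the kernel that read is the use-after-free the patch makes visible.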