From patchwork Mon Aug 12 23:29:03 2024
X-Patchwork-Submitter: Matthew Maurer
X-Patchwork-Id: 13761134
Date: Mon, 12 Aug 2024 23:29:03 +0000
In-Reply-To: <20240812232910.2026387-1-mmaurer@google.com>
References: <20240812232910.2026387-1-mmaurer@google.com>
Message-ID: <20240812232910.2026387-4-mmaurer@google.com>
Subject: [PATCH v2 3/3] kasan: rust: Add KASAN smoke test via UAF
From: Matthew Maurer
To: dvyukov@google.com, ojeda@kernel.org, Andrey Ryabinin, Andrew Morton, Alex Gaynor, Wedson Almeida Filho
Cc: aliceryhl@google.com, samitolvanen@google.com, Matthew Maurer, Alexander Potapenko, Andrey Konovalov, Vincenzo Frascino, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, rust-for-linux@vger.kernel.org

Adds a smoke test to ensure that KASAN in Rust is actually detecting a Rust-native UAF. There is significant room to expand this test suite, but this will at least ensure that flags are having the intended effect.

Signed-off-by: Matthew Maurer --- mm/kasan/Makefile | 9 ++++++++- mm/kasan/{kasan_test.c => kasan_test_c.c} | 13 +++++++++++++ mm/kasan/kasan_test_rust.rs | 17 +++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) rename mm/kasan/{kasan_test.c => kasan_test_c.c} (99%) create mode 100644 mm/kasan/kasan_test_rust.rs diff --git a/mm/kasan/Makefile b/mm/kasan/Makefile index 7634dd2a6128..d718b0f72009 100644 --- a/mm/kasan/Makefile +++ b/mm/kasan/Makefile @@ -44,7 +44,8 @@ ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX CFLAGS_KASAN_TEST += -fno-builtin endif -CFLAGS_kasan_test.o := $(CFLAGS_KASAN_TEST) +CFLAGS_kasan_test_c.o := $(CFLAGS_KASAN_TEST) +RUSTFLAGS_kasan_test_rust.o := $(RUSTFLAGS_KASAN) CFLAGS_kasan_test_module.o := $(CFLAGS_KASAN_TEST) obj-y := common.o report.o @@ -54,3 +55,9 @@ obj-$(CONFIG_KASAN_SW_TAGS) += init.o report_sw_tags.o shadow.o sw_tags.o tags.o obj-$(CONFIG_KASAN_KUNIT_TEST) += kasan_test.o obj-$(CONFIG_KASAN_MODULE_TEST) += kasan_test_module.o + +kasan_test-objs := kasan_test_c.o + +ifdef CONFIG_RUST +kasan_test-objs += kasan_test_rust.o +endif diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test_c.c similarity index 99% rename from mm/kasan/kasan_test.c rename to mm/kasan/kasan_test_c.c index 7b32be2a3cf0..28821c90840e 100644 --- a/mm/kasan/kasan_test.c +++ b/mm/kasan/kasan_test_c.c @@ -30,6 +30,7 @@ #include #include "kasan.h" +#include "kasan_test_rust.h" #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE) @@ -1899,6 +1900,17 @@ static void match_all_mem_tag(struct kunit *test) kfree(ptr); } +/* + * Check that Rust performing a uaf using `unsafe` is detected. + * This is an undirected smoke test to make sure that Rust is being sanitized + * appropriately. + */ +static void rust_uaf(struct kunit *test) +{ + KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf()); +} + + static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(kmalloc_oob_right), KUNIT_CASE(kmalloc_oob_left), 
@@ -1971,6 +1983,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(match_all_not_assigned), KUNIT_CASE(match_all_ptr_tag), KUNIT_CASE(match_all_mem_tag), + KUNIT_CASE(rust_uaf), {} }; diff --git a/mm/kasan/kasan_test_rust.rs b/mm/kasan/kasan_test_rust.rs new file mode 100644 index 000000000000..6f4b43ea488c --- /dev/null +++ b/mm/kasan/kasan_test_rust.rs @@ -0,0 +1,17 @@ +//! Helper crate for KASAN testing +//! Provides behavior to check the sanitization of Rust code. +use kernel::prelude::*; +use core::ptr::addr_of_mut; + +/// Trivial UAF - allocate a big vector, grab a pointer partway through, +/// drop the vector, and touch it. +#[no_mangle] +pub extern "C" fn kasan_test_rust_uaf() -> u8 { + let mut v: Vec = Vec::new(); + for _ in 0..4096 { + v.push(0x42, GFP_KERNEL).unwrap(); + } + let ptr: *mut u8 = addr_of_mut!(v[2048]); + drop(v); + unsafe { *ptr } +}
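
Review bot: In the second mm/kasan/Makefile hunk, the `ifdef CONFIG_RUST` block around `kasan_test-objs += kasan_test_rust.o` can be replaced by the usual kbuild conditional-object form, `kasan_test-$(CONFIG_RUST) += kasan_test_rust.o`, which keeps the composite object list in one style and avoids the open-coded conditional. Note also that this hunk makes the Rust object optional while the C side references it unconditionally, so the two need to agree on what happens when CONFIG_RUST is not set.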
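
Review bot: The new `#include "kasan_test_rust.h"` at the top of mm/kasan/kasan_test_c.c refers to a header this patch does not add. The diffstat lists only the Makefile, the renamed C file and kasan_test_rust.rs, so as posted the C file has no declaration of `kasan_test_rust_uaf()` to include. Add the header to the patch, with the prototype matching the Rust `extern "C" fn kasan_test_rust_uaf() -> u8` signature.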
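
Review bot: `rust_uaf()` in kasan_test_c.c calls `kasan_test_rust_uaf()` and is registered with `KUNIT_CASE(rust_uaf)` regardless of configuration, but the Makefile only links kasan_test_rust.o when CONFIG_RUST is defined. With CONFIG_RUST unset the symbol is undefined at link time. Either provide a stub for the !CONFIG_RUST case or have the test skip itself (for example via `kunit_skip()`) so the case reports as skipped rather than breaking the build. Minor: the comment spells it "uaf" where the rest of the series uses "UAF", and there is a doubled blank line after the function.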
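
Review bot: In mm/kasan/kasan_test_rust.rs the `unsafe { *ptr }` block has no `// SAFETY:` comment. Since the dereference is unsound on purpose, say so in the comment so that readers and lint tooling see it is deliberate and do not "fix" it. The new file also starts directly with the `//!` doc comment and has no SPDX license identifier line. Finally, `v.push(0x42, GFP_KERNEL).unwrap()` turns an allocation failure into a panic inside the test helper; consider whether the function should report failure to the C caller instead, so a low-memory run fails the test case rather than panicking.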