2020-07-06 02:23:36

by Walter Wu

[permalink] [raw]
Subject: [PATCH v2] kasan: fix KASAN unit tests for tag-based KASAN

We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
memory access. They need to be fixed.

With tag-based KASAN, the state of each 16 aligned bytes of memory is
encoded in one shadow byte and the shadow value is tag of pointer, so
we need to read next shadow byte, the shadow value is not equal to tag
value of pointer, so that tag-based KASAN will detect out-of-bounds
memory access.

Signed-off-by: Walter Wu <[email protected]>
Cc: Andrey Ryabinin <[email protected]>
Cc: Dmitry Vyukov <[email protected]>
Cc: Alexander Potapenko <[email protected]>
Cc: Matthias Brugger <[email protected]>
Cc: Andrey Konovalov <[email protected]>
Cc: Andrew Morton <[email protected]>
---

changes since v1:
- Reduce amount of non-compiled code.
- KUnit-KASAN Integration patchset are not merged yet. My patch should
have conflict with it, if needed, we can continue to wait it.

---

lib/test_kasan.c | 81 ++++++++++++++++++++++++++++++++++++++----------
1 file changed, 64 insertions(+), 17 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index e3087d90e00d..660664439d52 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -40,7 +40,11 @@ static noinline void __init kmalloc_oob_right(void)
return;
}

- ptr[size] = 'x';
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ ptr[size] = 'x';
+ else
+ ptr[size + 5] = 'x';
+
kfree(ptr);
}

@@ -92,7 +96,11 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
return;
}

- ptr[size] = 0;
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ ptr[size] = 0;
+ else
+ ptr[size + 6] = 0;
+
kfree(ptr);
}

@@ -162,7 +170,11 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
return;
}

- ptr2[size2] = 'x';
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ ptr2[size2] = 'x';
+ else
+ ptr2[size2 + 13] = 'x';
+
kfree(ptr2);
}

@@ -180,7 +192,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
kfree(ptr1);
return;
}
- ptr2[size2] = 'x';
+
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ ptr2[size2] = 'x';
+ else
+ ptr2[size2 + 2] = 'x';
+
kfree(ptr2);
}

@@ -216,7 +233,11 @@ static noinline void __init kmalloc_oob_memset_2(void)
return;
}

- memset(ptr+7, 0, 2);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr+7, 0, 2);
+ else
+ memset(ptr+15, 0, 2);
+
kfree(ptr);
}

@@ -232,7 +253,11 @@ static noinline void __init kmalloc_oob_memset_4(void)
return;
}

- memset(ptr+5, 0, 4);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr+5, 0, 4);
+ else
+ memset(ptr+15, 0, 4);
+
kfree(ptr);
}

@@ -249,7 +274,11 @@ static noinline void __init kmalloc_oob_memset_8(void)
return;
}

- memset(ptr+1, 0, 8);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr+1, 0, 8);
+ else
+ memset(ptr+15, 0, 8);
+
kfree(ptr);
}

@@ -265,7 +294,11 @@ static noinline void __init kmalloc_oob_memset_16(void)
return;
}

- memset(ptr+1, 0, 16);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr+1, 0, 16);
+ else
+ memset(ptr+15, 0, 16);
+
kfree(ptr);
}

@@ -281,7 +314,11 @@ static noinline void __init kmalloc_oob_in_memset(void)
return;
}

- memset(ptr, 0, size+5);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr, 0, size+5);
+ else
+ memset(ptr, 0, size+7);
+
kfree(ptr);
}

@@ -415,7 +452,11 @@ static noinline void __init kmem_cache_oob(void)
return;
}

- *p = p[size];
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ *p = p[size];
+ else
+ *p = p[size + 8];
+
kmem_cache_free(cache, p);
kmem_cache_destroy(cache);
}
@@ -497,6 +538,7 @@ static noinline void __init copy_user_test(void)
char __user *usermem;
size_t size = 10;
int unused;
+ size_t oob_size;

kmem = kmalloc(size, GFP_KERNEL);
if (!kmem)
@@ -511,26 +553,31 @@ static noinline void __init copy_user_test(void)
return;
}

+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ oob_size = 1;
+ else
+ oob_size = 7;
+
pr_info("out-of-bounds in copy_from_user()\n");
- unused = copy_from_user(kmem, usermem, size + 1);
+ unused = copy_from_user(kmem, usermem, size + oob_size);

pr_info("out-of-bounds in copy_to_user()\n");
- unused = copy_to_user(usermem, kmem, size + 1);
+ unused = copy_to_user(usermem, kmem, size + oob_size);

pr_info("out-of-bounds in __copy_from_user()\n");
- unused = __copy_from_user(kmem, usermem, size + 1);
+ unused = __copy_from_user(kmem, usermem, size + oob_size);

pr_info("out-of-bounds in __copy_to_user()\n");
- unused = __copy_to_user(usermem, kmem, size + 1);
+ unused = __copy_to_user(usermem, kmem, size + oob_size);

pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
- unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
+ unused = __copy_from_user_inatomic(kmem, usermem, size + oob_size);

pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
- unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
+ unused = __copy_to_user_inatomic(usermem, kmem, size + oob_size);

pr_info("out-of-bounds in strncpy_from_user()\n");
- unused = strncpy_from_user(kmem, usermem, size + 1);
+ unused = strncpy_from_user(kmem, usermem, size + oob_size);

vm_munmap((unsigned long)usermem, PAGE_SIZE);
kfree(kmem);
--
2.18.0


2020-07-06 06:21:18

by Dmitry Vyukov

[permalink] [raw]
Subject: Re: [PATCH v2] kasan: fix KASAN unit tests for tag-based KASAN

On Mon, Jul 6, 2020 at 4:21 AM Walter Wu <[email protected]> wrote:
>
> We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
> memory access. They need to be fixed.
>
> With tag-based KASAN, the state of each 16 aligned bytes of memory is
> encoded in one shadow byte and the shadow value is tag of pointer, so
> we need to read next shadow byte, the shadow value is not equal to tag
> value of pointer, so that tag-based KASAN will detect out-of-bounds
> memory access.
>
> Signed-off-by: Walter Wu <[email protected]>
> Cc: Andrey Ryabinin <[email protected]>
> Cc: Dmitry Vyukov <[email protected]>
> Cc: Alexander Potapenko <[email protected]>
> Cc: Matthias Brugger <[email protected]>
> Cc: Andrey Konovalov <[email protected]>
> Cc: Andrew Morton <[email protected]>
> ---
>
> changes since v1:
> - Reduce amount of non-compiled code.
> - KUnit-KASAN Integration patchset are not merged yet. My patch should
> have conflict with it, if needed, we can continue to wait it.
>
> ---
>
> lib/test_kasan.c | 81 ++++++++++++++++++++++++++++++++++++++----------
> 1 file changed, 64 insertions(+), 17 deletions(-)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index e3087d90e00d..660664439d52 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -40,7 +40,11 @@ static noinline void __init kmalloc_oob_right(void)
> return;
> }
>
> - ptr[size] = 'x';
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + ptr[size] = 'x';
> + else
> + ptr[size + 5] = 'x';
> +

Hi Walter,

Would if be possible to introduce something like:

#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : 8)

and then add it throughout as

ptr[size + OOB_TAG_OFF] = 'x';

?
The current version results in quite some amount of additional code
that needs to be read, extended and maintained in the future. So I am
thinking if it's possible to minimize it somehow...

> kfree(ptr);
> }
>
> @@ -92,7 +96,11 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
> return;
> }
>
> - ptr[size] = 0;
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + ptr[size] = 0;
> + else
> + ptr[size + 6] = 0;
> +
> kfree(ptr);
> }
>
> @@ -162,7 +170,11 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
> return;
> }
>
> - ptr2[size2] = 'x';
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + ptr2[size2] = 'x';
> + else
> + ptr2[size2 + 13] = 'x';
> +
> kfree(ptr2);
> }
>
> @@ -180,7 +192,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
> kfree(ptr1);
> return;
> }
> - ptr2[size2] = 'x';
> +
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + ptr2[size2] = 'x';
> + else
> + ptr2[size2 + 2] = 'x';
> +
> kfree(ptr2);
> }
>
> @@ -216,7 +233,11 @@ static noinline void __init kmalloc_oob_memset_2(void)
> return;
> }
>
> - memset(ptr+7, 0, 2);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr+7, 0, 2);
> + else
> + memset(ptr+15, 0, 2);
> +
> kfree(ptr);
> }
>
> @@ -232,7 +253,11 @@ static noinline void __init kmalloc_oob_memset_4(void)
> return;
> }
>
> - memset(ptr+5, 0, 4);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr+5, 0, 4);
> + else
> + memset(ptr+15, 0, 4);
> +
> kfree(ptr);
> }
>
> @@ -249,7 +274,11 @@ static noinline void __init kmalloc_oob_memset_8(void)
> return;
> }
>
> - memset(ptr+1, 0, 8);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr+1, 0, 8);
> + else
> + memset(ptr+15, 0, 8);
> +
> kfree(ptr);
> }
>
> @@ -265,7 +294,11 @@ static noinline void __init kmalloc_oob_memset_16(void)
> return;
> }
>
> - memset(ptr+1, 0, 16);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr+1, 0, 16);
> + else
> + memset(ptr+15, 0, 16);
> +
> kfree(ptr);
> }
>
> @@ -281,7 +314,11 @@ static noinline void __init kmalloc_oob_in_memset(void)
> return;
> }
>
> - memset(ptr, 0, size+5);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr, 0, size+5);
> + else
> + memset(ptr, 0, size+7);
> +
> kfree(ptr);
> }
>
> @@ -415,7 +452,11 @@ static noinline void __init kmem_cache_oob(void)
> return;
> }
>
> - *p = p[size];
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + *p = p[size];
> + else
> + *p = p[size + 8];
> +
> kmem_cache_free(cache, p);
> kmem_cache_destroy(cache);
> }
> @@ -497,6 +538,7 @@ static noinline void __init copy_user_test(void)
> char __user *usermem;
> size_t size = 10;
> int unused;
> + size_t oob_size;
>
> kmem = kmalloc(size, GFP_KERNEL);
> if (!kmem)
> @@ -511,26 +553,31 @@ static noinline void __init copy_user_test(void)
> return;
> }
>
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + oob_size = 1;
> + else
> + oob_size = 7;
> +
> pr_info("out-of-bounds in copy_from_user()\n");
> - unused = copy_from_user(kmem, usermem, size + 1);
> + unused = copy_from_user(kmem, usermem, size + oob_size);
>
> pr_info("out-of-bounds in copy_to_user()\n");
> - unused = copy_to_user(usermem, kmem, size + 1);
> + unused = copy_to_user(usermem, kmem, size + oob_size);
>
> pr_info("out-of-bounds in __copy_from_user()\n");
> - unused = __copy_from_user(kmem, usermem, size + 1);
> + unused = __copy_from_user(kmem, usermem, size + oob_size);
>
> pr_info("out-of-bounds in __copy_to_user()\n");
> - unused = __copy_to_user(usermem, kmem, size + 1);
> + unused = __copy_to_user(usermem, kmem, size + oob_size);
>
> pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
> - unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
> + unused = __copy_from_user_inatomic(kmem, usermem, size + oob_size);
>
> pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
> - unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
> + unused = __copy_to_user_inatomic(usermem, kmem, size + oob_size);
>
> pr_info("out-of-bounds in strncpy_from_user()\n");
> - unused = strncpy_from_user(kmem, usermem, size + 1);
> + unused = strncpy_from_user(kmem, usermem, size + oob_size);
>
> vm_munmap((unsigned long)usermem, PAGE_SIZE);
> kfree(kmem);
> --
> 2.18.0
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200706022150.20848-1-walter-zh.wu%40mediatek.com.

2020-07-06 07:00:57

by Walter Wu

[permalink] [raw]
Subject: Re: [PATCH v2] kasan: fix KASAN unit tests for tag-based KASAN

On Mon, 2020-07-06 at 08:19 +0200, Dmitry Vyukov wrote:
> On Mon, Jul 6, 2020 at 4:21 AM Walter Wu <[email protected]> wrote:
> >
> > We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
> > memory access. They need to be fixed.
> >
> > With tag-based KASAN, the state of each 16 aligned bytes of memory is
> > encoded in one shadow byte and the shadow value is tag of pointer, so
> > we need to read next shadow byte, the shadow value is not equal to tag
> > value of pointer, so that tag-based KASAN will detect out-of-bounds
> > memory access.
> >
> > Signed-off-by: Walter Wu <[email protected]>
> > Cc: Andrey Ryabinin <[email protected]>
> > Cc: Dmitry Vyukov <[email protected]>
> > Cc: Alexander Potapenko <[email protected]>
> > Cc: Matthias Brugger <[email protected]>
> > Cc: Andrey Konovalov <[email protected]>
> > Cc: Andrew Morton <[email protected]>
> > ---
> >
> > changes since v1:
> > - Reduce amount of non-compiled code.
> > - KUnit-KASAN Integration patchset are not merged yet. My patch should
> > have conflict with it, if needed, we can continue to wait it.
> >
> > ---
> >
> > lib/test_kasan.c | 81 ++++++++++++++++++++++++++++++++++++++----------
> > 1 file changed, 64 insertions(+), 17 deletions(-)
> >
> > diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> > index e3087d90e00d..660664439d52 100644
> > --- a/lib/test_kasan.c
> > +++ b/lib/test_kasan.c
> > @@ -40,7 +40,11 @@ static noinline void __init kmalloc_oob_right(void)
> > return;
> > }
> >
> > - ptr[size] = 'x';
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + ptr[size] = 'x';
> > + else
> > + ptr[size + 5] = 'x';
> > +
>
> Hi Walter,
>
> Would if be possible to introduce something like:
>
> #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : 8)
>

It is good suggestion. Thanks.

> and then add it throughout as
>
> ptr[size + OOB_TAG_OFF] = 'x';
>
> ?
> The current version results in quite some amount of additional code
> that needs to be read, extended and maintained in the future. So I am
> thinking if it's possible to minimize it somehow...
>

Ok, I will send next patch by your suggestion.

Thanks.

> > kfree(ptr);
> > }
> >
> > @@ -92,7 +96,11 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
> > return;
> > }
> >
> > - ptr[size] = 0;
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + ptr[size] = 0;
> > + else
> > + ptr[size + 6] = 0;
> > +
> > kfree(ptr);
> > }
> >
> > @@ -162,7 +170,11 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
> > return;
> > }
> >
> > - ptr2[size2] = 'x';
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + ptr2[size2] = 'x';
> > + else
> > + ptr2[size2 + 13] = 'x';
> > +
> > kfree(ptr2);
> > }
> >
> > @@ -180,7 +192,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
> > kfree(ptr1);
> > return;
> > }
> > - ptr2[size2] = 'x';
> > +
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + ptr2[size2] = 'x';
> > + else
> > + ptr2[size2 + 2] = 'x';
> > +
> > kfree(ptr2);
> > }
> >
> > @@ -216,7 +233,11 @@ static noinline void __init kmalloc_oob_memset_2(void)
> > return;
> > }
> >
> > - memset(ptr+7, 0, 2);
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + memset(ptr+7, 0, 2);
> > + else
> > + memset(ptr+15, 0, 2);
> > +
> > kfree(ptr);
> > }
> >
> > @@ -232,7 +253,11 @@ static noinline void __init kmalloc_oob_memset_4(void)
> > return;
> > }
> >
> > - memset(ptr+5, 0, 4);
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + memset(ptr+5, 0, 4);
> > + else
> > + memset(ptr+15, 0, 4);
> > +
> > kfree(ptr);
> > }
> >
> > @@ -249,7 +274,11 @@ static noinline void __init kmalloc_oob_memset_8(void)
> > return;
> > }
> >
> > - memset(ptr+1, 0, 8);
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + memset(ptr+1, 0, 8);
> > + else
> > + memset(ptr+15, 0, 8);
> > +
> > kfree(ptr);
> > }
> >
> > @@ -265,7 +294,11 @@ static noinline void __init kmalloc_oob_memset_16(void)
> > return;
> > }
> >
> > - memset(ptr+1, 0, 16);
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + memset(ptr+1, 0, 16);
> > + else
> > + memset(ptr+15, 0, 16);
> > +
> > kfree(ptr);
> > }
> >
> > @@ -281,7 +314,11 @@ static noinline void __init kmalloc_oob_in_memset(void)
> > return;
> > }
> >
> > - memset(ptr, 0, size+5);
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + memset(ptr, 0, size+5);
> > + else
> > + memset(ptr, 0, size+7);
> > +
> > kfree(ptr);
> > }
> >
> > @@ -415,7 +452,11 @@ static noinline void __init kmem_cache_oob(void)
> > return;
> > }
> >
> > - *p = p[size];
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + *p = p[size];
> > + else
> > + *p = p[size + 8];
> > +
> > kmem_cache_free(cache, p);
> > kmem_cache_destroy(cache);
> > }
> > @@ -497,6 +538,7 @@ static noinline void __init copy_user_test(void)
> > char __user *usermem;
> > size_t size = 10;
> > int unused;
> > + size_t oob_size;
> >
> > kmem = kmalloc(size, GFP_KERNEL);
> > if (!kmem)
> > @@ -511,26 +553,31 @@ static noinline void __init copy_user_test(void)
> > return;
> > }
> >
> > + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > + oob_size = 1;
> > + else
> > + oob_size = 7;
> > +
> > pr_info("out-of-bounds in copy_from_user()\n");
> > - unused = copy_from_user(kmem, usermem, size + 1);
> > + unused = copy_from_user(kmem, usermem, size + oob_size);
> >
> > pr_info("out-of-bounds in copy_to_user()\n");
> > - unused = copy_to_user(usermem, kmem, size + 1);
> > + unused = copy_to_user(usermem, kmem, size + oob_size);
> >
> > pr_info("out-of-bounds in __copy_from_user()\n");
> > - unused = __copy_from_user(kmem, usermem, size + 1);
> > + unused = __copy_from_user(kmem, usermem, size + oob_size);
> >
> > pr_info("out-of-bounds in __copy_to_user()\n");
> > - unused = __copy_to_user(usermem, kmem, size + 1);
> > + unused = __copy_to_user(usermem, kmem, size + oob_size);
> >
> > pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
> > - unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
> > + unused = __copy_from_user_inatomic(kmem, usermem, size + oob_size);
> >
> > pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
> > - unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
> > + unused = __copy_to_user_inatomic(usermem, kmem, size + oob_size);
> >
> > pr_info("out-of-bounds in strncpy_from_user()\n");
> > - unused = strncpy_from_user(kmem, usermem, size + 1);
> > + unused = strncpy_from_user(kmem, usermem, size + oob_size);
> >
> > vm_munmap((unsigned long)usermem, PAGE_SIZE);
> > kfree(kmem);
> > --
> > 2.18.0
> >
> > --
> > You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/kasan-dev/20200706022150.20848-1-walter-zh.wu*40mediatek.com__;JQ!!CTRNKA9wMg0ARbw!zqGS_g-oLI7o6850GjV_P7YQPr8SufdeC8fbnt27o4WtvhX5PZ8-eZ6BWyF3bwm7Tizipw$ .