Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp2469263ybd; Mon, 24 Jun 2019 07:01:05 -0700 (PDT) X-Google-Smtp-Source: APXvYqyF5Ltr2k1VO6K256YVwdk8/VTgB6yGxrgvXUE46UFPWeDwbOag2k37FRRi9O+G7PubE0oy X-Received: by 2002:a17:90a:5884:: with SMTP id j4mr26147146pji.142.1561384865450; Mon, 24 Jun 2019 07:01:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561384865; cv=none; d=google.com; s=arc-20160816; b=GlFFpJb/e/IQoRyUaO4MmUye88utHFpubkhC+7m1f19o4Agpgl9W9oaZTaRJZTHSFp rgE+pe18OxPOoMNtQPMRmzJ3lF4DgUTghpZXbFx2XOksFd2sLq8q1dF6y0aqT52PiJRe AWeMFKeIwt+hu+fQIvZJxb2ECIBx7TuHeoZONiN+8fpG201oaHkn0ODFSJJ0WKC2EpCt VK07XXLIUC6TA97ZBsitQzgdtV7qeWvz10TBE4acxkDQveaInuvbg6BLi2ERh5iYCko5 4u99N3v+kH8EyzSCUGkJRpORTyAh0l7CS3k4AdJ8+ee/CbnhJNcYg+vh8vi6RmhloNjE vlCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=4sCioPXlb29uCUXcWaSeu3ouKfJt5j/bFJ2w/CyNw2c=; b=gjqFYe9YGileZ9KINi/Qb2dMM9nHI6UChG52mBi02yaQnCXkD2S+fU8LSmVasPPtqt 98Ppiz3CM3IXJFocile3/YQu7Tx8au3XbterfVsuM6lz693MBHWZX0zzuG9/sM6yRe1C mYGMe6g/qu69O3Re/mr6oFCN0VJPGe7NMmiYTSvOaNhfgX/Z2x8xKuOHTtHOcPyFZTOi GaRuK+SM6aiFlIrbdZHEHVae0bGFqnHk+S4IlCM/iJGcBrcGtVKC0zK0xzOM5jbS5dlI wTr6A4TvHDue9QeHkJ4DEbu2VBc00UYTZFC4ocBR4xRG1G4k72ux0Ur0T7StyCehZN/T ajrA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sm2RVRXA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w4si3013183plz.323.2019.06.24.07.00.49; Mon, 24 Jun 2019 07:01:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sm2RVRXA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729761AbfFXLq0 (ORCPT + 99 others); Mon, 24 Jun 2019 07:46:26 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:40047 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726418AbfFXLqZ (ORCPT ); Mon, 24 Jun 2019 07:46:25 -0400 Received: by mail-pl1-f195.google.com with SMTP id a93so6755974pla.7 for ; Mon, 24 Jun 2019 04:46:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4sCioPXlb29uCUXcWaSeu3ouKfJt5j/bFJ2w/CyNw2c=; b=sm2RVRXAjwVlXYZLx7geioGtk+BR242iTE1ahR9xHr0PmrJjewpjBjtvnvs/qIFqp/ abD3pOu/UOwmqUWwwoz0bkUvBMFuuWaXQFhjAYGad/dxwR0f4Yp/p4RLynZO0bl6cB1V 1ZyAUXh+Yd4XNJ06zBDrmW/UCque+MpGgUQtsNQ1tt+eMg+1fKBtRcLSMQ+q/Tbpty5b jCWWBeJWWo8u045J3E9ZVtqB0tk/dsl2ryXKOqdlynQ8YipfI1qGXIScDJ1RhHHu7w6Y 9C1bXNH2/eJ6LC0wnSD0Henu0S2E6xfL7xnFb63mnmeByrHaxchCLGPrHiJdecHasvM4 TMZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4sCioPXlb29uCUXcWaSeu3ouKfJt5j/bFJ2w/CyNw2c=; b=sH2jzA951KTM7msjqssylk+4MkcztGGvFE0tHdJ01PZsOFi8LtfWfAlg9CKkTV0KSS yDrMS1Qn6qtmqZwwpF20gjNeunrFYOP7AvskVDKejcXBdc/8sXSmp3OlxElcDXGNPyQl igKXUb9u9p8myex+wT6LUoXv4bl3UyB7vbKk0AWvEniP/mpLDqZyJJcin5J0LvsuU8WP A/SEmF0uPHjNuVwP1nqywu66PdTdCLbR9CC/XSRqq6jStaW0lgYIqsBH9yDOA9iFUBu1 c34wxjiUB3tlRDWuKszBrAgds1FbW+V6QnWrlUhZJzFR2RVOopS9C37ISkFxlx3D6CuL QfVg== X-Gm-Message-State: APjAAAUU57/lLaYrZBIuIbvsygW6wLVw/qFNY+WRZASHYHcqtxEv4JDd Qweebn7mWjoru7sgLSOMpb9bAul1gCorGxfmdYyiXw== X-Received: by 2002:a17:902:4183:: with SMTP id f3mr31396406pld.336.1561376784423; Mon, 24 Jun 2019 04:46:24 -0700 (PDT) MIME-Version: 1.0 References: <20190624110532.41065-1-elver@google.com> In-Reply-To: <20190624110532.41065-1-elver@google.com> From: Andrey Konovalov Date: Mon, 24 Jun 2019 13:46:12 +0200 Message-ID: Subject: Re: [PATCH] mm/kasan: Add shadow memory validation in ksize() To: Marco Elver Cc: Andrey Ryabinin , Dmitry Vyukov , Alexander Potapenko , LKML , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , kasan-dev , Linux Memory Management List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 24, 2019 at 1:05 PM Marco Elver wrote: > > ksize() has been unconditionally unpoisoning the whole shadow memory region > associated with an allocation. This can lead to various undetected bugs, > for example, double-kzfree(). > > kzfree() uses ksize() to determine the actual allocation size, and > subsequently zeroes the memory. Since ksize() used to just unpoison the > whole shadow memory region, no invalid free was detected. > > This patch addresses this as follows: > > 1. For each SLAB and SLUB allocators: add a check in ksize() that the > pointed to object's shadow memory is valid, and only then unpoison > the memory region. > > 2. Update kasan_unpoison_slab() to explicitly unpoison the shadow memory > region using the size obtained from ksize(); it is possible that > double-unpoison can occur if the shadow was already valid, however, > this should not be the general case. > > Tested: > 1. With SLAB allocator: a) normal boot without warnings; b) verified the > added double-kzfree() is detected. > 2. With SLUB allocator: a) normal boot without warnings; b) verified the > added double-kzfree() is detected. > > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199359 > Signed-off-by: Marco Elver > Cc: Andrey Ryabinin > Cc: Dmitry Vyukov > Cc: Alexander Potapenko > Cc: Andrey Konovalov > Cc: Christoph Lameter > Cc: Pekka Enberg > Cc: David Rientjes > Cc: Joonsoo Kim > Cc: Andrew Morton > Cc: kasan-dev@googlegroups.com > Cc: linux-kernel@vger.kernel.org > Cc: linux-mm@kvack.org > --- > include/linux/kasan.h | 20 +++++++++++++++++++- > lib/test_kasan.c | 17 +++++++++++++++++ > mm/kasan/common.c | 15 ++++++++++++--- > mm/slab.c | 12 ++++++++---- > mm/slub.c | 11 +++++++---- > 5 files changed, 63 insertions(+), 12 deletions(-) > > diff --git a/include/linux/kasan.h b/include/linux/kasan.h > index b40ea104dd36..9778a68fb5cf 100644 > --- a/include/linux/kasan.h > +++ b/include/linux/kasan.h > @@ -63,6 +63,14 @@ void * __must_check kasan_krealloc(const void *object, size_t new_size, > > void * __must_check kasan_slab_alloc(struct kmem_cache *s, void *object, > gfp_t flags); > + > +/** > + * kasan_shadow_invalid - Check if shadow memory of object is invalid. > + * @object: The pointed to object; the object pointer may be tagged. > + * @return: true if shadow is invalid, false if valid. > + */ > +bool kasan_shadow_invalid(const void *object); > + > bool kasan_slab_free(struct kmem_cache *s, void *object, unsigned long ip); > > struct kasan_cache { > @@ -77,7 +85,11 @@ int kasan_add_zero_shadow(void *start, unsigned long size); > void kasan_remove_zero_shadow(void *start, unsigned long size); > > size_t ksize(const void *); > -static inline void kasan_unpoison_slab(const void *ptr) { ksize(ptr); } > +static inline void kasan_unpoison_slab(const void *ptr) > +{ > + /* Force unpoison: ksize() only unpoisons if shadow of ptr is valid. */ > + kasan_unpoison_shadow(ptr, ksize(ptr)); > +} > size_t kasan_metadata_size(struct kmem_cache *cache); > > bool kasan_save_enable_multi_shot(void); > @@ -133,6 +145,12 @@ static inline void *kasan_slab_alloc(struct kmem_cache *s, void *object, > { > return object; > } > + > +static inline bool kasan_shadow_invalid(const void *object) > +{ > + return false; > +} > + > static inline bool kasan_slab_free(struct kmem_cache *s, void *object, > unsigned long ip) > { > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > index 7de2702621dc..9b710bfa84da 100644 > --- a/lib/test_kasan.c > +++ b/lib/test_kasan.c > @@ -623,6 +623,22 @@ static noinline void __init kasan_strings(void) > strnlen(ptr, 1); > } > > +static noinline void __init kmalloc_pagealloc_double_kzfree(void) > +{ > + char *ptr; > + size_t size = 16; > + > + pr_info("kmalloc pagealloc allocation: double-free (kzfree)\n"); > + ptr = kmalloc(size, GFP_KERNEL); > + if (!ptr) { > + pr_err("Allocation failed\n"); > + return; > + } > + > + kzfree(ptr); > + kzfree(ptr); > +} > + > static int __init kmalloc_tests_init(void) > { > /* > @@ -664,6 +680,7 @@ static int __init kmalloc_tests_init(void) > kasan_memchr(); > kasan_memcmp(); > kasan_strings(); > + kmalloc_pagealloc_double_kzfree(); > > kasan_restore_multi_shot(multishot); > > diff --git a/mm/kasan/common.c b/mm/kasan/common.c > index 242fdc01aaa9..357e02e73163 100644 > --- a/mm/kasan/common.c > +++ b/mm/kasan/common.c > @@ -413,10 +413,20 @@ static inline bool shadow_invalid(u8 tag, s8 shadow_byte) > return tag != (u8)shadow_byte; > } > > +bool kasan_shadow_invalid(const void *object) > +{ > + u8 tag = get_tag(object); > + s8 shadow_byte; > + > + object = reset_tag(object); > + > + shadow_byte = READ_ONCE(*(s8 *)kasan_mem_to_shadow(object)); > + return shadow_invalid(tag, shadow_byte); > +} > + > static bool __kasan_slab_free(struct kmem_cache *cache, void *object, > unsigned long ip, bool quarantine) > { > - s8 shadow_byte; > u8 tag; The tag variable is not used any more in this function, right? If so, it can be removed. > void *tagged_object; > unsigned long rounded_up_size; > @@ -435,8 +445,7 @@ static bool __kasan_slab_free(struct kmem_cache *cache, void *object, > if (unlikely(cache->flags & SLAB_TYPESAFE_BY_RCU)) > return false; > > - shadow_byte = READ_ONCE(*(s8 *)kasan_mem_to_shadow(object)); > - if (shadow_invalid(tag, shadow_byte)) { > + if (kasan_shadow_invalid(tagged_object)) { > kasan_report_invalid_free(tagged_object, ip); > return true; > } > diff --git a/mm/slab.c b/mm/slab.c > index f7117ad9b3a3..3595348c401b 100644 > --- a/mm/slab.c > +++ b/mm/slab.c > @@ -4226,10 +4226,14 @@ size_t ksize(const void *objp) > return 0; > > size = virt_to_cache(objp)->object_size; > - /* We assume that ksize callers could use the whole allocated area, > - * so we need to unpoison this area. > - */ > - kasan_unpoison_shadow(objp, size); > + > + if (!kasan_shadow_invalid(objp)) { > + /* > + * We assume that ksize callers could use the whole allocated > + * area, so we need to unpoison this area. > + */ > + kasan_unpoison_shadow(objp, size); > + } > > return size; > } > diff --git a/mm/slub.c b/mm/slub.c > index cd04dbd2b5d0..28231d30358e 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -3921,10 +3921,13 @@ static size_t __ksize(const void *object) > size_t ksize(const void *object) > { > size_t size = __ksize(object); > - /* We assume that ksize callers could use whole allocated area, > - * so we need to unpoison this area. > - */ > - kasan_unpoison_shadow(object, size); > + if (!kasan_shadow_invalid(object)) { > + /* > + * We assume that ksize callers could use whole allocated area, > + * so we need to unpoison this area. > + */ > + kasan_unpoison_shadow(object, size); > + } I think it's better to add a kasan_ksize() hook that implements this logic. This way we don't have to duplicate it for SLAB and SLUB. In this case we also don't need an exported kasan_shadow_invalid() hook, and its logic can be moved into shadow_invalid(). > return size; > } > EXPORT_SYMBOL(ksize); > -- > 2.22.0.410.gd8fdbe21b5-goog >