Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp5966964ybx; Mon, 11 Nov 2019 01:31:31 -0800 (PST) X-Google-Smtp-Source: APXvYqxqxQB6A7I00Dl0ReCMTdjgVetd7BJa+JBE7hT1bW7Rxi9xzxBkPOSVfJ3O6ObX2UZVdvdP X-Received: by 2002:a17:906:2e81:: with SMTP id o1mr21642704eji.284.1573464691625; Mon, 11 Nov 2019 01:31:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573464691; cv=none; d=google.com; s=arc-20160816; b=jawMlrdBmow6L9H83cr7KixkIdQzekaEHMu8iuUpfWC7dskrp7a+6c8Qq3AAFBAPK6 UBnIpSYaoaCp0z2KQpAAeMMua0xyCopw1JDBxxh433UsQOau9UlnZhFEJIz20YKkDUws s8pDESobn4oGxP6b65nY4WmRD1I6E1VYTe/ak32t3JIA/VW7qhQ1gQBE90f8xXn76cfC j1O72WKf0+IdQW60mV42pUtuM2OIQ3IliKbXAnu8hd+8NCuUhEJwlP4LvDqR7zezTkVa ICwE2gHkpbX39CE0u11uEgTmGSExi6j4qIUmRqJMl70UCsvFoinZigYA2kPzhddy9pKI 2jCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=ZWs7Q8BoDGnMECJcYrgtTA776G+F4DlAE1GcBF/cp5w=; b=PN/4Il//33O0a5E6VUL3vxrvE7dF1AMFFq8J4lIcCiABxyxjkCiK6GRzNG/sB9Ok+E N4iLEZL9SW/puUxv3+DAfM0fJ7r2CBeoZXV11iWb+iJ//HNz94jPJ48MdV8/Cz69g8r/ /pDqkULpTEwIG6c+0BikU+0UynANNpE/zEAb/upCBLdxZ/LDCMjp8hwrM3zOTm7t8U6+ kay7Tj83UUuSCjLF4XKb5Nup6Aueb/Q6T1E41mBPst4OGk94yQiG0MCHt3TCUaBwGltL svOmpgCvJln3C5ssVTdc2iwraPcFBYcDd805i8JmSpjEajw8JKXwWgYXUWnYFXLsP6At Ke+A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l12si11901666edk.60.2019.11.11.01.31.06; Mon, 11 Nov 2019 01:31:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726878AbfKKJab (ORCPT + 99 others); Mon, 11 Nov 2019 04:30:31 -0500 Received: from relay.sw.ru ([185.231.240.75]:60582 "EHLO relay.sw.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726804AbfKKJab (ORCPT ); Mon, 11 Nov 2019 04:30:31 -0500 Received: from dhcp-172-16-25-5.sw.ru ([172.16.25.5]) by relay.sw.ru with esmtp (Exim 4.92.3) (envelope-from ) id 1iU61K-0001Yc-OX; Mon, 11 Nov 2019 12:30:02 +0300 Subject: Re: [PATCH v3 1/2] kasan: detect negative size in memory operation function To: Walter Wu Cc: Alexander Potapenko , Dmitry Vyukov , Matthias Brugger , kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, wsd_upstream References: <20191104020519.27988-1-walter-zh.wu@mediatek.com> <34bf9c08-d2f2-a6c6-1dbe-29b1456d8284@virtuozzo.com> <1573456464.20611.45.camel@mtksdccf07> From: Andrey Ryabinin Message-ID: <757f0296-7fa0-0e5e-8490-3eca52da41ad@virtuozzo.com> Date: Mon, 11 Nov 2019 12:29:51 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0 MIME-Version: 1.0 In-Reply-To: <1573456464.20611.45.camel@mtksdccf07> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/11/19 10:14 AM, Walter Wu wrote: > On Sat, 2019-11-09 at 01:31 +0300, Andrey Ryabinin wrote: >> >> On 11/4/19 5:05 AM, Walter Wu wrote: >> >>> >>> diff --git a/mm/kasan/common.c b/mm/kasan/common.c >>> index 6814d6d6a023..4ff67e2fd2db 100644 >>> --- a/mm/kasan/common.c >>> +++ b/mm/kasan/common.c >>> @@ -99,10 +99,14 @@ bool __kasan_check_write(const volatile void *p, unsigned int size) >>> } >>> EXPORT_SYMBOL(__kasan_check_write); >>> >>> +extern bool report_enabled(void); >>> + >>> #undef memset >>> void *memset(void *addr, int c, size_t len) >>> { >>> - check_memory_region((unsigned long)addr, len, true, _RET_IP_); >>> + if (report_enabled() && >>> + !check_memory_region((unsigned long)addr, len, true, _RET_IP_)) >>> + return NULL; >>> >>> return __memset(addr, c, len); >>> } >>> @@ -110,8 +114,10 @@ void *memset(void *addr, int c, size_t len) >>> #undef memmove >>> void *memmove(void *dest, const void *src, size_t len) >>> { >>> - check_memory_region((unsigned long)src, len, false, _RET_IP_); >>> - check_memory_region((unsigned long)dest, len, true, _RET_IP_); >>> + if (report_enabled() && >>> + (!check_memory_region((unsigned long)src, len, false, _RET_IP_) || >>> + !check_memory_region((unsigned long)dest, len, true, _RET_IP_))) >>> + return NULL; >>> >>> return __memmove(dest, src, len); >>> } >>> @@ -119,8 +125,10 @@ void *memmove(void *dest, const void *src, size_t len) >>> #undef memcpy >>> void *memcpy(void *dest, const void *src, size_t len) >>> { >>> - check_memory_region((unsigned long)src, len, false, _RET_IP_); >>> - check_memory_region((unsigned long)dest, len, true, _RET_IP_); >>> + if (report_enabled() && >> >> report_enabled() checks seems to be useless. >> > > Hi Andrey, > > If it doesn't have report_enable(), then it will have below the error. > We think it should be x86 shadow memory is invalid value before KASAN > initialized, it will have some misjudgments to do directly return when > it detects invalid shadow value in memset()/memcpy()/memmove(). So we > add report_enable() to avoid this happening. but we should only use the > condition "current->kasan_depth == 0" to determine if KASAN is > initialized. And we try it is pass at x86. > Ok, I see. It just means that check_memory_region() return incorrect result in early stages of boot. So, the right way to deal with this would be making kasan_report() to return bool ("false" if no report and "true" if reported) and propagate this return value up to check_memory_region(). >>> diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c >>> index 36c645939bc9..52a92c7db697 100644 >>> --- a/mm/kasan/generic_report.c >>> +++ b/mm/kasan/generic_report.c >>> @@ -107,6 +107,24 @@ static const char *get_wild_bug_type(struct kasan_access_info *info) >>> >>> const char *get_bug_type(struct kasan_access_info *info) >>> { >>> + /* >>> + * If access_size is negative numbers, then it has three reasons >>> + * to be defined as heap-out-of-bounds bug type. >>> + * 1) Casting negative numbers to size_t would indeed turn up as >>> + * a large size_t and its value will be larger than ULONG_MAX/2, >>> + * so that this can qualify as out-of-bounds. >>> + * 2) If KASAN has new bug type and user-space passes negative size, >>> + * then there are duplicate reports. So don't produce new bug type >>> + * in order to prevent duplicate reports by some systems >>> + * (e.g. syzbot) to report the same bug twice. >>> + * 3) When size is negative numbers, it may be passed from user-space. >>> + * So we always print heap-out-of-bounds in order to prevent that >>> + * kernel-space and user-space have the same bug but have duplicate >>> + * reports. >>> + */ >> >> Completely fail to understand 2) and 3). 2) talks something about *NOT* producing new bug >> type, but at the same time you code actually does that. >> 3) says something about user-space which have nothing to do with kasan. >> > about 2) > We originally think the heap-out-of-bounds is similar to > heap-buffer-overflow, maybe we should change the bug type to > heap-buffer-overflow. There is no "heap-buffer-overflow". > > about 3) > Our idea is just to always print "heap-out-of-bounds" and don't > differentiate if the size come from user-space or not. Still doesn't make sence to me. KASAN doesn't differentiate if the size coming from user-space or not. It simply doesn't have any way of knowing from where is the size coming from.