Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp5208579pxb; Tue, 5 Oct 2021 20:59:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz8zOzRu+9SVJS+8LjiOQOGJ3bzJtfA5zufgUWd3Ys/279QZT7cKUuaiwYJBsb0zera2zte X-Received: by 2002:a62:6541:0:b0:44c:2988:7d9d with SMTP id z62-20020a626541000000b0044c29887d9dmr22009170pfb.50.1633492773533; Tue, 05 Oct 2021 20:59:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633492773; cv=none; d=google.com; s=arc-20160816; b=uItjP02ktZHyB34IQpiyxveHR+slCkOF2SLNOM6W0GVv9eLKFTs4uw615nwOeJWbvL i4ni3Fket3/p1V02oH4o6DdQDmObqZeNlcyvspplYVOvCdUFXiiHS4aM59l7cH17TAUz JnySMHEBzO4FX03gVR6Aqht/5Mia0qzcBK5Hl6nEO2dWjet/6Q+ZxqqlOUBYA4AGffRO +inZ/cnTWtZVKPsignOns8XSJ83ADrP/YosUOYpong4Osje8ALcmh/ZbX6lMxCdrIh3D 9wnca7I0L8ZzlPzWyiIJYVYD9zg/ZDLNDIQYnEzpek8sQ08OTowky4IdTP5it5oUNQxz Gf6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=b84QyZzxdfWttrk72IQ61VKUmWrKjM777rszm24bGaM=; b=J6IKc8JQ6e+cewlulwcM5I6fjTUC7zLBWjJl7edY4gHLKi+h1w663yT7q7gD2cnP6E 7zsXNK4TN6OqL/EMURrEaG5jnc8/mLuj6e5iy72uoaTg2gfZXym3pPo39qbn6jRhRF6L 1ydbbRMwfPqQCcFz7IcPKXr40MmZH67syQLROrKizwBs/lVtQcFJr1fwDaF89gdmoZj5 dAfM20xLngl7gHqzyLqAT9u8+XQtaZeb5dQAgU3ASSKwIMihfg+5C7rUfVoCoLCTPX1K GqpMYxIXkNIPVZG0UZcxMmUyNQIqk5BErMUElMAXBDooruMFrNeymYSr3P/aQcZD443Z uR8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=LURrqYKe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q7si2060900plx.101.2021.10.05.20.59.19; Tue, 05 Oct 2021 20:59:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=LURrqYKe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230358AbhJFEA2 (ORCPT + 99 others); Wed, 6 Oct 2021 00:00:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32968 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230166AbhJFEAT (ORCPT ); Wed, 6 Oct 2021 00:00:19 -0400 Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4766BC08C5C1 for ; Tue, 5 Oct 2021 20:56:46 -0700 (PDT) Received: by mail-pg1-x531.google.com with SMTP id s75so1264124pgs.5 for ; Tue, 05 Oct 2021 20:56:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=b84QyZzxdfWttrk72IQ61VKUmWrKjM777rszm24bGaM=; b=LURrqYKe8uPYHzUH11ppbTUR0uO0Bztb64979rnO6hUW73LrpVFSwWuNCl1NDlCDVZ Iytf4MzDURalEMfX8EvXzSF7Ab5BUKCl7UcOuTJdrmn4IL65AkFew6NB6iagqN/XzZ0Y C+9VMTGMKbmk+/Su+diio1PMQLNQ0YGZiwpNU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=b84QyZzxdfWttrk72IQ61VKUmWrKjM777rszm24bGaM=; b=hskhFUUnZHZDV0544geE+P86JvL8lhs1qOpH1xk6ar20Oi76tJhj6xhK8SVlvpbXEv QrNiT9s91P80jmv/+gkgKiwgUTBYG6413zI411E4VKXbOGkteMWdgmpW+fOejhvd0nKZ TDNNQx0AWX+xNnmzhTSj2nKpCfjOfx5gJ/3Uz+PFLCikWdIniI8M0jrrO6I/L9/iEfA5 IfBqSwtY/2ec++4wnQP7F4OgciznqiYqElf7BMjOL5BhXdxyZCZn7uYN8b1br22woH8r h6B7I+jyoJUXx9rBAQwXHp6TKnX18io2OFs+611UgA/fZ9Iw50eQ+VOkynsGWM7YCupX /z9w== X-Gm-Message-State: AOAM53335alSZqAm2tW3aERYVZ0Jd3oEX/VpoKgO8ygKDx3jX5e9x1ql PLpKs/f3WnutRb4DkQG14MApBw== X-Received: by 2002:aa7:9209:0:b0:44b:e5d4:d8cb with SMTP id 9-20020aa79209000000b0044be5d4d8cbmr34958352pfo.65.1633492605823; Tue, 05 Oct 2021 20:56:45 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id z23sm19421948pgv.45.2021.10.05.20.56.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Oct 2021 20:56:45 -0700 (PDT) Date: Tue, 5 Oct 2021 20:56:44 -0700 From: Kees Cook To: Jann Horn Cc: Andrew Morton , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Vlastimil Babka , Andy Whitcroft , Dennis Zhou , Dwaipayan Ray , Joe Perches , Lukas Bulwahn , Miguel Ojeda , Nathan Chancellor , Tejun Heo , Daniel Micay , Nick Desaulniers , Masahiro Yamada , Michal Marek , clang-built-linux@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH v3 4/8] slab: Add __alloc_size attributes for better bounds checking Message-ID: <202110052056.F09CD8A@keescook> References: <20210930222704.2631604-1-keescook@chromium.org> <20210930222704.2631604-5-keescook@chromium.org> <20211005184717.65c6d8eb39350395e387b71f@linux-foundation.org> <202110052002.34E998B@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 06, 2021 at 05:22:06AM +0200, Jann Horn wrote: > On Wed, Oct 6, 2021 at 5:06 AM Kees Cook wrote: > > On Tue, Oct 05, 2021 at 06:47:17PM -0700, Andrew Morton wrote: > > > On Thu, 30 Sep 2021 15:27:00 -0700 Kees Cook wrote: > > > > > > > As already done in GrapheneOS, add the __alloc_size attribute for regular > > > > kmalloc interfaces, to provide additional hinting for better bounds > > > > checking, assisting CONFIG_FORTIFY_SOURCE and other compiler > > > > optimizations. > > > > > > x86_64 allmodconfig: > > > > What compiler and version? > > > > > > > > In file included from ./arch/x86/include/asm/preempt.h:7, > > > from ./include/linux/preempt.h:78, > > > from ./include/linux/spinlock.h:55, > > > from ./include/linux/mmzone.h:8, > > > from ./include/linux/gfp.h:6, > > > from ./include/linux/mm.h:10, > > > from ./include/linux/mman.h:5, > > > from lib/test_kasan_module.c:10: > > > In function 'check_copy_size', > > > inlined from 'copy_user_test' at ./include/linux/uaccess.h:191:6: > > > ./include/linux/thread_info.h:213:4: error: call to '__bad_copy_to' declared with attribute error: copy destination size is too small > > > 213 | __bad_copy_to(); > > > | ^~~~~~~~~~~~~~~ > > > In function 'check_copy_size', > > > inlined from 'copy_user_test' at ./include/linux/uaccess.h:199:6: > > > ./include/linux/thread_info.h:211:4: error: call to '__bad_copy_from' declared with attribute error: copy source size is too small > > > 211 | __bad_copy_from(); > > > | ^~~~~~~~~~~~~~~~~ > > > make[1]: *** [lib/test_kasan_module.o] Error 1 > > > make: *** [lib] Error 2 > > > > Hah, yes, it caught an intentionally bad copy. This may bypass the > > check, as I've had to do in LKDTM before. I will test... > > > > diff --git a/lib/test_kasan_module.c b/lib/test_kasan_module.c > > index 7ebf433edef3..9fb2fb2937da 100644 > > --- a/lib/test_kasan_module.c > > +++ b/lib/test_kasan_module.c > > @@ -19,7 +19,12 @@ static noinline void __init copy_user_test(void) > > { > > char *kmem; > > char __user *usermem; > > - size_t size = 128 - KASAN_GRANULE_SIZE; > > + /* > > + * This is marked volatile to avoid __alloc_size() > > + * noticing the intentionally out-of-bounds copys > > + * being done on the allocation. > > + */ > > + volatile size_t size = 128 - KASAN_GRANULE_SIZE; > > Maybe OPTIMIZER_HIDE_VAR()? The normal version of that abuses an empty > asm statement to hide the value from the compiler. Oh! I hadn't seen that before. Is that better than volatile in this case? -- Kees Cook