Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp12873517rwb; Sat, 26 Nov 2022 17:22:35 -0800 (PST) X-Google-Smtp-Source: AA0mqf6ujzQT++r2KTWwcN/RYZ05Rzf0QvhClTcMnWDpkyhTZ4CIgtDAzUVbySUs/VAGrdIZkLAn X-Received: by 2002:a05:6402:2409:b0:45c:935b:ae15 with SMTP id t9-20020a056402240900b0045c935bae15mr19756604eda.357.1669512155125; Sat, 26 Nov 2022 17:22:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669512155; cv=none; d=google.com; s=arc-20160816; b=GkojokLYKSUpYpXn4YAAI/6ouJyUyNNp1/sAfImt9lqRczWPGCJQe4v0SMZBM9ZWqI gNnYGW+h0aJ7pLxa9QLzn2oeDw3R3zp0A8iKQrnwFTcTfIaaab18lGvl3xgMnbu/+9XF A0hzNGEcoyHBUhd1YbH9i1Zw8EmC/gmk7a4E0QsZ++9EcOzLcEpvUFpdUTSP8Uh2/AYU SNgeFo3JgzP5kmU3Js+cGujfjlmQbXDj888SgKRqLmRZchHJdHQ07/HG0vlaHhSX0b4J pQ0+4me6aG8UtOaeltC4nuhQ2N5bT40Gr/Z9hy+eQ0W+u7zboCxrkFet5H4XVxw6jjx4 X/FQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=FsLJX0InAbt1kTuvXLVor2ZX32CfM2qEUmM/5HpvT0k=; b=tUlVr+Wj49Pj4n1VetW27XPJIsgNrsnRN17W9299d57QgfM/HEwBUziYYZIQxm/O7P T7GNeRYf76eEnDcBoufljtmByXdHE5I32UpDapGp3B9ypJyFRo72JcUKOw8atfGJdlWm RanWaJfaB7Swccbban7e3VyX3mhpi5jhz+LAdtov+A6LbsC1fvdj3Rg2p2ruq/WH10Qz z5GtFBuqaVRxd9M2P1ARnydRGQrpWqJOZE9Wqd05LXTDHnzszRfzMXHD7kDVbQrkB8yH 0Zq1IA6De4ycQlWOJmfIAGhlzeriTAaQhXpMXqR62psSGDZheTf120iG00y2RN8nRO0h 8dbw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=TX4xrszZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ne3-20020a1709077b8300b007ad6a0afbc6si7136137ejc.7.2022.11.26.17.22.09; Sat, 26 Nov 2022 17:22:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=TX4xrszZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229500AbiK0AzQ (ORCPT + 85 others); Sat, 26 Nov 2022 19:55:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52016 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229453AbiK0AzP (ORCPT ); Sat, 26 Nov 2022 19:55:15 -0500 Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FCABE54 for ; Sat, 26 Nov 2022 16:55:14 -0800 (PST) Received: by mail-pl1-x634.google.com with SMTP id jn7so7062097plb.13 for ; Sat, 26 Nov 2022 16:55:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=FsLJX0InAbt1kTuvXLVor2ZX32CfM2qEUmM/5HpvT0k=; b=TX4xrszZ73TLZMRLzOtqL582Nxzu/yrD4HfU99RN3oNyKJ3LN7xrw8jELReSbxqhLc R/C7r8S9aPqKc4mLuSphopRGYkMrGuyaFEcLH/zLG1Hk4AFsHw4lyXNzjxdq7PJlWlq4 yj9ajMuSinkA7YHL44VSc/tZ4f6Vzmd5LKE6I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=FsLJX0InAbt1kTuvXLVor2ZX32CfM2qEUmM/5HpvT0k=; b=qVbcDtslOh1DlcxLWcXmVGw/T7Mr60Oy1Yt3XS8GXKAZdaxBUOfapUSBLMDO1ZgGUV NOvjyLlvQl9BQF07DKaFTtKky6Hgp6hLvwHynJ0L/CKNln2T3Q5lFk0ovVOZSezxCjv1 ktqTn92L+wl3a5soJGQi/U8+rbRaAu4vQPNvq78+JztNZfBmv/LoV9R+0tnBHwmntS4d oBUAZZN0f0DeA3LhFSrj/ddnHens/Fgl9i65GvLrK+lCFA6frshB+/mGLcZt3IjWxWZP +IsOeAH+i0tNg99hESa9MABZPC4/XeAr7xF4cdGbX9LJh6LxaHmMGJqzr0UwYOJ9D5jY k1Gg== X-Gm-Message-State: ANoB5pkTKOxKalEGhIYZYg6BBkjmwkFYkHEBj4n4rXkvdm1flJQqS6iN udFbfF5rW5JSmNc18pRev1VgKw== X-Received: by 2002:a17:903:1ce:b0:186:a2ef:7a69 with SMTP id e14-20020a17090301ce00b00186a2ef7a69mr25665561plh.77.1669510513461; Sat, 26 Nov 2022 16:55:13 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 70-20020a621749000000b0056da073b2b7sm5250323pfx.210.2022.11.26.16.55.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 26 Nov 2022 16:55:12 -0800 (PST) Date: Sat, 26 Nov 2022 16:55:11 -0800 From: Kees Cook To: Andrey Konovalov Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Vincenzo Frascino , linux-mm@kvack.org, kasan-dev@googlegroups.com, Vlastimil Babka , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH v2] mm: Make ksize() a reporting-only function Message-ID: <202211261654.5F276B51B@keescook> References: <20221118035656.gonna.698-kees@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Nov 26, 2022 at 06:04:39PM +0100, Andrey Konovalov wrote: > On Fri, Nov 18, 2022 at 4:57 AM Kees Cook wrote: > > > > With all "silently resizing" callers of ksize() refactored, remove the > > logic in ksize() that would allow it to be used to effectively change > > the size of an allocation (bypassing __alloc_size hints, etc). Users > > wanting this feature need to either use kmalloc_size_roundup() before an > > allocation, or use krealloc() directly. > > > > For kfree_sensitive(), move the unpoisoning logic inline. Replace the > > some of the partially open-coded ksize() in __do_krealloc with ksize() > > now that it doesn't perform unpoisoning. > > > > Adjust the KUnit tests to match the new ksize() behavior. > > > > Cc: Andrey Konovalov > > Cc: Christoph Lameter > > Cc: Pekka Enberg > > Cc: David Rientjes > > Cc: Joonsoo Kim > > Cc: Andrew Morton > > Cc: Roman Gushchin > > Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com> > > Cc: Andrey Ryabinin > > Cc: Alexander Potapenko > > Cc: Dmitry Vyukov > > Cc: Vincenzo Frascino > > Cc: linux-mm@kvack.org > > Cc: kasan-dev@googlegroups.com > > Acked-by: Vlastimil Babka > > Signed-off-by: Kees Cook > > --- > > v2: > > - improve kunit test precision (andreyknvl) > > - add Ack (vbabka) > > v1: https://lore.kernel.org/all/20221022180455.never.023-kees@kernel.org > > --- > > mm/kasan/kasan_test.c | 14 +++++++++----- > > mm/slab_common.c | 26 ++++++++++---------------- > > 2 files changed, 19 insertions(+), 21 deletions(-) > > > > diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c > > index 7502f03c807c..fc4b22916587 100644 > > --- a/mm/kasan/kasan_test.c > > +++ b/mm/kasan/kasan_test.c > > @@ -821,7 +821,7 @@ static void kasan_global_oob_left(struct kunit *test) > > KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); > > } > > > > -/* Check that ksize() makes the whole object accessible. */ > > +/* Check that ksize() does NOT unpoison whole object. */ > > static void ksize_unpoisons_memory(struct kunit *test) > > { > > char *ptr; > > @@ -829,15 +829,19 @@ static void ksize_unpoisons_memory(struct kunit *test) > > > > ptr = kmalloc(size, GFP_KERNEL); > > KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > > + > > real_size = ksize(ptr); > > + KUNIT_EXPECT_GT(test, real_size, size); > > > > OPTIMIZER_HIDE_VAR(ptr); > > > > - /* This access shouldn't trigger a KASAN report. */ > > - ptr[size] = 'x'; > > + /* These accesses shouldn't trigger a KASAN report. */ > > + ptr[0] = 'x'; > > + ptr[size - 1] = 'x'; > > > > - /* This one must. */ > > - KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size]); > > + /* These must trigger a KASAN report. */ > > + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]); > > + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size - 1]); > > Hi Kees, > > I just realized there's an issue here with the tag-based modes, as > they align the unpoisoned area to 16 bytes. > > One solution would be to change the allocation size to 128 - > KASAN_GRANULE_SIZE - 5, the same way kmalloc_oob_right test does it, > so that the last 16-byte granule won't get unpoisoned for the > tag-based modes. And then check that the ptr[size] access fails only > for the Generic mode. Ah! Good point. Are you able to send a patch? I suspect you know exactly what to change; it might take me a bit longer to double-check all of those details. -Kees -- Kees Cook