Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5654699rdb; Wed, 13 Dec 2023 15:38:51 -0800 (PST) X-Google-Smtp-Source: AGHT+IFgAoiOXWSWRNqu2bBUcWsbzhyGQjQELgmNWZT9xdFUBVX3Xkmea9FVligE7MlCKNevxinO X-Received: by 2002:a05:6871:5826:b0:203:3512:e14f with SMTP id oj38-20020a056871582600b002033512e14fmr1246410oac.102.1702510730782; Wed, 13 Dec 2023 15:38:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702510730; cv=none; d=google.com; s=arc-20160816; b=BqYUtoCbG6u2EXwZlTTSpCxWL0zjIECeOg6Ms1PG/jjkkDLZkx+PUcNea8wDVwk3dQ hFKZ9IeTHaBeHF2LvCfkLBT5+iKgQc70olRJLvMVYOprFdnT1EhGe9rsVHu6U2BdIqtq NSEhuvJ1AfcZOcHqOckLNYLFJSasRdztf7MdEOrcCZEpAU9l4d/hoyD8q5AHS2UHSCvA 5+FH2kxpWLSJouJKu+FMbOrEZgHFSCgS6s/MYi2N6mZBKIiVkkmHBok70fkeWvaeYQ0L WUGgNYARlplpNKSMcXEj9gHLeLO+yLM3dssKDN7NIWZq6Kf/ywg+z9TcjVyKpSKQG5jo U+FA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=YWzC8DsQqa6wKXOwz7r3yo3WLfhtbao5IRz+1f0SKy8=; fh=TQATEbdDZNcnk8L2eDP6eFL9HlexFaHIexhR1TH2IlY=; b=Dep6ydk7pw6qSBnsovKZq7sWMenqUbMVvbeY1KUb0qTMSZvtk+xL6fXCCL5Psu7xIx W+j6hchKSbzurCVz5LIciNX2zvH7bq82TE+l/+MQHvezhHxBJczalwKFXf+y0aslaD/Q J+n4Ay/QO7AaJPIXef9j8kdlO3c8yIADsruR9PtA3iKpvpowJp7oBbg/wB++Am/5yEn6 GQ6KeyHQiYffRSuS5TjqvFU1YObrVPx3mISmzJhvFdqYC6497hkq2F8Ncvj6cCdJwCZW qWYud5sf9eT6mMaUOdCm5+iFQsg1UWpOgoE39k86Wo9rObRiI8t1tSkWC0QpshVUbPBD gE+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=aQI3T2vl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2]) by mx.google.com with ESMTPS id u6-20020a631406000000b005c66350f55asi10291627pgl.343.2023.12.13.15.38.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Dec 2023 15:38:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=aQI3T2vl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id 00B2B803207C; Wed, 13 Dec 2023 15:38:46 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1442917AbjLMXiL (ORCPT + 99 others); Wed, 13 Dec 2023 18:38:11 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40454 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1442920AbjLMXhU (ORCPT ); Wed, 13 Dec 2023 18:37:20 -0500 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E91091B5; Wed, 13 Dec 2023 15:37:15 -0800 (PST) Received: from pps.filterd (m0353723.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3BDMSAMJ011063; Wed, 13 Dec 2023 23:37:01 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=YWzC8DsQqa6wKXOwz7r3yo3WLfhtbao5IRz+1f0SKy8=; b=aQI3T2vllsV+ObZJDRe/Zf9Ha5k3riKmZa14HkA1yIdVTqulMezkGv1PRlb3D+odsWxd 43aBga8zFkH/okB6yUB1Psp6qh2cGDODOKf10uUUYVY1DDEKdTLRy3Ngdr34KwEs9psy aLwFIm23nfPiiVVJ7LsIF1efz44qD+2elLgkh9xYw+AUmjO7tvtH4BKfmg3AHx4LGASB AcgLgOJS7sMK/4yIveCHYoxi4YcxL4Pn4UWScsRguxoTfYgXPWx3ZiRyS0NvY71BDEUi s4cGHGjr/B4q8gyiNx8UWqjlr6oiQAFrkYVxAPtq52Y5f03XoV7PbruLURjeArXtZaV/ tQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3uyne6165w-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Dec 2023 23:37:00 +0000 Received: from m0353723.ppops.net (m0353723.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 3BDN63Dk009269; Wed, 13 Dec 2023 23:37:00 GMT Received: from ppma11.dal12v.mail.ibm.com (db.9e.1632.ip4.static.sl-reverse.com [50.22.158.219]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3uyne61605-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Dec 2023 23:36:59 +0000 Received: from pps.filterd (ppma11.dal12v.mail.ibm.com [127.0.0.1]) by ppma11.dal12v.mail.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 3BDNOPrE014136; Wed, 13 Dec 2023 23:36:31 GMT Received: from smtprelay06.fra02v.mail.ibm.com ([9.218.2.230]) by ppma11.dal12v.mail.ibm.com (PPS) with ESMTPS id 3uw592c4fs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Dec 2023 23:36:31 +0000 Received: from smtpav02.fra02v.mail.ibm.com (smtpav02.fra02v.mail.ibm.com [10.20.54.101]) by smtprelay06.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 3BDNaS5539387892 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 13 Dec 2023 23:36:28 GMT Received: from smtpav02.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B36B620043; Wed, 13 Dec 2023 23:36:28 +0000 (GMT) Received: from smtpav02.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 08C3A20040; Wed, 13 Dec 2023 23:36:27 +0000 (GMT) Received: from heavy.boeblingen.de.ibm.com (unknown [9.171.70.156]) by smtpav02.fra02v.mail.ibm.com (Postfix) with ESMTP; Wed, 13 Dec 2023 23:36:26 +0000 (GMT) From: Ilya Leoshkevich To: Alexander Gordeev , Alexander Potapenko , Andrew Morton , Christoph Lameter , David Rientjes , Heiko Carstens , Joonsoo Kim , Marco Elver , Masami Hiramatsu , Pekka Enberg , Steven Rostedt , Vasily Gorbik , Vlastimil Babka Cc: Christian Borntraeger , Dmitry Vyukov , Hyeonggon Yoo <42.hyeyoo@gmail.com>, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-s390@vger.kernel.org, linux-trace-kernel@vger.kernel.org, Mark Rutland , Roman Gushchin , Sven Schnelle , Ilya Leoshkevich Subject: [PATCH v3 12/34] kmsan: Support SLAB_POISON Date: Thu, 14 Dec 2023 00:24:32 +0100 Message-ID: <20231213233605.661251-13-iii@linux.ibm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231213233605.661251-1-iii@linux.ibm.com> References: <20231213233605.661251-1-iii@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-GUID: ZPYGJjS1ND9T0j1SVbC9BdaZjseEeUwb X-Proofpoint-ORIG-GUID: mB8Th-NtdbtQGDfs5uCnRJQbqp4W6oNm X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-12-13_14,2023-12-13_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 phishscore=0 clxscore=1015 malwarescore=0 mlxscore=0 spamscore=0 bulkscore=0 mlxlogscore=999 lowpriorityscore=0 suspectscore=0 priorityscore=1501 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2311290000 definitions=main-2312130167 X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Wed, 13 Dec 2023 15:38:47 -0800 (PST) Avoid false KMSAN negatives with SLUB_DEBUG by allowing kmsan_slab_free() to poison the freed memory, and by preventing init_object() from unpoisoning new allocations by using __memset(). There are two alternatives to this approach. First, init_object() can be marked with __no_sanitize_memory. This annotation should be used with great care, because it drops all instrumentation from the function, and any shadow writes will be lost. Even though this is not a concern with the current init_object() implementation, this may change in the future. Second, kmsan_poison_memory() calls may be added after memset() calls. The downside is that init_object() is called from free_debug_processing(), in which case poisoning will erase the distinction between simply uninitialized memory and UAF. Signed-off-by: Ilya Leoshkevich --- mm/kmsan/hooks.c | 2 +- mm/slub.c | 13 +++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c index 3acf010c9814..21004eeee240 100644 --- a/mm/kmsan/hooks.c +++ b/mm/kmsan/hooks.c @@ -74,7 +74,7 @@ void kmsan_slab_free(struct kmem_cache *s, void *object) return; /* RCU slabs could be legally used after free within the RCU period */ - if (unlikely(s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))) + if (unlikely(s->flags & SLAB_TYPESAFE_BY_RCU)) return; /* * If there's a constructor, freed memory must remain in the same state diff --git a/mm/slub.c b/mm/slub.c index 63d281dfacdb..b111bc315e3f 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1030,7 +1030,12 @@ static void init_object(struct kmem_cache *s, void *object, u8 val) unsigned int poison_size = s->object_size; if (s->flags & SLAB_RED_ZONE) { - memset(p - s->red_left_pad, val, s->red_left_pad); + /* + * Use __memset() here and below in order to avoid overwriting + * the KMSAN shadow. Keeping the shadow makes it possible to + * distinguish uninit-value from use-after-free. + */ + __memset(p - s->red_left_pad, val, s->red_left_pad); if (slub_debug_orig_size(s) && val == SLUB_RED_ACTIVE) { /* @@ -1043,12 +1048,12 @@ static void init_object(struct kmem_cache *s, void *object, u8 val) } if (s->flags & __OBJECT_POISON) { - memset(p, POISON_FREE, poison_size - 1); - p[poison_size - 1] = POISON_END; + __memset(p, POISON_FREE, poison_size - 1); + __memset(p + poison_size - 1, POISON_END, 1); } if (s->flags & SLAB_RED_ZONE) - memset(p + poison_size, val, s->inuse - poison_size); + __memset(p + poison_size, val, s->inuse - poison_size); } static void restore_bytes(struct kmem_cache *s, char *message, u8 data, -- 2.43.0