Commit 611806b4 authored by Andrey Konovalov's avatar Andrey Konovalov Committed by Linus Torvalds
Browse files

kasan: fix bug detection via ksize for HW_TAGS mode 

The currently existing kasan_check_read/write() annotations are intended
to be used for kernel modules that have KASAN compiler instrumentation
disabled. Thus, they are only relevant for the software KASAN modes that
rely on compiler instrumentation.

However there's another use case for these annotations: ksize() checks
that the object passed to it is indeed accessible before unpoisoning the
whole object. This is currently done via __kasan_check_read(), which is
compiled away for the hardware tag-based mode that doesn't rely on
compiler instrumentation. This leads to KASAN missing detecting some
memory corruptions.

Provide another annotation called kasan_check_byte() that is available
for all KASAN modes. As the implementation rename and reuse
kasan_check_invalid_free(). Use this new annotation in ksize().
To avoid having ksize() as the top frame in the reported stack trace
pass _RET_IP_ to __kasan_check_byte().

Also add a new ksize_uaf() test that checks that a use-after-free is
detected via ksize() itself, and via plain accesses that happen later.

Link: https://linux-review.googlesource.com/id/Iaabf771881d0f9ce1b969f2a62938e99d3308ec5
Link: https://lkml.kernel.org/r/f32ad74a60b28d8402482a38476f02bb7600f620.1610733117.git.andreyknvl@google.com


Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Reviewed-by: default avatarMarco Elver <elver@google.com>
Reviewed-by: default avatarAlexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Branislav Rankov <Branislav.Rankov@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Evgenii Stepanov <eugenis@google.com>
Cc: Kevin Brodsky <kevin.brodsky@arm.com>
Cc: Peter Collingbourne <pcc@google.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 027b37b5

include/linux/kasan-checks.h

+6 −0
Original line number Diff line number Diff line
@@ -4,6 +4,12 @@ 


#include <linux/types.h>



/*

 * The annotations present in this file are only relevant for the software

 * KASAN modes that rely on compiler instrumentation, and will be optimized

 * away for the hardware tag-based KASAN mode. Use kasan_check_byte() instead.

 */



/*

 * __kasan_check_*: Always available when KASAN is enabled. This may be used

 * even in compilation units that selectively disable KASAN, but must use KASAN

include/linux/kasan.h

+17 −0
Original line number Diff line number Diff line
@@ -246,6 +246,19 @@ static __always_inline void kasan_kfree_large(void *ptr) 
		__kasan_kfree_large(ptr, _RET_IP_);

}



/*

 * Unlike kasan_check_read/write(), kasan_check_byte() is performed even for

 * the hardware tag-based mode that doesn't rely on compiler instrumentation.

 */

bool __kasan_check_byte(const void *addr, unsigned long ip);

static __always_inline bool kasan_check_byte(const void *addr)

{

	if (kasan_enabled())

		return __kasan_check_byte(addr, _RET_IP_);

	return true;

}





bool kasan_save_enable_multi_shot(void);

void kasan_restore_multi_shot(bool enabled);
@@ -301,6 +314,10 @@ static inline void *kasan_krealloc(const void *object, size_t new_size, 
	return (void *)object;

}

static inline void kasan_kfree_large(void *ptr) {}

static inline bool kasan_check_byte(const void *address)

{

	return true;

}



#endif /* CONFIG_KASAN */

lib/test_kasan.c

+20 −0
Original line number Diff line number Diff line
@@ -496,6 +496,7 @@ static void kasan_global_oob(struct kunit *test) 
	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);

}



/* Check that ksize() makes the whole object accessible. */

static void ksize_unpoisons_memory(struct kunit *test)

{

	char *ptr;
@@ -514,6 +515,24 @@ static void ksize_unpoisons_memory(struct kunit *test) 
	kfree(ptr);

}



/*

 * Check that a use-after-free is detected by ksize() and via normal accesses

 * after it.

 */

static void ksize_uaf(struct kunit *test)

{

	char *ptr;

	int size = 128 - KASAN_GRANULE_SIZE;



	ptr = kmalloc(size, GFP_KERNEL);

	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	kfree(ptr);



	KUNIT_EXPECT_KASAN_FAIL(test, ksize(ptr));

	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = *ptr);

	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = *(ptr + size));

}



static void kasan_stack_oob(struct kunit *test)

{

	char stack_array[10];
@@ -907,6 +926,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { 
	KUNIT_CASE(kasan_alloca_oob_left),

	KUNIT_CASE(kasan_alloca_oob_right),

	KUNIT_CASE(ksize_unpoisons_memory),

	KUNIT_CASE(ksize_uaf),

	KUNIT_CASE(kmem_cache_double_free),

	KUNIT_CASE(kmem_cache_invalid_free),

	KUNIT_CASE(kasan_memchr),

mm/kasan/common.c

+10 −1
Original line number Diff line number Diff line
@@ -345,7 +345,7 @@ static bool ____kasan_slab_free(struct kmem_cache *cache, void *object, 
	if (unlikely(cache->flags & SLAB_TYPESAFE_BY_RCU))

		return false;



	if (kasan_check_invalid_free(tagged_object)) {

	if (!kasan_byte_accessible(tagged_object)) {

		kasan_report_invalid_free(tagged_object, ip);

		return true;

	}
@@ -490,3 +490,12 @@ void __kasan_kfree_large(void *ptr, unsigned long ip) 
		kasan_report_invalid_free(ptr, ip);

	/* The object will be poisoned by kasan_free_pages(). */

}



bool __kasan_check_byte(const void *address, unsigned long ip)

{

	if (!kasan_byte_accessible(address)) {

		kasan_report((unsigned long)address, 1, false, ip);

		return false;

	}

	return true;

}

mm/kasan/generic.c

+2 −2
Original line number Diff line number Diff line
@@ -185,11 +185,11 @@ bool kasan_check_range(unsigned long addr, size_t size, bool write, 
	return check_region_inline(addr, size, write, ret_ip);

}



bool kasan_check_invalid_free(void *addr)

bool kasan_byte_accessible(const void *addr)

{

	s8 shadow_byte = READ_ONCE(*(s8 *)kasan_mem_to_shadow(addr));



	return shadow_byte < 0 || shadow_byte >= KASAN_GRANULE_SIZE;

	return shadow_byte >= 0 && shadow_byte < KASAN_GRANULE_SIZE;

}



void kasan_cache_shrink(struct kmem_cache *cache)