Re: [PATCH v5] mm, kasan, kmsan: copy_from/to_kernel_nofault
From: Andrey Konovalov
Date: Thu Oct 10 2024 - 17:39:34 EST
On Thu, Oct 10, 2024 at 3:10 PM Sabyrzhan Tasbolatov
<snovitoll@xxxxxxxxx> wrote:
>
> diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
> index a181e4780d9d..cb6ad84641ec 100644
> --- a/mm/kasan/kasan_test_c.c
> +++ b/mm/kasan/kasan_test_c.c
> @@ -1954,6 +1954,42 @@ static void rust_uaf(struct kunit *test)
> KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
> }
>
> +static void copy_to_kernel_nofault_oob(struct kunit *test)
> +{
> + char *ptr;
> + char buf[128];
> + size_t size = sizeof(buf);
> +
> + /* This test currently fails with the HW_TAGS mode.
> + * The reason is unknown and needs to be investigated. */
> + ptr = kmalloc(size - KASAN_GRANULE_SIZE, GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
> + OPTIMIZER_HIDE_VAR(ptr);
> +
> + if (IS_ENABLED(CONFIG_KASAN_SW_TAGS)) {
> + /* Check that the returned pointer is tagged. */
> + KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
> + KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
> + }
It appears you deleted a wrong check. I meant the checks above, not
the CONFIG_KASAN_HW_TAGS one.
> +
> + /*
> + * We test copy_to_kernel_nofault() to detect corrupted memory that is
> + * being written into the kernel. In contrast, copy_from_kernel_nofault()
> + * is primarily used in kernel helper functions where the source address
> + * might be random or uninitialized. Applying KASAN instrumentation to
> + * copy_from_kernel_nofault() could lead to false positives.
> + * By focusing KASAN checks only on copy_to_kernel_nofault(),
> + * we ensure that only valid memory is written to the kernel,
> + * minimizing the risk of kernel corruption while avoiding
> + * false positives in the reverse case.
> + */
> + KUNIT_EXPECT_KASAN_FAIL(test,
> + copy_to_kernel_nofault(&buf[0], ptr, size));
> + KUNIT_EXPECT_KASAN_FAIL(test,
> + copy_to_kernel_nofault(ptr, &buf[0], size));
Nit: empty line before kfree.
> + kfree(ptr);
> +}
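Review bot: The comment at the top of copy_to_kernel_nofault_oob() says the test "currently fails with the HW_TAGS mode", but nothing in the function skips it when CONFIG_KASAN_HW_TAGS is enabled, so the comment no longer matches the code; either restore a skip for that config or drop the comment. While touching it, the block should use the kernel's multi-line comment style (`/*` on its own line), as the second comment in the function already does. The rationale paragraph before the two KUNIT_EXPECT_KASAN_FAIL() calls mostly describes copy_from_kernel_nofault(), which this test never calls; that reasoning belongs in the commit message, with at most a one-line note here saying that both the source and the destination of copy_to_kernel_nofault() are expected to be checked.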