Re: [PATCH v6] mm, kasan, kmsan: copy_from/to_kernel_nofault
From: Andrey Konovalov
Date: Sat Oct 12 2024 - 18:45:58 EST
On Fri, Oct 11, 2024 at 5:52 AM Sabyrzhan Tasbolatov
<snovitoll@xxxxxxxxx> wrote:
>
> Instrument copy_from_kernel_nofault() with KMSAN for uninitialized kernel
> memory check and copy_to_kernel_nofault() with KASAN, KCSAN to detect
> the memory corruption.
>
> syzbot reported that bpf_probe_read_kernel() kernel helper triggered
> KASAN report via kasan_check_range() which is not the expected behaviour
> as copy_from_kernel_nofault() is meant to be a non-faulting helper.
>
> Solution is, suggested by Marco Elver, to replace KASAN, KCSAN check in
> copy_from_kernel_nofault() with KMSAN detection of copying uninitilaized
> kernel memory. In copy_to_kernel_nofault() we can retain
> instrument_write() explicitly for the memory corruption instrumentation.
For future reference: please write commit messages in a way that is
readable standalone. I.e. without obscured references to the
discussions or problems in the previous versions of the patch. It's
fine to give such references in itself, but you need to give enough
context in the commit message to make it understandable without
looking up those discussions.
> copy_to_kernel_nofault() is tested on x86_64 and arm64 with
> CONFIG_KASAN_SW_TAGS. On arm64 with CONFIG_KASAN_HW_TAGS,
> kunit test currently fails. Need more clarification on it.
>
> Link: https://lore.kernel.org/linux-mm/CANpmjNMAVFzqnCZhEity9cjiqQ9CVN1X7qeeeAp_6yKjwKo8iw@xxxxxxxxxxxxxx/
> Reviewed-by: Marco Elver <elver@xxxxxxxxxx>
> Reported-by: syzbot+61123a5daeb9f7454599@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=61123a5daeb9f7454599
> Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxx>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=210505
> Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@xxxxxxxxx>
> ---
> v2:
> - squashed previous submitted in -mm tree 2 patches based on Linus tree
> v3:
> - moved checks to *_nofault_loop macros per Marco's comments
> - edited the commit message
> v4:
> - replaced Suggested-by with Reviewed-by
> v5:
> - addressed Andrey's comment on deleting CONFIG_KASAN_HW_TAGS check in
> mm/kasan/kasan_test_c.c
> - added explanatory comment in kasan_test_c.c
> - added Suggested-by: Marco Elver back per Andrew's comment.
> v6:
> - deleted checks KASAN_TAG_MIN, KASAN_TAG_KERNEL per Andrey's comment.
> - added empty line before kfree.
> ---
> mm/kasan/kasan_test_c.c | 34 ++++++++++++++++++++++++++++++++++
> mm/kmsan/kmsan_test.c | 17 +++++++++++++++++
> mm/maccess.c | 10 ++++++++--
> 3 files changed, 59 insertions(+), 2 deletions(-)
>
> diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
> index a181e4780d9d..716f2cac9708 100644
> --- a/mm/kasan/kasan_test_c.c
> +++ b/mm/kasan/kasan_test_c.c
> @@ -1954,6 +1954,39 @@ static void rust_uaf(struct kunit *test)
> KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
> }
>
> +static void copy_to_kernel_nofault_oob(struct kunit *test)
> +{
> + char *ptr;
> + char buf[128];
> + size_t size = sizeof(buf);
> +
> + /* This test currently fails with the HW_TAGS mode.
> + * The reason is unknown and needs to be investigated. */
> + KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS);
> +
> + ptr = kmalloc(size - KASAN_GRANULE_SIZE, GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
> + OPTIMIZER_HIDE_VAR(ptr);
> +
> + /*
> + * We test copy_to_kernel_nofault() to detect corrupted memory that is
> + * being written into the kernel. In contrast, copy_from_kernel_nofault()
> + * is primarily used in kernel helper functions where the source address
> + * might be random or uninitialized. Applying KASAN instrumentation to
> + * copy_from_kernel_nofault() could lead to false positives.
> + * By focusing KASAN checks only on copy_to_kernel_nofault(),
> + * we ensure that only valid memory is written to the kernel,
> + * minimizing the risk of kernel corruption while avoiding
> + * false positives in the reverse case.
> + */
> + KUNIT_EXPECT_KASAN_FAIL(test,
> + copy_to_kernel_nofault(&buf[0], ptr, size));
> + KUNIT_EXPECT_KASAN_FAIL(test,
> + copy_to_kernel_nofault(ptr, &buf[0], size));
> +
> + kfree(ptr);
> +}
> +
> static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(kmalloc_oob_right),
> KUNIT_CASE(kmalloc_oob_left),
> @@ -2027,6 +2060,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(match_all_not_assigned),
> KUNIT_CASE(match_all_ptr_tag),
> KUNIT_CASE(match_all_mem_tag),
> + KUNIT_CASE(copy_to_kernel_nofault_oob),
> KUNIT_CASE(rust_uaf),
> {}
> };
> diff --git a/mm/kmsan/kmsan_test.c b/mm/kmsan/kmsan_test.c
> index 13236d579eba..9733a22c46c1 100644
> --- a/mm/kmsan/kmsan_test.c
> +++ b/mm/kmsan/kmsan_test.c
> @@ -640,6 +640,22 @@ static void test_unpoison_memory(struct kunit *test)
> KUNIT_EXPECT_TRUE(test, report_matches(&expect));
> }
>
> +static void test_copy_from_kernel_nofault(struct kunit *test)
> +{
> + long ret;
> + char buf[4], src[4];
> + size_t size = sizeof(buf);
> +
> + EXPECTATION_UNINIT_VALUE_FN(expect, "copy_from_kernel_nofault");
> + kunit_info(
> + test,
> + "testing copy_from_kernel_nofault with uninitialized memory\n");
> +
> + ret = copy_from_kernel_nofault((char *)&buf[0], (char *)&src[0], size);
> + USE(ret);
> + KUNIT_EXPECT_TRUE(test, report_matches(&expect));
> +}
> +
> static struct kunit_case kmsan_test_cases[] = {
> KUNIT_CASE(test_uninit_kmalloc),
> KUNIT_CASE(test_init_kmalloc),
> @@ -664,6 +680,7 @@ static struct kunit_case kmsan_test_cases[] = {
> KUNIT_CASE(test_long_origin_chain),
> KUNIT_CASE(test_stackdepot_roundtrip),
> KUNIT_CASE(test_unpoison_memory),
> + KUNIT_CASE(test_copy_from_kernel_nofault),
> {},
> };
>
> diff --git a/mm/maccess.c b/mm/maccess.c
> index 518a25667323..3ca55ec63a6a 100644
> --- a/mm/maccess.c
> +++ b/mm/maccess.c
> @@ -13,9 +13,14 @@ bool __weak copy_from_kernel_nofault_allowed(const void *unsafe_src,
> return true;
> }
>
> +/*
> + * The below only uses kmsan_check_memory() to ensure uninitialized kernel
> + * memory isn't leaked.
> + */
> #define copy_from_kernel_nofault_loop(dst, src, len, type, err_label) \
> while (len >= sizeof(type)) { \
> - __get_kernel_nofault(dst, src, type, err_label); \
> + __get_kernel_nofault(dst, src, type, err_label); \
> + kmsan_check_memory(src, sizeof(type)); \
> dst += sizeof(type); \
> src += sizeof(type); \
> len -= sizeof(type); \
> @@ -49,7 +54,8 @@ EXPORT_SYMBOL_GPL(copy_from_kernel_nofault);
>
> #define copy_to_kernel_nofault_loop(dst, src, len, type, err_label) \
> while (len >= sizeof(type)) { \
> - __put_kernel_nofault(dst, src, type, err_label); \
> + __put_kernel_nofault(dst, src, type, err_label); \
> + instrument_write(dst, sizeof(type)); \
> dst += sizeof(type); \
> src += sizeof(type); \
> len -= sizeof(type); \
> --
> 2.34.1
>
Reviewed-by: Andrey Konovalov <andreyknvl@xxxxxxxxx>
Tested-by: Andrey Konovalov <andreyknvl@xxxxxxxxx>
For KASAN parts.
Thank you!