Commit 38931d89 authored by Kees Cook's avatar Kees Cook

mm: Make ksize() a reporting-only function

With all "silently resizing" callers of ksize() refactored, remove the
logic in ksize() that would allow it to be used to effectively change
the size of an allocation (bypassing __alloc_size hints, etc). Users
wanting this feature need to either use kmalloc_size_roundup() before an
allocation, or use krealloc() directly.

For kfree_sensitive(), move the unpoisoning logic inline. Replace the
some of the partially open-coded ksize() in __do_krealloc with ksize()
now that it doesn't perform unpoisoning.

Adjust the KUnit tests to match the new ksize() behavior. Execution
tested with:

$ ./tools/testing/kunit/kunit.py run \
	--kconfig_add CONFIG_KASAN=y \
	--kconfig_add CONFIG_KASAN_GENERIC=y \
	--arch x86_64 kasan

Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: linux-mm@kvack.org
Cc: kasan-dev@googlegroups.com
Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
Acked-by: default avatarDavid Rientjes <rientjes@google.com>
Enhanced-by: default avatarAndrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 9124a264
...@@ -783,23 +783,30 @@ static void kasan_global_oob_left(struct kunit *test) ...@@ -783,23 +783,30 @@ static void kasan_global_oob_left(struct kunit *test)
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
} }
/* Check that ksize() makes the whole object accessible. */ /* Check that ksize() does NOT unpoison whole object. */
static void ksize_unpoisons_memory(struct kunit *test) static void ksize_unpoisons_memory(struct kunit *test)
{ {
char *ptr; char *ptr;
size_t size = 123, real_size; size_t size = 128 - KASAN_GRANULE_SIZE - 5;
size_t real_size;
ptr = kmalloc(size, GFP_KERNEL); ptr = kmalloc(size, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
real_size = ksize(ptr); real_size = ksize(ptr);
KUNIT_EXPECT_GT(test, real_size, size);
OPTIMIZER_HIDE_VAR(ptr); OPTIMIZER_HIDE_VAR(ptr);
/* This access shouldn't trigger a KASAN report. */ /* These accesses shouldn't trigger a KASAN report. */
ptr[size] = 'x'; ptr[0] = 'x';
ptr[size - 1] = 'x';
/* This one must. */ /* These must trigger a KASAN report. */
KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size]); if (IS_ENABLED(CONFIG_KASAN_GENERIC))
KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]);
KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size + 5]);
KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size - 1]);
kfree(ptr); kfree(ptr);
} }
......
...@@ -1333,11 +1333,11 @@ __do_krealloc(const void *p, size_t new_size, gfp_t flags) ...@@ -1333,11 +1333,11 @@ __do_krealloc(const void *p, size_t new_size, gfp_t flags)
void *ret; void *ret;
size_t ks; size_t ks;
/* Don't use instrumented ksize to allow precise KASAN poisoning. */ /* Check for double-free before calling ksize. */
if (likely(!ZERO_OR_NULL_PTR(p))) { if (likely(!ZERO_OR_NULL_PTR(p))) {
if (!kasan_check_byte(p)) if (!kasan_check_byte(p))
return NULL; return NULL;
ks = kfence_ksize(p) ?: __ksize(p); ks = ksize(p);
} else } else
ks = 0; ks = 0;
...@@ -1405,8 +1405,10 @@ void kfree_sensitive(const void *p) ...@@ -1405,8 +1405,10 @@ void kfree_sensitive(const void *p)
void *mem = (void *)p; void *mem = (void *)p;
ks = ksize(mem); ks = ksize(mem);
if (ks) if (ks) {
kasan_unpoison_range(mem, ks);
memzero_explicit(mem, ks); memzero_explicit(mem, ks);
}
kfree(mem); kfree(mem);
} }
EXPORT_SYMBOL(kfree_sensitive); EXPORT_SYMBOL(kfree_sensitive);
...@@ -1427,13 +1429,11 @@ EXPORT_SYMBOL(kfree_sensitive); ...@@ -1427,13 +1429,11 @@ EXPORT_SYMBOL(kfree_sensitive);
*/ */
size_t ksize(const void *objp) size_t ksize(const void *objp)
{ {
size_t size;
/* /*
* We need to first check that the pointer to the object is valid, and * We need to first check that the pointer to the object is valid.
* only then unpoison the memory. The report printed from ksize() is * The KASAN report printed from ksize() is more useful, then when
* more useful, then when it's printed later when the behaviour could * it's printed later when the behaviour could be undefined due to
* be undefined due to a potential use-after-free or double-free. * a potential use-after-free or double-free.
* *
* We use kasan_check_byte(), which is supported for the hardware * We use kasan_check_byte(), which is supported for the hardware
* tag-based KASAN mode, unlike kasan_check_read/write(). * tag-based KASAN mode, unlike kasan_check_read/write().
...@@ -1447,13 +1447,7 @@ size_t ksize(const void *objp) ...@@ -1447,13 +1447,7 @@ size_t ksize(const void *objp)
if (unlikely(ZERO_OR_NULL_PTR(objp)) || !kasan_check_byte(objp)) if (unlikely(ZERO_OR_NULL_PTR(objp)) || !kasan_check_byte(objp))
return 0; return 0;
size = kfence_ksize(objp) ?: __ksize(objp); return kfence_ksize(objp) ?: __ksize(objp);
/*
* We assume that ksize callers could use whole allocated area,
* so we need to unpoison this area.
*/
kasan_unpoison_range(objp, size);
return size;
} }
EXPORT_SYMBOL(ksize); EXPORT_SYMBOL(ksize);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment