From: Andrey Ryabinin <aryabinin@virtuozzo.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Walter Wu <walter-zh.wu@mediatek.com>,
Alexander Potapenko <glider@google.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
kasan-dev <kasan-dev@googlegroups.com>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
wsd_upstream <wsd_upstream@mediatek.com>,
linux-mediatek@lists.infradead.org
Subject: Re: [PATCH v4 1/2] kasan: detect negative size in memory operation function
Date: Fri, 22 Nov 2019 01:18:38 +0300 [thread overview]
Message-ID: <ad1aa63b-38d7-4c8d-00c0-bd215cf9b66e@virtuozzo.com> (raw)
In-Reply-To: <CACT4Y+botuVF6KanfRrudDguw7HGkJ1mrwvxYZQQF0eWoo-Lxw@mail.gmail.com>
On 11/21/19 10:58 PM, Dmitry Vyukov wrote:
> On Thu, Nov 21, 2019 at 1:27 PM Andrey Ryabinin <aryabinin@virtuozzo.com> wrote:
>>> diff --git a/mm/kasan/common.c b/mm/kasan/common.c
>>> index 6814d6d6a023..4bfce0af881f 100644
>>> --- a/mm/kasan/common.c
>>> +++ b/mm/kasan/common.c
>>> @@ -102,7 +102,8 @@ EXPORT_SYMBOL(__kasan_check_write);
>>> #undef memset
>>> void *memset(void *addr, int c, size_t len)
>>> {
>>> - check_memory_region((unsigned long)addr, len, true, _RET_IP_);
>>> + if (!check_memory_region((unsigned long)addr, len, true, _RET_IP_))
>>> + return NULL;
>>>
>>> return __memset(addr, c, len);
>>> }
>>> @@ -110,8 +111,9 @@ void *memset(void *addr, int c, size_t len)
>>> #undef memmove
>>> void *memmove(void *dest, const void *src, size_t len)
>>> {
>>> - check_memory_region((unsigned long)src, len, false, _RET_IP_);
>>> - check_memory_region((unsigned long)dest, len, true, _RET_IP_);
>>> + if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
>>> + !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
>>> + return NULL;
>>>
>>> return __memmove(dest, src, len);
>>> }
>>> @@ -119,8 +121,9 @@ void *memmove(void *dest, const void *src, size_t len)
>>> #undef memcpy
>>> void *memcpy(void *dest, const void *src, size_t len)
>>> {
>>> - check_memory_region((unsigned long)src, len, false, _RET_IP_);
>>> - check_memory_region((unsigned long)dest, len, true, _RET_IP_);
>>> + if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
>>> + !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
>>> + return NULL;
>>>
>>
>> I realized that we are going a wrong direction here. Entirely skipping mem*() operation on any
>> poisoned shadow value might only make things worse. Some bugs just don't have any serious consequences,
>> but skipping the mem*() ops entirely might introduce such consequences, which wouldn't happen otherwise.
>>
>> So let's keep this code as this, no need to check the result of check_memory_region().
>
> I suggested it.
>
> For our production runs it won't matter, we always panic on first report.
> If one does not panic, there is no right answer. You say: _some_ bugs
> don't have any serious consequences, but skipping the mem*() ops
> entirely might introduce such consequences. The opposite is true as
> well, right? :) And it's not hard to come up with a scenario where
> overwriting memory after free or out of bounds badly corrupts memory.
> I don't think we can somehow magically avoid bad consequences in all
> cases.
>
Absolutely right. My point was that if it's bad consequences either way,
than there is no point in complicating this code, it doesn't buy us anything.
> What I was thinking about is tests. We need tests for this. And we
> tried to construct tests specifically so that they don't badly corrupt
> memory (e.g. OOB/UAF reads, or writes to unused redzones, etc), so
> that it's possible to run all of them to completion reliably. Skipping
> the actual memory options allows to write such tests for all possible
> scenarios. That's was my motivation.
But I see you point now. No objections to the patch in that case.
next prev parent reply other threads:[~2019-11-21 22:20 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-12 6:53 [PATCH v4 1/2] kasan: detect negative size in memory operation function Walter Wu
2019-11-20 8:34 ` Walter Wu
2019-11-21 12:26 ` Andrey Ryabinin
2019-11-21 13:02 ` Walter Wu
2019-11-21 13:03 ` Andrey Ryabinin
2019-11-21 13:09 ` Walter Wu
2019-11-21 19:58 ` Dmitry Vyukov
2019-11-21 22:18 ` Andrey Ryabinin [this message]
2019-11-21 22:20 ` Andrey Ryabinin
2019-11-22 7:18 ` Walter Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ad1aa63b-38d7-4c8d-00c0-bd215cf9b66e@virtuozzo.com \
--to=aryabinin@virtuozzo.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=matthias.bgg@gmail.com \
--cc=walter-zh.wu@mediatek.com \
--cc=wsd_upstream@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).