[PATCH v4 0/4] Rust KASAN Support

[PATCH v4 0/4] Rust KASAN Support

[Matthew Maurer]

Right now, if we turn on KASAN, Rust code will cause violations because
it's not enabled properly.

This series:
1. Adds flag probe macros for Rust - now that we're setting a minimum rustc
   version instead of an exact one, these could be useful in general. We need
   them in this patch because we don't set a restriction on which LLVM rustc
   is using, which is what KASAN actually cares about.
2. Makes `rustc` enable the relevant KASAN sanitizer flags when C does.
3. Adds a smoke test to the `kasan_test` KUnit suite to check basic
   integration.

This patch series requires the target.json array support patch [1] as
the x86_64 target.json file currently produced does not mark itself as KASAN
capable, and is rebased on top of the KASAN Makefile rewrite [2].

Differences from v3 [3]:
* Probing macro comments made more accurate
* Probing macros now set --out-dir to avoid potential read-only fs
  issues
* Reordered KHWASAN explicit disablement patch to come before KASAN
  enablement
* Comment/ordering cleanup in KASAN makefile
* Ensured KASAN tests work with and without CONFIG_RUST enabled

[1] https://lore.kernel.org/lkml/20240730-target-json-arrays-v1-1-2b376fd0ecf4@google.com/
[2] https://lore.kernel.org/all/20240813224027.84503-1-andrey.konovalov@linux.dev
[3] https://lore.kernel.org/all/20240819213534.4080408-1-mmaurer@google.com/

Matthew Maurer (4):
  kbuild: rust: Define probing macros for rustc
  rust: kasan: Rust does not support KHWASAN
  kbuild: rust: Enable KASAN support
  kasan: rust: Add KASAN smoke test via UAF

 init/Kconfig                              |  1 +
 mm/kasan/Makefile                         |  7 ++-
 mm/kasan/kasan.h                          |  6 +++
 mm/kasan/{kasan_test.c => kasan_test_c.c} | 12 +++++
 mm/kasan/kasan_test_rust.rs               | 19 ++++++++
 scripts/Kconfig.include                   |  8 ++++
 scripts/Makefile.compiler                 | 15 ++++++
 scripts/Makefile.kasan                    | 57 ++++++++++++++++-------
 scripts/Makefile.lib                      |  3 ++
 scripts/generate_rust_target.rs           |  1 +
 10 files changed, 112 insertions(+), 17 deletions(-)
 rename mm/kasan/{kasan_test.c => kasan_test_c.c} (99%)
 create mode 100644 mm/kasan/kasan_test_rust.rs

-- 
2.46.0.184.g6999bdac58-goog

[PATCH v4 1/4] kbuild: rust: Define probing macros for rustc

[Matthew Maurer]

Creates flag probe macro variants for `rustc`. These are helpful
because:

1. The kernel now supports a minimum `rustc` version rather than a
   single version.
2. `rustc` links against a range of LLVM revisions, occasionally even
   ones without an official release number. Since the availability of
   some Rust flags depends on which LLVM it has been linked against,
   probing is necessary.

Signed-off-by: Matthew Maurer <mmaurer@google.com>
---
 scripts/Kconfig.include   |  8 ++++++++
 scripts/Makefile.compiler | 15 +++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/scripts/Kconfig.include b/scripts/Kconfig.include
index 3ee8ecfb8c04..bdb187af45fd 100644
--- a/scripts/Kconfig.include
+++ b/scripts/Kconfig.include
@@ -63,3 +63,11 @@ ld-version := $(shell,set -- $(ld-info) && echo $2)
 cc-option-bit = $(if-success,$(CC) -Werror $(1) -E -x c /dev/null -o /dev/null,$(1))
 m32-flag := $(cc-option-bit,-m32)
 m64-flag := $(cc-option-bit,-m64)
+
+# $(rustc-option,<flag>)
+# Return y if the Rust compiler supports <flag>, n otherwise
+# Calls to this should be guarded so that they are not evaluated if
+# CONFIG_RUST_IS_AVAILABLE is not set.
+# If you are testing for unstable features, consider testing RUSTC_VERSION
+# instead, as features may have different completeness while available.
+rustc-option = $(success,trap "rm -rf .tmp_$$" EXIT; mkdir .tmp_$$; $(RUSTC) $(1) --crate-type=rlib /dev/null --out-dir=.tmp_$$ -o .tmp_$$/tmp.rlib)
diff --git a/scripts/Makefile.compiler b/scripts/Makefile.compiler
index 92be0c9a13ee..057305eae85c 100644
--- a/scripts/Makefile.compiler
+++ b/scripts/Makefile.compiler
@@ -72,3 +72,18 @@ clang-min-version = $(call test-ge, $(CONFIG_CLANG_VERSION), $1)
 # ld-option
 # Usage: KBUILD_LDFLAGS += $(call ld-option, -X, -Y)
 ld-option = $(call try-run, $(LD) $(KBUILD_LDFLAGS) $(1) -v,$(1),$(2),$(3))
+
+# __rustc-option
+# Usage: MY_RUSTFLAGS += $(call __rustc-option,$(RUSTC),$(MY_RUSTFLAGS),-Cinstrument-coverage,-Zinstrument-coverage)
+__rustc-option = $(call try-run,\
+	$(1) $(2) $(3) --crate-type=rlib /dev/null --out-dir=$$TMPOUT -o "$$TMP",$(3),$(4))
+
+# rustc-option
+# Usage: rustflags-y += $(call rustc-option,-Cinstrument-coverage,-Zinstrument-coverage)
+rustc-option = $(call __rustc-option, $(RUSTC),\
+	$(KBUILD_RUSTFLAGS),$(1),$(2))
+
+# rustc-option-yn
+# Usage: flag := $(call rustc-option-yn,-Cinstrument-coverage)
+rustc-option-yn = $(call try-run,\
+	$(RUSTC) $(KBUILD_RUSTFLAGS) $(1) --crate-type=rlib /dev/null --out-dir=$$TMPOUT -o "$$TMP",y,n)
-- 
2.46.0.184.g6999bdac58-goog

[PATCH v4 2/4] rust: kasan: Rust does not support KHWASAN

[Matthew Maurer]

Rust does not yet have support for software tags. Prevent RUST from
being selected if KASAN_SW_TAGS is enabled.

Signed-off-by: Matthew Maurer <mmaurer@google.com>
---
 init/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/init/Kconfig b/init/Kconfig
index 72404c1f2157..a8c3a289895e 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1907,6 +1907,7 @@ config RUST
 	depends on !GCC_PLUGINS
 	depends on !RANDSTRUCT
 	depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE
+	depends on !KASAN_SW_TAGS
 	help
 	  Enables Rust support in the kernel.
 
-- 
2.46.0.184.g6999bdac58-goog

[PATCH v4 3/4] kbuild: rust: Enable KASAN support

[Matthew Maurer]

Rust supports KASAN via LLVM, but prior to this patch, the flags aren't
set properly.

Suggested-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Matthew Maurer <mmaurer@google.com>
---
 scripts/Makefile.kasan          | 57 ++++++++++++++++++++++++---------
 scripts/Makefile.lib            |  3 ++
 scripts/generate_rust_target.rs |  1 +
 3 files changed, 45 insertions(+), 16 deletions(-)

diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
index aab4154af00a..97570df40a98 100644
--- a/scripts/Makefile.kasan
+++ b/scripts/Makefile.kasan
@@ -12,6 +12,11 @@ endif
 KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET)
 
 cc-param = $(call cc-option, -mllvm -$(1), $(call cc-option, --param $(1)))
+rustc-param = $(call rustc-option, -Cllvm-args=-$(1),)
+
+check-args = $(foreach arg,$(2),$(call $(1),$(arg)))
+
+kasan_params :=
 
 ifdef CONFIG_KASAN_STACK
 	stack_enable := 1
@@ -41,39 +46,59 @@ CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \
 		$(call cc-option, -fsanitize=kernel-address \
 		-mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET)))
 
-# Now, add other parameters enabled similarly in both GCC and Clang.
-# As some of them are not supported by older compilers, use cc-param.
-CFLAGS_KASAN += $(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \
-		$(call cc-param,asan-stack=$(stack_enable)) \
-		$(call cc-param,asan-instrument-allocas=1) \
-		$(call cc-param,asan-globals=1)
+# The minimum supported `rustc` version has a minimum supported LLVM
+# version late enough that we can assume support for -asan-mapping-offset.
+RUSTFLAGS_KASAN := -Zsanitizer=kernel-address \
+		   -Zsanitizer-recover=kernel-address \
+		   -Cllvm-args=-asan-mapping-offset=$(KASAN_SHADOW_OFFSET)
+
+# Now, add other parameters enabled similarly in GCC, Clang, and rustc.
+# As some of them are not supported by older compilers, these will be filtered
+# through `cc-param` or `rust-param` as applicable.
+kasan_params += asan-instrumentation-with-call-threshold=$(call_threshold) \
+		asan-stack=$(stack_enable) \
+		asan-instrument-allocas=1 \
+		asan-globals=1
 
 # Instrument memcpy/memset/memmove calls by using instrumented __asan_mem*()
 # instead. With compilers that don't support this option, compiler-inserted
 # memintrinsics won't be checked by KASAN on GENERIC_ENTRY architectures.
-CFLAGS_KASAN += $(call cc-param,asan-kernel-mem-intrinsic-prefix=1)
+kasan_params += asan-kernel-mem-intrinsic-prefix=1
 
 endif # CONFIG_KASAN_GENERIC
 
 ifdef CONFIG_KASAN_SW_TAGS
 
+CFLAGS_KASAN := -fsanitize=kernel-hwaddress
+
+# This sets flags that will enable KHWASAN once enabled in Rust. These will
+# not work today, and is guarded against in dependencies for CONFIG_RUST.
+RUSTFLAGS_KASAN := -Zsanitizer=kernel-hwaddress \
+		   -Zsanitizer-recover=kernel-hwaddress
+
 ifdef CONFIG_KASAN_INLINE
-	instrumentation_flags := $(call cc-param,hwasan-mapping-offset=$(KASAN_SHADOW_OFFSET))
+	kasan_params += hwasan-mapping-offset=$(KASAN_SHADOW_OFFSET)
 else
-	instrumentation_flags := $(call cc-param,hwasan-instrument-with-calls=1)
+	kasan_params += hwasan-instrument-with-calls=1
 endif
 
-CFLAGS_KASAN := -fsanitize=kernel-hwaddress \
-		$(call cc-param,hwasan-instrument-stack=$(stack_enable)) \
-		$(call cc-param,hwasan-use-short-granules=0) \
-		$(call cc-param,hwasan-inline-all-checks=0) \
-		$(instrumentation_flags)
+kasan_params += hwasan-instrument-stack=$(stack_enable) \
+		hwasan-use-short-granules=0 \
+		hwasan-inline-all-checks=0
 
 # Instrument memcpy/memset/memmove calls by using instrumented __hwasan_mem*().
 ifeq ($(call clang-min-version, 150000)$(call gcc-min-version, 130000),y)
-	CFLAGS_KASAN += $(call cc-param,hwasan-kernel-mem-intrinsic-prefix=1)
+	kasan_params += hwasan-kernel-mem-intrinsic-prefix=1
 endif
 
 endif # CONFIG_KASAN_SW_TAGS
 
-export CFLAGS_KASAN CFLAGS_KASAN_NOSANITIZE
+# Add all as-supported KASAN LLVM parameters requested by the configuration.
+CFLAGS_KASAN += $(call check-args, cc-param, $(kasan_params))
+
+ifdef CONFIG_RUST
+	# Avoid calling `rustc-param` unless Rust is enabled.
+	RUSTFLAGS_KASAN += $(call check-args, rustc-param, $(kasan_params))
+endif # CONFIG_RUST
+
+export CFLAGS_KASAN CFLAGS_KASAN_NOSANITIZE RUSTFLAGS_KASAN
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 9f06f6aaf7fc..4a58636705e0 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -167,6 +167,9 @@ ifneq ($(CONFIG_KASAN_HW_TAGS),y)
 _c_flags += $(if $(patsubst n%,, \
 		$(KASAN_SANITIZE_$(target-stem).o)$(KASAN_SANITIZE)$(is-kernel-object)), \
 		$(CFLAGS_KASAN), $(CFLAGS_KASAN_NOSANITIZE))
+_rust_flags += $(if $(patsubst n%,, \
+		$(KASAN_SANITIZE_$(target-stem).o)$(KASAN_SANITIZE)$(is-kernel-object)), \
+		$(RUSTFLAGS_KASAN))
 endif
 endif
 
diff --git a/scripts/generate_rust_target.rs b/scripts/generate_rust_target.rs
index ced405d35c5d..c24c2abd67db 100644
--- a/scripts/generate_rust_target.rs
+++ b/scripts/generate_rust_target.rs
@@ -192,6 +192,7 @@ fn main() {
         }
         ts.push("features", features);
         ts.push("llvm-target", "x86_64-linux-gnu");
+        ts.push("supported-sanitizers", ["kernel-address"]);
         ts.push("target-pointer-width", "64");
     } else if cfg.has("LOONGARCH") {
         panic!("loongarch uses the builtin rustc loongarch64-unknown-none-softfloat target");
-- 
2.46.0.184.g6999bdac58-goog

[PATCH v4 4/4] kasan: rust: Add KASAN smoke test via UAF

[Matthew Maurer]

Adds a smoke test to ensure that KASAN in Rust is actually detecting a
Rust-native UAF. There is significant room to expand this test suite,
but this will at least ensure that flags are having the intended effect.

The rename from kasan_test.c to kasan_test_c.c is in order to allow the
single kasan_test.ko test suite to contain both a .o file produced
by the C compiler and one produced by rustc.

Signed-off-by: Matthew Maurer <mmaurer@google.com>
---
 mm/kasan/Makefile                         |  7 ++++++-
 mm/kasan/kasan.h                          |  6 ++++++
 mm/kasan/{kasan_test.c => kasan_test_c.c} | 12 ++++++++++++
 mm/kasan/kasan_test_rust.rs               | 19 +++++++++++++++++++
 4 files changed, 43 insertions(+), 1 deletion(-)
 rename mm/kasan/{kasan_test.c => kasan_test_c.c} (99%)
 create mode 100644 mm/kasan/kasan_test_rust.rs

diff --git a/mm/kasan/Makefile b/mm/kasan/Makefile
index 7634dd2a6128..13059d9ee13c 100644
--- a/mm/kasan/Makefile
+++ b/mm/kasan/Makefile
@@ -44,13 +44,18 @@ ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX
 CFLAGS_KASAN_TEST += -fno-builtin
 endif
 
-CFLAGS_kasan_test.o := $(CFLAGS_KASAN_TEST)
+CFLAGS_kasan_test_c.o := $(CFLAGS_KASAN_TEST)
+RUSTFLAGS_kasan_test_rust.o := $(RUSTFLAGS_KASAN)
 CFLAGS_kasan_test_module.o := $(CFLAGS_KASAN_TEST)
 
 obj-y := common.o report.o
 obj-$(CONFIG_KASAN_GENERIC) += init.o generic.o report_generic.o shadow.o quarantine.o
 obj-$(CONFIG_KASAN_HW_TAGS) += hw_tags.o report_hw_tags.o tags.o report_tags.o
 obj-$(CONFIG_KASAN_SW_TAGS) += init.o report_sw_tags.o shadow.o sw_tags.o tags.o report_tags.o
+kasan_test-objs := kasan_test_c.o
+ifdef CONFIG_RUST
+	kasan_test-objs += kasan_test_rust.o
+endif
 
 obj-$(CONFIG_KASAN_KUNIT_TEST) += kasan_test.o
 obj-$(CONFIG_KASAN_MODULE_TEST) += kasan_test_module.o
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index fb2b9ac0659a..f438a6cdc964 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -555,6 +555,12 @@ static inline bool kasan_arch_is_ready(void)	{ return true; }
 void kasan_kunit_test_suite_start(void);
 void kasan_kunit_test_suite_end(void);
 
+#ifdef CONFIG_RUST
+char kasan_test_rust_uaf(void);
+#else
+static inline char kasan_test_rust_uaf(void) { return '\0'; }
+#endif
+
 #else /* CONFIG_KASAN_KUNIT_TEST */
 
 static inline void kasan_kunit_test_suite_start(void) { }
diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test_c.c
similarity index 99%
rename from mm/kasan/kasan_test.c
rename to mm/kasan/kasan_test_c.c
index 7b32be2a3cf0..dd3d2a1e3145 100644
--- a/mm/kasan/kasan_test.c
+++ b/mm/kasan/kasan_test_c.c
@@ -1899,6 +1899,17 @@ static void match_all_mem_tag(struct kunit *test)
 	kfree(ptr);
 }
 
+/*
+ * Check that Rust performing a use-after-free using `unsafe` is detected.
+ * This is a smoke test to make sure that Rust is being sanitized properly.
+ */
+static void rust_uaf(struct kunit *test)
+{
+	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_RUST);
+	KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
+}
+
+
 static struct kunit_case kasan_kunit_test_cases[] = {
 	KUNIT_CASE(kmalloc_oob_right),
 	KUNIT_CASE(kmalloc_oob_left),
@@ -1971,6 +1982,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
 	KUNIT_CASE(match_all_not_assigned),
 	KUNIT_CASE(match_all_ptr_tag),
 	KUNIT_CASE(match_all_mem_tag),
+	KUNIT_CASE(rust_uaf),
 	{}
 };
 
diff --git a/mm/kasan/kasan_test_rust.rs b/mm/kasan/kasan_test_rust.rs
new file mode 100644
index 000000000000..7239303b232c
--- /dev/null
+++ b/mm/kasan/kasan_test_rust.rs
@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: GPL-2.0
+
+//! Helper crate for KASAN testing
+//! Provides behavior to check the sanitization of Rust code.
+use kernel::prelude::*;
+use core::ptr::addr_of_mut;
+
+/// Trivial UAF - allocate a big vector, grab a pointer partway through,
+/// drop the vector, and touch it.
+#[no_mangle]
+pub extern "C" fn kasan_test_rust_uaf() -> u8 {
+    let mut v: Vec<u8> = Vec::new();
+    for _ in 0..4096 {
+        v.push(0x42, GFP_KERNEL).unwrap();
+    }
+    let ptr: *mut u8 = addr_of_mut!(v[2048]);
+    drop(v);
+    unsafe { *ptr }
+}
-- 
2.46.0.184.g6999bdac58-goog

Re: [PATCH v4 4/4] kasan: rust: Add KASAN smoke test via UAF

[Andrey Konovalov]

On Tue, Aug 20, 2024 at 9:49 PM Matthew Maurer <mmaurer@google.com> wrote:
>
> Adds a smoke test to ensure that KASAN in Rust is actually detecting a
> Rust-native UAF. There is significant room to expand this test suite,
> but this will at least ensure that flags are having the intended effect.
>
> The rename from kasan_test.c to kasan_test_c.c is in order to allow the
> single kasan_test.ko test suite to contain both a .o file produced
> by the C compiler and one produced by rustc.
>
> Signed-off-by: Matthew Maurer <mmaurer@google.com>
> ---
>  mm/kasan/Makefile                         |  7 ++++++-
>  mm/kasan/kasan.h                          |  6 ++++++
>  mm/kasan/{kasan_test.c => kasan_test_c.c} | 12 ++++++++++++
>  mm/kasan/kasan_test_rust.rs               | 19 +++++++++++++++++++
>  4 files changed, 43 insertions(+), 1 deletion(-)
>  rename mm/kasan/{kasan_test.c => kasan_test_c.c} (99%)
>  create mode 100644 mm/kasan/kasan_test_rust.rs
>
> diff --git a/mm/kasan/Makefile b/mm/kasan/Makefile
> index 7634dd2a6128..13059d9ee13c 100644
> --- a/mm/kasan/Makefile
> +++ b/mm/kasan/Makefile
> @@ -44,13 +44,18 @@ ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX
>  CFLAGS_KASAN_TEST += -fno-builtin
>  endif
>
> -CFLAGS_kasan_test.o := $(CFLAGS_KASAN_TEST)
> +CFLAGS_kasan_test_c.o := $(CFLAGS_KASAN_TEST)
> +RUSTFLAGS_kasan_test_rust.o := $(RUSTFLAGS_KASAN)
>  CFLAGS_kasan_test_module.o := $(CFLAGS_KASAN_TEST)
>
>  obj-y := common.o report.o
>  obj-$(CONFIG_KASAN_GENERIC) += init.o generic.o report_generic.o shadow.o quarantine.o
>  obj-$(CONFIG_KASAN_HW_TAGS) += hw_tags.o report_hw_tags.o tags.o report_tags.o
>  obj-$(CONFIG_KASAN_SW_TAGS) += init.o report_sw_tags.o shadow.o sw_tags.o tags.o report_tags.o

Nit: empty line here.

> +kasan_test-objs := kasan_test_c.o
> +ifdef CONFIG_RUST
> +       kasan_test-objs += kasan_test_rust.o
> +endif
>
>  obj-$(CONFIG_KASAN_KUNIT_TEST) += kasan_test.o
>  obj-$(CONFIG_KASAN_MODULE_TEST) += kasan_test_module.o
> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
> index fb2b9ac0659a..f438a6cdc964 100644
> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -555,6 +555,12 @@ static inline bool kasan_arch_is_ready(void)       { return true; }
>  void kasan_kunit_test_suite_start(void);
>  void kasan_kunit_test_suite_end(void);
>
> +#ifdef CONFIG_RUST
> +char kasan_test_rust_uaf(void);
> +#else
> +static inline char kasan_test_rust_uaf(void) { return '\0'; }
> +#endif
> +
>  #else /* CONFIG_KASAN_KUNIT_TEST */
>
>  static inline void kasan_kunit_test_suite_start(void) { }
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test_c.c
> similarity index 99%
> rename from mm/kasan/kasan_test.c
> rename to mm/kasan/kasan_test_c.c
> index 7b32be2a3cf0..dd3d2a1e3145 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test_c.c
> @@ -1899,6 +1899,17 @@ static void match_all_mem_tag(struct kunit *test)
>         kfree(ptr);
>  }
>
> +/*
> + * Check that Rust performing a use-after-free using `unsafe` is detected.
> + * This is a smoke test to make sure that Rust is being sanitized properly.
> + */
> +static void rust_uaf(struct kunit *test)
> +{
> +       KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_RUST);
> +       KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
> +}
> +
> +
>  static struct kunit_case kasan_kunit_test_cases[] = {
>         KUNIT_CASE(kmalloc_oob_right),
>         KUNIT_CASE(kmalloc_oob_left),
> @@ -1971,6 +1982,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
>         KUNIT_CASE(match_all_not_assigned),
>         KUNIT_CASE(match_all_ptr_tag),
>         KUNIT_CASE(match_all_mem_tag),
> +       KUNIT_CASE(rust_uaf),
>         {}
>  };
>
> diff --git a/mm/kasan/kasan_test_rust.rs b/mm/kasan/kasan_test_rust.rs
> new file mode 100644
> index 000000000000..7239303b232c
> --- /dev/null
> +++ b/mm/kasan/kasan_test_rust.rs
> @@ -0,0 +1,19 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +//! Helper crate for KASAN testing
> +//! Provides behavior to check the sanitization of Rust code.
> +use kernel::prelude::*;
> +use core::ptr::addr_of_mut;
> +
> +/// Trivial UAF - allocate a big vector, grab a pointer partway through,
> +/// drop the vector, and touch it.
> +#[no_mangle]
> +pub extern "C" fn kasan_test_rust_uaf() -> u8 {
> +    let mut v: Vec<u8> = Vec::new();
> +    for _ in 0..4096 {
> +        v.push(0x42, GFP_KERNEL).unwrap();
> +    }
> +    let ptr: *mut u8 = addr_of_mut!(v[2048]);
> +    drop(v);
> +    unsafe { *ptr }
> +}
> --
> 2.46.0.184.g6999bdac58-goog
>

Re: [PATCH v4 3/4] kbuild: rust: Enable KASAN support

[Andrey Konovalov]

On Tue, Aug 20, 2024 at 9:49 PM Matthew Maurer <mmaurer@google.com> wrote:
>
> Rust supports KASAN via LLVM, but prior to this patch, the flags aren't
> set properly.
>
> Suggested-by: Miguel Ojeda <ojeda@kernel.org>
> Signed-off-by: Matthew Maurer <mmaurer@google.com>
> ---
>  scripts/Makefile.kasan          | 57 ++++++++++++++++++++++++---------
>  scripts/Makefile.lib            |  3 ++
>  scripts/generate_rust_target.rs |  1 +
>  3 files changed, 45 insertions(+), 16 deletions(-)
>
> diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
> index aab4154af00a..97570df40a98 100644
> --- a/scripts/Makefile.kasan
> +++ b/scripts/Makefile.kasan
> @@ -12,6 +12,11 @@ endif
>  KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET)
>
>  cc-param = $(call cc-option, -mllvm -$(1), $(call cc-option, --param $(1)))
> +rustc-param = $(call rustc-option, -Cllvm-args=-$(1),)
> +
> +check-args = $(foreach arg,$(2),$(call $(1),$(arg)))
> +
> +kasan_params :=
>
>  ifdef CONFIG_KASAN_STACK
>         stack_enable := 1
> @@ -41,39 +46,59 @@ CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \
>                 $(call cc-option, -fsanitize=kernel-address \
>                 -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET)))
>
> -# Now, add other parameters enabled similarly in both GCC and Clang.
> -# As some of them are not supported by older compilers, use cc-param.
> -CFLAGS_KASAN += $(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \
> -               $(call cc-param,asan-stack=$(stack_enable)) \
> -               $(call cc-param,asan-instrument-allocas=1) \
> -               $(call cc-param,asan-globals=1)
> +# The minimum supported `rustc` version has a minimum supported LLVM
> +# version late enough that we can assume support for -asan-mapping-offset.
> +RUSTFLAGS_KASAN := -Zsanitizer=kernel-address \
> +                  -Zsanitizer-recover=kernel-address \
> +                  -Cllvm-args=-asan-mapping-offset=$(KASAN_SHADOW_OFFSET)
> +
> +# Now, add other parameters enabled similarly in GCC, Clang, and rustc.
> +# As some of them are not supported by older compilers, these will be filtered
> +# through `cc-param` or `rust-param` as applicable.
> +kasan_params += asan-instrumentation-with-call-threshold=$(call_threshold) \
> +               asan-stack=$(stack_enable) \
> +               asan-instrument-allocas=1 \
> +               asan-globals=1
>
>  # Instrument memcpy/memset/memmove calls by using instrumented __asan_mem*()
>  # instead. With compilers that don't support this option, compiler-inserted
>  # memintrinsics won't be checked by KASAN on GENERIC_ENTRY architectures.
> -CFLAGS_KASAN += $(call cc-param,asan-kernel-mem-intrinsic-prefix=1)
> +kasan_params += asan-kernel-mem-intrinsic-prefix=1
>
>  endif # CONFIG_KASAN_GENERIC
>
>  ifdef CONFIG_KASAN_SW_TAGS
>
> +CFLAGS_KASAN := -fsanitize=kernel-hwaddress
> +
> +# This sets flags that will enable KHWASAN once enabled in Rust. These will

Nit: the kernel doesn't use the term KHWASAN, it's SW_TAGS KASAN or
Software Tag-Based KASAN.


> +# not work today, and is guarded against in dependencies for CONFIG_RUST.
> +RUSTFLAGS_KASAN := -Zsanitizer=kernel-hwaddress \
> +                  -Zsanitizer-recover=kernel-hwaddress
> +
>  ifdef CONFIG_KASAN_INLINE
> -       instrumentation_flags := $(call cc-param,hwasan-mapping-offset=$(KASAN_SHADOW_OFFSET))
> +       kasan_params += hwasan-mapping-offset=$(KASAN_SHADOW_OFFSET)
>  else
> -       instrumentation_flags := $(call cc-param,hwasan-instrument-with-calls=1)
> +       kasan_params += hwasan-instrument-with-calls=1
>  endif
>
> -CFLAGS_KASAN := -fsanitize=kernel-hwaddress \
> -               $(call cc-param,hwasan-instrument-stack=$(stack_enable)) \
> -               $(call cc-param,hwasan-use-short-granules=0) \
> -               $(call cc-param,hwasan-inline-all-checks=0) \
> -               $(instrumentation_flags)
> +kasan_params += hwasan-instrument-stack=$(stack_enable) \
> +               hwasan-use-short-granules=0 \
> +               hwasan-inline-all-checks=0
>
>  # Instrument memcpy/memset/memmove calls by using instrumented __hwasan_mem*().
>  ifeq ($(call clang-min-version, 150000)$(call gcc-min-version, 130000),y)
> -       CFLAGS_KASAN += $(call cc-param,hwasan-kernel-mem-intrinsic-prefix=1)
> +       kasan_params += hwasan-kernel-mem-intrinsic-prefix=1
>  endif
>
>  endif # CONFIG_KASAN_SW_TAGS
>
> -export CFLAGS_KASAN CFLAGS_KASAN_NOSANITIZE
> +# Add all as-supported KASAN LLVM parameters requested by the configuration.
> +CFLAGS_KASAN += $(call check-args, cc-param, $(kasan_params))
> +
> +ifdef CONFIG_RUST
> +       # Avoid calling `rustc-param` unless Rust is enabled.
> +       RUSTFLAGS_KASAN += $(call check-args, rustc-param, $(kasan_params))
> +endif # CONFIG_RUST
> +
> +export CFLAGS_KASAN CFLAGS_KASAN_NOSANITIZE RUSTFLAGS_KASAN
> diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> index 9f06f6aaf7fc..4a58636705e0 100644
> --- a/scripts/Makefile.lib
> +++ b/scripts/Makefile.lib
> @@ -167,6 +167,9 @@ ifneq ($(CONFIG_KASAN_HW_TAGS),y)
>  _c_flags += $(if $(patsubst n%,, \
>                 $(KASAN_SANITIZE_$(target-stem).o)$(KASAN_SANITIZE)$(is-kernel-object)), \
>                 $(CFLAGS_KASAN), $(CFLAGS_KASAN_NOSANITIZE))
> +_rust_flags += $(if $(patsubst n%,, \
> +               $(KASAN_SANITIZE_$(target-stem).o)$(KASAN_SANITIZE)$(is-kernel-object)), \
> +               $(RUSTFLAGS_KASAN))
>  endif
>  endif
>
> diff --git a/scripts/generate_rust_target.rs b/scripts/generate_rust_target.rs
> index ced405d35c5d..c24c2abd67db 100644
> --- a/scripts/generate_rust_target.rs
> +++ b/scripts/generate_rust_target.rs
> @@ -192,6 +192,7 @@ fn main() {
>          }
>          ts.push("features", features);
>          ts.push("llvm-target", "x86_64-linux-gnu");
> +        ts.push("supported-sanitizers", ["kernel-address"]);
>          ts.push("target-pointer-width", "64");
>      } else if cfg.has("LOONGARCH") {
>          panic!("loongarch uses the builtin rustc loongarch64-unknown-none-softfloat target");
> --
> 2.46.0.184.g6999bdac58-goog
>

Re: [PATCH v4 0/4] Rust KASAN Support

[Andrey Konovalov]

On Tue, Aug 20, 2024 at 9:49 PM Matthew Maurer <mmaurer@google.com> wrote:
>
> Right now, if we turn on KASAN, Rust code will cause violations because
> it's not enabled properly.
>
> This series:
> 1. Adds flag probe macros for Rust - now that we're setting a minimum rustc
>    version instead of an exact one, these could be useful in general. We need
>    them in this patch because we don't set a restriction on which LLVM rustc
>    is using, which is what KASAN actually cares about.
> 2. Makes `rustc` enable the relevant KASAN sanitizer flags when C does.
> 3. Adds a smoke test to the `kasan_test` KUnit suite to check basic
>    integration.
>
> This patch series requires the target.json array support patch [1] as
> the x86_64 target.json file currently produced does not mark itself as KASAN
> capable, and is rebased on top of the KASAN Makefile rewrite [2].
>
> Differences from v3 [3]:
> * Probing macro comments made more accurate
> * Probing macros now set --out-dir to avoid potential read-only fs
>   issues
> * Reordered KHWASAN explicit disablement patch to come before KASAN
>   enablement
> * Comment/ordering cleanup in KASAN makefile
> * Ensured KASAN tests work with and without CONFIG_RUST enabled
>
> [1] https://lore.kernel.org/lkml/20240730-target-json-arrays-v1-1-2b376fd0ecf4@google.com/
> [2] https://lore.kernel.org/all/20240813224027.84503-1-andrey.konovalov@linux.dev
> [3] https://lore.kernel.org/all/20240819213534.4080408-1-mmaurer@google.com/
>
> Matthew Maurer (4):
>   kbuild: rust: Define probing macros for rustc
>   rust: kasan: Rust does not support KHWASAN
>   kbuild: rust: Enable KASAN support
>   kasan: rust: Add KASAN smoke test via UAF
>
>  init/Kconfig                              |  1 +
>  mm/kasan/Makefile                         |  7 ++-
>  mm/kasan/kasan.h                          |  6 +++
>  mm/kasan/{kasan_test.c => kasan_test_c.c} | 12 +++++
>  mm/kasan/kasan_test_rust.rs               | 19 ++++++++
>  scripts/Kconfig.include                   |  8 ++++
>  scripts/Makefile.compiler                 | 15 ++++++
>  scripts/Makefile.kasan                    | 57 ++++++++++++++++-------
>  scripts/Makefile.lib                      |  3 ++
>  scripts/generate_rust_target.rs           |  1 +
>  10 files changed, 112 insertions(+), 17 deletions(-)
>  rename mm/kasan/{kasan_test.c => kasan_test_c.c} (99%)
>  create mode 100644 mm/kasan/kasan_test_rust.rs
>
> --
> 2.46.0.184.g6999bdac58-goog
>

Left a couple of nit comments - feel free to ignore if you don't end
up sending v5.

Otherwise, for patches 2-4:

Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>

Re: [PATCH v4 0/4] Rust KASAN Support

[Miguel Ojeda]

On Tue, Aug 20, 2024 at 9:49 PM Matthew Maurer <mmaurer@google.com> wrote:
>
> Right now, if we turn on KASAN, Rust code will cause violations because
> it's not enabled properly.
>
> This series:
> 1. Adds flag probe macros for Rust - now that we're setting a minimum rustc
>    version instead of an exact one, these could be useful in general. We need
>    them in this patch because we don't set a restriction on which LLVM rustc
>    is using, which is what KASAN actually cares about.
> 2. Makes `rustc` enable the relevant KASAN sanitizer flags when C does.
> 3. Adds a smoke test to the `kasan_test` KUnit suite to check basic
>    integration.
>
> This patch series requires the target.json array support patch [1] as
> the x86_64 target.json file currently produced does not mark itself as KASAN
> capable, and is rebased on top of the KASAN Makefile rewrite [2].

Applied to `rust-next` -- thanks everyone!

    [ Applied empty line nit, removed double empty line,
      applied `rustfmt` and formatted crate comment. - Miguel ]

    [ Applied "SW_TAGS KASAN" nit. - Miguel ]

I think `TMPOUT` needs to be passed though, i.e. like I did in
https://github.com/Rust-for-Linux/linux/pull/1087#issuecomment-2218445303:

diff --git a/scripts/Makefile.compiler b/scripts/Makefile.compiler
index 057305eae85c..0ac8679095f4 100644
--- a/scripts/Makefile.compiler
+++ b/scripts/Makefile.compiler
@@ -20,6 +20,7 @@ TMPOUT = $(if $(KBUILD_EXTMOD),$(firstword
$(KBUILD_EXTMOD))/).tmp_$$$$
 # Exit code chooses option. "$$TMP" serves as a temporary file and is
 # automatically cleaned up.
 try-run = $(shell set -e;              \
+       TMPOUT=$(TMPOUT);               \
        TMP=$(TMPOUT)/tmp;              \
        trap "rm -rf $(TMPOUT)" EXIT;   \
        mkdir -p $(TMPOUT);             \

Or is there something I am missing?

Cheers,
Miguel

Re: [PATCH v4 0/4] Rust KASAN Support

[Miguel Ojeda]

On Mon, Sep 16, 2024 at 6:15 PM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> Applied to `rust-next` -- thanks everyone!

Also, for KASAN + RETHUNK builds, I noticed objtool detects this:

    samples/rust/rust_print.o: warning: objtool:
asan.module_ctor+0x17: 'naked' return found in MITIGATION_RETHUNK
build
    samples/rust/rust_print.o: warning: objtool:
asan.module_dtor+0x17: 'naked' return found in MITIGATION_RETHUNK
build

And indeed from a quick look the `ret` is there.

Since KASAN support is important, I decided to take it nevertheless,
but please let's make sure this is fixed during the cycle (or add a
"depends on").

Thanks!

Cheers,
Miguel

Re: [PATCH v4 0/4] Rust KASAN Support

[Alice Ryhl]

On Mon, Sep 16, 2024 at 6:47 PM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> On Mon, Sep 16, 2024 at 6:15 PM Miguel Ojeda
> <miguel.ojeda.sandonis@gmail.com> wrote:
> >
> > Applied to `rust-next` -- thanks everyone!
>
> Also, for KASAN + RETHUNK builds, I noticed objtool detects this:
>
>     samples/rust/rust_print.o: warning: objtool:
> asan.module_ctor+0x17: 'naked' return found in MITIGATION_RETHUNK
> build
>     samples/rust/rust_print.o: warning: objtool:
> asan.module_dtor+0x17: 'naked' return found in MITIGATION_RETHUNK
> build
>
> And indeed from a quick look the `ret` is there.
>
> Since KASAN support is important, I decided to take it nevertheless,
> but please let's make sure this is fixed during the cycle (or add a
> "depends on").

I figured out what the problem is. I will follow up with a fix soon.

Alice

Re: [PATCH v4 0/4] Rust KASAN Support

[Alice Ryhl]

On Wed, Sep 25, 2024 at 10:26 AM Alice Ryhl <aliceryhl@google.com> wrote:
>
> On Mon, Sep 16, 2024 at 6:47 PM Miguel Ojeda
> <miguel.ojeda.sandonis@gmail.com> wrote:
> >
> > On Mon, Sep 16, 2024 at 6:15 PM Miguel Ojeda
> > <miguel.ojeda.sandonis@gmail.com> wrote:
> > >
> > > Applied to `rust-next` -- thanks everyone!
> >
> > Also, for KASAN + RETHUNK builds, I noticed objtool detects this:
> >
> >     samples/rust/rust_print.o: warning: objtool:
> > asan.module_ctor+0x17: 'naked' return found in MITIGATION_RETHUNK
> > build
> >     samples/rust/rust_print.o: warning: objtool:
> > asan.module_dtor+0x17: 'naked' return found in MITIGATION_RETHUNK
> > build
> >
> > And indeed from a quick look the `ret` is there.
> >
> > Since KASAN support is important, I decided to take it nevertheless,
> > but please let's make sure this is fixed during the cycle (or add a
> > "depends on").
>
> I figured out what the problem is. I will follow up with a fix soon.

I posted a fix:
https://github.com/rust-lang/rust/pull/130824

We'll need a check on RUSTC_VERSION in Kconfig for this. If the PR
gets merged within the next 22 days, this will land in 1.83.0. Would
you like me to send a fix with that version number now or wait for it
to get merged before I send that fix?

Alice

Re: [PATCH v4 0/4] Rust KASAN Support

[Miguel Ojeda]

On Wed, Sep 25, 2024 at 12:00 PM Alice Ryhl <aliceryhl@google.com> wrote:
>
> I posted a fix:
> https://github.com/rust-lang/rust/pull/130824

Reviewed, tagged and added to the lists -- thanks!

> We'll need a check on RUSTC_VERSION in Kconfig for this. If the PR
> gets merged within the next 22 days, this will land in 1.83.0. Would
> you like me to send a fix with that version number now or wait for it
> to get merged before I send that fix?

Perhaps it could also go into 1.82.0 since it is a fix? (there are
still a couple weeks for that)

In any case, I think we can put 1.83 in the fix already and modify
later if needed. Even then, I am not sure if the requirement is a big
deal, i.e. I guess we could keep the warning and avoid adding the
restriction. But since this is for KASAN-enabled, I guess it is fine
adding the restriction and being safe & proper.

Cheers,
Miguel