* [PATCH master 1/2] tlsf: hardening: unpoison trailing padding before zeroing it
@ 2025-04-22 5:37 Ahmad Fatoum
2025-04-22 5:37 ` [PATCH master 2/2] tlsf: hardening: skip KASAN checks when zeroing memory Ahmad Fatoum
2025-04-22 7:47 ` [PATCH master 1/2] tlsf: hardening: unpoison trailing padding before zeroing it Sascha Hauer
0 siblings, 2 replies; 3+ messages in thread
From: Ahmad Fatoum @ 2025-04-22 5:37 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum
The actual allocated buffer size can be bigger than what was requested
due to alignment.

When KASAN is enabled, only the requested size is unpoisoned.
This currently leads to problems, because with
CONFIG_INIT_ON_ALLOC_DEFAULT_ON enabled, the whole allocated
buffer will be zeroed.

If we fix that, we will instead run into a problem when freeing the
buffer while CONFIG_INIT_ON_ALLOC_DEFAULT_ON is enabled:
We don't record the actual size for later use and thus trying to zero
all of the buffer will again trip over the poisoned padding at the end.

Fix this by first unpoisoning the whole buffer, zeroing it and then
restoring poisoning of off-limits memory.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
common/tlsf.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/common/tlsf.c b/common/tlsf.c
index 5504453a9453..01293630dd7c 100644
--- a/common/tlsf.c
+++ b/common/tlsf.c
@@ -607,10 +607,19 @@ static void* block_prepare_used(control_t* control, block_header_t* block,
kasan_poison_shadow(&block->size, size + 2 * sizeof(size_t),
KASAN_KMALLOC_REDZONE);
- kasan_unpoison_shadow(p, used);
- if (want_init_on_alloc())
+ if (want_init_on_alloc()) {
+ kasan_unpoison_shadow(p, size);
memzero_explicit(p, size);
+ /*
+ * KASAN doesn't play nicely with poisoning addresses
+ * that are not granule-aligned, which is why we poison
+ * the full size and then unpoison the rest.
+ */
+ kasan_poison_shadow(p, size, 0xff);
+ }
+
+ kasan_unpoison_shadow(p, used);
}
return p;
}
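Review bot: the last clause of the new comment, "then unpoison the rest", does not match the code below it, which unpoisons only the requested part with `kasan_unpoison_shadow(p, used);` and deliberately leaves the trailing padding poisoned; suggest "poison the full size and then unpoison only the requested part" so a reader does not take "the rest" to mean the padding. The ordering itself (unpoison `size`, zero, re-poison `size` with 0xff, unpoison `used`) is sound, and moving the final `kasan_unpoison_shadow(p, used)` out of the `if` keeps the non-init-on-alloc path behaving as before.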
@@ -1017,8 +1026,10 @@ void tlsf_free(tlsf_t tlsf, void* ptr)
control_t* control = tlsf_cast(control_t*, tlsf);
block_header_t* block = block_from_ptr(ptr);
tlsf_assert(!block_is_free(block) && "block already marked as free");
- if (want_init_on_free())
+ if (want_init_on_free()) {
+ kasan_unpoison_shadow(ptr, block_size(block));
memzero_explicit(ptr, block_size(block));
+ }
kasan_poison_shadow(ptr, block_size(block), 0xff);
block_mark_as_free(block);
block = block_merge_prev(control, block);
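Review bot: the unpoison-then-zero pair added here duplicates the sequence in block_prepare_used, and both sites follow it with a `kasan_poison_shadow(..., 0xff)` over the same range; a small static helper that unpoisons, zeroes and re-poisons a (ptr, size) pair would keep the two call sites from drifting apart, which matters since the follow-up patch already has to edit both. As written the change is correct: `block_size(block)` covers the full block including the alignment padding, which is exactly the range the old code tripped over.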
--
2.39.5
* [PATCH master 2/2] tlsf: hardening: skip KASAN checks when zeroing memory
@ 2025-04-22 5:37 ` Ahmad Fatoum
From: Ahmad Fatoum @ 2025-04-22 5:37 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum
We are already unpoisoning the memory before allocation, so we know for
certain that memset will not trip over anything. Switch over to using
__memset in that case to reduce performance impact.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
arch/arm/include/asm/string.h | 8 ++++++++
common/tlsf.c | 8 ++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/arch/arm/include/asm/string.h b/arch/arm/include/asm/string.h
index f79392e53d01..4b77914865e7 100644
--- a/arch/arm/include/asm/string.h
+++ b/arch/arm/include/asm/string.h
@@ -3,6 +3,8 @@
#ifndef __ASM_ARM_STRING_H
#define __ASM_ARM_STRING_H
+#include <linux/compiler.h>
+
#ifdef CONFIG_ARM_OPTIMZED_STRING_FUNCTIONS
#define __HAVE_ARCH_MEMCPY
@@ -17,4 +19,10 @@ extern void *__memcpy(void *, const void *, __kernel_size_t);
extern void *__memset(void *, int, __kernel_size_t);
extern void *__memmove(void *, const void *, __kernel_size_t);
+static inline void __memzero_explicit(void *s, __kernel_size_t count)
+{
+ __memset(s, 0, count);
+ barrier_data(s);
+}
+
#endif
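Review bot: `__memzero_explicit` lands inside the `#ifdef CONFIG_ARM_OPTIMZED_STRING_FUNCTIONS` block that this `#endif` closes, because it needs the `__memset` declared there; an ARM build with CONFIG_KASAN but without the optimized string functions would then get neither this definition nor the `#ifndef CONFIG_KASAN` fallback in common/tlsf.c and fail to compile. Either confirm in the commit message that Kconfig ties CONFIG_KASAN on ARM to the optimized string functions, or add an `#else` branch with `#define __memzero_explicit memzero_explicit` so the header is self-sufficient.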
diff --git a/common/tlsf.c b/common/tlsf.c
index 01293630dd7c..8666b94ea387 100644
--- a/common/tlsf.c
+++ b/common/tlsf.c
@@ -12,6 +12,10 @@
#ifndef CONFIG_KASAN
#define __memcpy memcpy
+/* This is only an optimization: On sandbox, with ASan, we don't have
+ * an asan-less memset implementation, so we must unpoison memory anyhow.
+ */
+#define __memzero_explicit memzero_explicit
#endif
/*
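Review bot: the fallback `#define __memzero_explicit memzero_explicit` is guarded only by `#ifndef CONFIG_KASAN`, so every architecture that can enable CONFIG_KASAN now has to provide `__memzero_explicit` in its asm/string.h or tlsf.c stops building; the commit message should say so and name which architectures were checked, since only ARM is touched here. Minor style: the new comment starts its text on the `/*` line, whereas the rest of this file (see the comment added in the previous patch and the `/*` just below) puts `/*` on its own line followed by ` * ` lines.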
@@ -610,7 +614,7 @@ static void* block_prepare_used(control_t* control, block_header_t* block,
if (want_init_on_alloc()) {
kasan_unpoison_shadow(p, size);
- memzero_explicit(p, size);
+ __memzero_explicit(p, size);
/*
* KASAN doesn't play nicely with poisoning addresses
* that are not granule-aligned, which is why we poison
@@ -1028,7 +1032,7 @@ void tlsf_free(tlsf_t tlsf, void* ptr)
tlsf_assert(!block_is_free(block) && "block already marked as free");
if (want_init_on_free()) {
kasan_unpoison_shadow(ptr, block_size(block));
- memzero_explicit(ptr, block_size(block));
+ __memzero_explicit(ptr, block_size(block));
}
kasan_poison_shadow(ptr, block_size(block), 0xff);
block_mark_as_free(block);
--
2.39.5
* Re: [PATCH master 1/2] tlsf: hardening: unpoison trailing padding before zeroing it
@ 2025-04-22 7:47 ` Sascha Hauer
From: Sascha Hauer @ 2025-04-22 7:47 UTC (permalink / raw)
To: barebox, Ahmad Fatoum
On Tue, 22 Apr 2025 07:37:39 +0200, Ahmad Fatoum wrote:
> The actual allocated buffer size can be bigger than what was requested
> due to alignment.
>
> When KASAN is enabled, only the requested size is unpoisoned.
> This currently leads to problems, because with
> CONFIG_INIT_ON_ALLOC_DEFAULT_ON enabled, the whole allocated
> buffer will be zeroed.
>
> [...]
Applied, thanks!
[1/2] tlsf: hardening: unpoison trailing padding before zeroing it
https://git.pengutronix.de/cgit/barebox/commit/?id=bad633c5392d (link may not be stable)
[2/2] tlsf: hardening: skip KASAN checks when zeroing memory
https://git.pengutronix.de/cgit/barebox/commit/?id=d5c5e18f0dfe (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>