From: Andrey Konovalov
Date: Fri, 29 Jun 2018 15:18:31 +0200
Subject: Re: [PATCH v4 00/17] khwasan: kernel hardware assisted address sanitizer
To: Luc Van Oostenryck
Cc: Dave Martin, Mark Rutland, Kate Stewart, linux-doc@vger.kernel.org, Catalin Marinas, Will Deacon, Paul Lawrence, Linux Memory Management List, Alexander Potapenko, Chintan Pandya, Christoph Lameter, Ingo Molnar, Jacob Bramley, Jann Horn, Mark Brand, kasan-dev, linux-sparse@vger.kernel.org, Geert Uytterhoeven, Linux ARM, Andrey Ryabinin, Evgeniy Stepanov, Arnd Bergmann, Linux Kbuild mailing list, Marc Zyngier, Ramana Radhakrishnan, Ruben Ayrapetyan, Mike Rapoport, Dmitry Vyukov, Kostya Serebryany, Ard Biesheuvel, Greg Kroah-Hartman, Nick Desaulniers, LKML, Eric W. Biederman, Lee Smith, Andrew Morton, Kirill A. Shutemov, smatch@vger.kernel.org, Dan Carpenter
In-Reply-To: <20180629112613.7i4xesjyxolc63gu@ltop.local>
References: <20180628105057.GA26019@e103592.cambridge.arm.com> <20180629110419.GC26019@e103592.cambridge.arm.com> <20180629112613.7i4xesjyxolc63gu@ltop.local>
List-ID: linux-kernel@vger.kernel.org

On Fri, Jun 29, 2018 at 1:26 PM, Luc Van Oostenryck wrote:
> On Fri, Jun 29, 2018 at 12:04:22PM +0100, Dave Martin wrote:
>>
>> Can sparse be hacked to identify pointer subtractions where the pointers
>> cannot be statically proved to point into the same allocation?

Re all the comments about finding all the places where we do pointer
subtraction/comparison: I might be wrong, but I doubt you can easily do that
with static analysis.

What we could do is to try to detect all such subtractions/comparisons
dynamically. The idea is to instrument all pointer/ulong subtraction/comparison
instructions and try to detect tag mismatches. And then run some workload
(e.g. syzkaller) to trigger more kernel code. The question is how many false
positives we would get, since I imagine there would be a number of cases where
we compare some random ulongs.
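As an added illustration (not code from the khwasan series and not from the mail above), here is a user-space C model of the dynamic check Andrey sketches: a hook that stands in for instrumentation emitted before every pointer/ulong subtraction or comparison and reports when the two operands carry different tags. The tag layout (an 8-bit tag in bits 63:56, which the arm64 CPU ignores on access because of top-byte-ignore) follows how KHWASAN tags pointers; the hook and helper names, the addresses, and the three scenarios are assumptions made for the example. The third scenario shows the false-positive class the mail worries about: two arbitrary unsigned longs that were never pointers still trip the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Added example, not code from the khwasan patch set. Models the proposed
 * runtime check: report pointer/ulong subtractions or comparisons whose
 * operands carry different KHWASAN tags. Tag layout matches arm64
 * top-byte-ignore (tag in bits 63:56); everything else is assumed. */

#define TAG_SHIFT 56
#define TAG_MASK  0xffULL

static inline uint8_t ptr_tag(uintptr_t p)
{
	return (uint8_t)((p >> TAG_SHIFT) & TAG_MASK);
}

static inline uintptr_t ptr_untag(uintptr_t p)
{
	return p & ~(TAG_MASK << TAG_SHIFT);
}

static inline uintptr_t ptr_set_tag(uintptr_t p, uint8_t tag)
{
	return ptr_untag(p) | ((uintptr_t)tag << TAG_SHIFT);
}

/* Number of mismatches reported so far (what a real instrumentation
 * callback would log or panic on). */
static unsigned long tag_mismatch_reports;

/* Hypothetical instrumentation hook: returns true and records a report when
 * the two operands carry different tags. */
static bool check_tag_match(uintptr_t a, uintptr_t b, const char *what)
{
	if (ptr_tag(a) == ptr_tag(b))
		return false;
	tag_mismatch_reports++;
	fprintf(stderr, "tag mismatch in %s: 0x%02x vs 0x%02x\n",
		what, ptr_tag(a), ptr_tag(b));
	return true;
}

/* Uninstrumented subtraction, as compiled today: the tag bytes take part in
 * the arithmetic, so mismatched tags corrupt the result by
 * (tag_a - tag_b) << 56. */
static intptr_t raw_ptr_sub(uintptr_t a, uintptr_t b)
{
	return (intptr_t)(a - b);
}

/* Instrumented subtraction: report a mismatch, then compute the distance on
 * the untagged addresses. */
static intptr_t instrumented_ptr_sub(uintptr_t a, uintptr_t b)
{
	check_tag_match(a, b, "pointer subtraction");
	return (intptr_t)(ptr_untag(a) - ptr_untag(b));
}

/* Walk three constructed cases and return the number of reports:
 * 1. two pointers into one allocation (same tag): no report, distance 0x40;
 * 2. pointers into different allocations (tags 0x7f vs 0x2a): one report,
 *    and the raw subtraction carries 0x55 in its top byte;
 * 3. two arbitrary ulongs that were never pointers: the hook fires again,
 *    which is the false-positive class the mail worries about.
 * Nothing here is dereferenced; the addresses are made up. */
static unsigned long run_demo(void)
{
	tag_mismatch_reports = 0;

	uintptr_t obj_a = ptr_set_tag(0x1000, 0x2a);
	uintptr_t obj_b = ptr_set_tag(0x2000, 0x7f);

	intptr_t d1 = instrumented_ptr_sub(obj_a + 0x40, obj_a); /* 0x40 */
	intptr_t raw = raw_ptr_sub(obj_b, obj_a);               /* 0x5500000000001000 */
	intptr_t d2 = instrumented_ptr_sub(obj_b, obj_a);       /* 0x1000, one report */

	uintptr_t hash = 0x9e3779b97f4a7c15ULL; /* a hash value, not a pointer */
	uintptr_t cnt = 42;                     /* a counter, not a pointer */
	check_tag_match(hash, cnt, "ulong comparison"); /* fires: 0x9e vs 0x00 */

	printf("d1=%#lx raw=%#lx d2=%#lx reports=%lu\n",
	       (unsigned long)d1, (unsigned long)raw, (unsigned long)d2,
	       tag_mismatch_reports);
	return tag_mismatch_reports;
}

int main(void)
{
	return run_demo() == 2 ? 0 : 1;
}
```

Case 2 is the thing the instrumentation is meant to find: without the hook, the subtraction silently yields a value with a non-zero top byte. Case 3 is why a naive hook is noisy: any unsigned long whose top byte happens to differ looks like a tagged pointer, so a real implementation would need to know which operands are pointers, or would have to tolerate a good deal of triage when driven by a fuzzer such as syzkaller.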