From: Dmitry Vyukov
Date: Thu, 28 Feb 2019 11:05:10 +0100
Subject: Re: [PATCH 5/6] objtool: Add UACCESS validation
To: Peter Zijlstra
Cc: Andrey Ryabinin, Linus Torvalds, Thomas Gleixner, "H. Peter Anvin", Julien Thierry, Will Deacon, Andy Lutomirski, Ingo Molnar, Catalin Marinas, James Morse, valentin.schneider@arm.com, Brian Gerst, Josh Poimboeuf, Andy Lutomirski, Borislav Petkov, Denys Vlasenko, LKML, Alexander Potapenko
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 28, 2019 at 10:59 AM Dmitry Vyukov wrote:
>
> On Thu, Feb 28, 2019 at 10:40 AM Peter Zijlstra wrote:
> >
> > On Wed, Feb 27, 2019 at 06:28:16PM +0100, Peter Zijlstra wrote:
> > > On Wed, Feb 27, 2019 at 04:40:28PM +0100, Dmitry Vyukov wrote:
> > > > On Wed, Feb 27, 2019 at 3:33 PM Peter Zijlstra wrote:
> > >
> > > > > Urgh, kasan_report() is definitely unsafe. Now, admittedly we should
> > > > > 'never' hit that, but it does leave us up a creek without a paddle.
> > >
> > > > If SMAP detects additional bugs, then it would be a pity to disable it
> > > > with KASAN (detect bugs in production but not during testing).
> > > >
> > > > You mentioned that exception save/restore the UACCESS state. Is it
> > > > possible to do the same in kasan_report? At the very least we need to
> > > > survive report printing, what happens after that does not matter much
> > > > (we've corrupted memory by now anyway).
> > >
> > > Ideally we'll put all of kasan_report() in an exception, much like we do
> > > for WARN. But there's a distinct lack of arch hooks there to play with.
> > > I suppose I can try and create some.
> > >
> > > On top of that we'll have to mark these __asan functions with notrace.
> > >
> > > Maybe a little something horrible like so... completely untested.
> >
> > OK, I got that to compile; the next problem is:
> >
> > ../include/linux/kasan.h:90:1: error: built-in function ‘__asan_loadN_noabort’ must be directly called
> >  UACCESS_SAFE(__asan_loadN_noabort);
> >
> > Which doesn't make any sense; since we actually generated that symbol,
> > it clearly is not built-in. What gives?
>
> I guess this warning originated for user-space where the programmer does
> not define them and does not generally know about them and the signature
> is not a public contract for the user. And then for the kernel it just stayed
> the same because not doing this warning would require somebody to
> proactively think about this potential difference and add
> additional code to skip this check and even then it wasn't obvious why
> one will want to do this with these functions. So that's where we are
> now.

Maybe an asm directive will help to trick the compiler?