Date: Thu, 15 Sep 2022 17:04:04 +0200
In-Reply-To: <20220915150417.722975-1-glider@google.com>
References: <20220915150417.722975-1-glider@google.com>
Message-ID: <20220915150417.722975-31-glider@google.com>
Subject: [PATCH v7 30/43] security: kmsan: fix interoperability with auto-initialization
From: Alexander Potapenko
To: glider@google.com
Cc: Alexander Viro, Alexei Starovoitov, Andrew Morton, Andrey Konovalov, Andy Lutomirski, Arnd Bergmann, Borislav Petkov, Christoph Hellwig, Christoph Lameter, David Rientjes, Dmitry Vyukov, Eric Biggers, Eric Dumazet, Greg Kroah-Hartman, Herbert Xu, Ilya Leoshkevich, Ingo Molnar, Jens Axboe, Joonsoo Kim, Kees Cook, Marco Elver, Mark Rutland, Matthew Wilcox, "Michael S. Tsirkin", Pekka Enberg, Peter Zijlstra, Petr Mladek, Stephen Rothwell, Steven Rostedt, Thomas Gleixner, Vasily Gorbik, Vegard Nossum, Vlastimil Babka, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org

Heap and stack initialization is great, but not when we are trying uses of
uninitialized memory. When the kernel is built with KMSAN, having kernel
memory initialization enabled may introduce false negatives.

We disable CONFIG_INIT_STACK_ALL_PATTERN and CONFIG_INIT_STACK_ALL_ZERO
under CONFIG_KMSAN, making it impossible to auto-initialize stack
variables in KMSAN builds. We also disable CONFIG_INIT_ON_ALLOC_DEFAULT_ON
and CONFIG_INIT_ON_FREE_DEFAULT_ON to prevent accidental use of heap
auto-initialization.

We however still let the users enable heap auto-initialization at
boot-time (by setting init_on_alloc=1 or init_on_free=1), in which case
a warning is printed.

Signed-off-by: Alexander Potapenko --- Link: https://linux-review.googlesource.com/id/I86608dd867018683a14ae1870f1928ad925f42e9 --- mm/page_alloc.c | 4 ++++ security/Kconfig.hardening | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index b28093e3bb42a..e5eed276ee41d 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -936,6 +936,10 @@ void init_mem_debugging_and_hardening(void) else static_branch_disable(&init_on_free); + if (IS_ENABLED(CONFIG_KMSAN) && + (_init_on_alloc_enabled_early || _init_on_free_enabled_early)) + pr_info("mem auto-init: please make sure init_on_alloc and init_on_free are disabled when running KMSAN\n"); + #ifdef CONFIG_DEBUG_PAGEALLOC if (!debug_pagealloc_enabled()) return; diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index bd2aabb2c60f9..2739a6776454e 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -106,6 +106,7 @@ choice config INIT_STACK_ALL_PATTERN bool "pattern-init everything (strongest)" depends on CC_HAS_AUTO_VAR_INIT_PATTERN + depends on !KMSAN help Initializes everything on the stack (including padding) with a specific debug value. This is intended to eliminate @@ -124,6 +125,7 @@ choice config INIT_STACK_ALL_ZERO bool "zero-init everything (strongest and safest)" depends on CC_HAS_AUTO_VAR_INIT_ZERO + depends on !KMSAN help Initializes everything on the stack (including padding) with a zero value. This is intended to eliminate all @@ -218,6 +220,7 @@ config STACKLEAK_RUNTIME_DISABLE config INIT_ON_ALLOC_DEFAULT_ON bool "Enable heap memory zeroing on allocation by default" + depends on !KMSAN help This has the effect of setting "init_on_alloc=1" on the kernel command line. This can be disabled with "init_on_alloc=0". 
@@ -230,6 +233,7 @@ config INIT_ON_ALLOC_DEFAULT_ON config INIT_ON_FREE_DEFAULT_ON bool "Enable heap memory zeroing on free by default" + depends on !KMSAN help This has the effect of setting "init_on_free=1" on the kernel command line. This can be disabled with "init_on_free=0". -- 2.37.2.789.g6183377224-goog
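Review bot: In the mm/page_alloc.c hunk, inside init_mem_debugging_and_hardening(), the notice is emitted with pr_info() although the commit message describes it as a warning, so anything that filters the kernel log at warning level and above will not surface it and a KMSAN run booted with init_on_alloc=1 or init_on_free=1 proceeds with reduced coverage unnoticed. Consider pr_warn() here, and have the text state the consequence (KMSAN may miss uses of uninitialized memory) and not only the request to disable the options.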
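Review bot: The "depends on !KMSAN" lines added to INIT_STACK_ALL_PATTERN and INIT_STACK_ALL_ZERO in security/Kconfig.hardening carry no explanation, so a reader of the Kconfig file has to find this commit to learn why both options disappear in KMSAN builds. A short Kconfig comment next to each dependency, or a sentence in the help text saying that auto-initialization hides the uninitialized uses KMSAN is meant to report, would document it in place. Since the commit message says stack auto-initialization becomes impossible under KMSAN, it is also worth confirming that no other entry of this choice, outside the lines shown, still initializes stack variables.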
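Review bot: For INIT_ON_ALLOC_DEFAULT_ON and INIT_ON_FREE_DEFAULT_ON, the added "depends on !KMSAN" only removes the build-time default, while the help text in the context lines still describes the setting only as something that can be disabled with "init_on_alloc=0" or "init_on_free=0". Nothing in either entry tells a KMSAN user that init_on_alloc=1 or init_on_free=1 on the command line is still honoured, as the commit message states. Suggest adding a sentence to both help texts, or to the KMSAN documentation, that these boot parameters must stay off under KMSAN, so that the runtime log line is not the only notice.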