Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp6078178rwb; Wed, 18 Jan 2023 00:26:31 -0800 (PST) X-Google-Smtp-Source: AMrXdXugjzXCCfQJizVBjC7TC4v0Zk+XJx4mBX3+OullqH3sJ+9T3uTABdXKDmjzV5VN6MDK0EvM X-Received: by 2002:aa7:c9ca:0:b0:49e:28c1:936c with SMTP id i10-20020aa7c9ca000000b0049e28c1936cmr5721230edt.26.1674030390965; Wed, 18 Jan 2023 00:26:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674030390; cv=none; d=google.com; s=arc-20160816; b=rw0p2Vddz6woa29LRil3vnFlKFV/qs6P14mWxb5MY0T50kYCDMmvPObP74BTycoP5r ntuwmrJQFrOvKDyhXOYEJKnYTU2+N0Sfxm8ZYlzv/GJj2pgxNEvQMMwlB/UY/Fx2OuSr Av0hDINRIzwiKPjykbWELQvN7rIVtv/5Xnk1+W8LURewLr5ZWM4E31hR28eBfHn7+DAF eVpRA8tZ8qCZnTZgfCSm5XTNpju5FeNieuIsLqH6Xrm4u0M9qJYn+IyvdeR8Qm2tgYvS uev+FghHmgsVFiIiWZWEWrRFF4ISb408yL8rcsvu1L4VULWcOoygWgnWmE+YLWkODtjA SS7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=tXJS6O96pqUrAn6JTjfwzdlxbTr5MxmXpgvppk1+ZUI=; b=PjhozWtVvzzLexCiRqBdmE6DlgL1hOiycRW+i7S1QXZZEaVTzpPluzVcMJvyt1y1m7 T7uM6rM1v34cA7Dqh41BTgu0odhn6TdUvadrJvzfUBhLPpYjBHsAozSrPJT1dWh5ZWHn ZwhTrxxmZoHGXuS/PkGIwyE/u6o3wJT72UEZdaidblzDn7bmU9dyjMAGBZVfEXI5wJPe +YX1Lq90i7me9+P6iPgrQA9p72PeihkxRqYoF5SJmGr4GPKrZabQW+lBnn8/jJHhLoqo ZC0Hw/1skZqNL05s+TWY092ws6sgG9UG2OssreRL/Li+qzTpWTzwkIzZ125XLrg824dH rqyA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=Y1PYitAE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u1-20020a50a401000000b0048ee37983a0si36229537edb.178.2023.01.18.00.26.19; Wed, 18 Jan 2023 00:26:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=Y1PYitAE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229930AbjARIDf (ORCPT + 46 others); Wed, 18 Jan 2023 03:03:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60574 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230193AbjARIBQ (ORCPT ); Wed, 18 Jan 2023 03:01:16 -0500 Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EBD5751C7E for ; Tue, 17 Jan 2023 23:36:23 -0800 (PST) Received: by mail-lf1-x12d.google.com with SMTP id d30so45592282lfv.8 for ; Tue, 17 Jan 2023 23:36:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tXJS6O96pqUrAn6JTjfwzdlxbTr5MxmXpgvppk1+ZUI=; b=Y1PYitAEZNLh0tMF269DyDhvK7SU90x/pZSKSUY1YcSH3Q6dxMtNI8y9Q6AN6MVyxY cn5Ye3GOhKXE+nTWj69viVf+zWfsKnvGe6xqqrgFpGLlGCyy8uyKFasmeGN8dSb1KTLJ uTn3z7L2Fi3f18OTfxJPfiPGQRrL04ekm6xNXWKL9NZsnsFrxC/Z1S5LqSI9bPH2p+W3 lmRkmrIyJwD9dBWQgUU1cqe+YQcXSdCW4QFho72DRZ2iucpHpsiXUmFmB+FKdnM/7bZM t9mm3hEVPaskSJ+LwS35XMx0JGimed0EqmiCjGOCFNq6fy6Ea1iT55TyTPNLYakuXk7B B/mg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tXJS6O96pqUrAn6JTjfwzdlxbTr5MxmXpgvppk1+ZUI=; b=GPqan7BAGejBCriQkuIfmhUaruc9wcqV5vmvssisQsXSX3xbGOo3tn0oKR1fEPnpGI B2ZezjW0o9uxsXHCJe1FvXxaRgRspn9C9/doTcKY83bZ4iQPxYgnP3WlqC/n9gXwxUrd IpXDiNFM7LlX6NgyhedBAIVYeu+UbG72Y/FpQ15bdZbMCj9kIQ0TBeTvwr/Qfb3BrNV1 V470kdqmofX56xFbu1LR+l/QPUFd2U0r3OlLATwDmqWEpTQ0JPZuJT/ltj7nMayr1j83 glZP3sBP9rUdk6OE8iqUAQi3IaNkwGOz3Q9eauWKFZIkc2lXq4pSuxxp80ExV4jUUbao PsHQ== X-Gm-Message-State: AFqh2kqpQc76yGBD1CVN4p0ATN9hV8VM5kqrY9OlkwTkiTiPE+CbHXMM 02YswbPWbP7zEBZmnWVU3FdxbNs10tTtGid/xV5zjA== X-Received: by 2002:ac2:4bd0:0:b0:4c5:32a4:6f88 with SMTP id o16-20020ac24bd0000000b004c532a46f88mr410419lfq.6.1674027381894; Tue, 17 Jan 2023 23:36:21 -0800 (PST) MIME-Version: 1.0 References: <20230117163543.1049025-1-jannh@google.com> In-Reply-To: <20230117163543.1049025-1-jannh@google.com> From: Dmitry Vyukov Date: Wed, 18 Jan 2023 08:36:09 +0100 Message-ID: Subject: Re: [PATCH] fork, vmalloc: KASAN-poison backing pages of vmapped stacks To: Jann Horn Cc: Andrew Morton , linux-mm@kvack.org, Uladzislau Rezki , Christoph Hellwig , Andy Lutomirski , linux-kernel@vger.kernel.org, Andrey Ryabinin , Alexander Potapenko , Andrey Konovalov , Vincenzo Frascino , kasan-dev@googlegroups.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 17 Jan 2023 at 17:35, Jann Horn wrote: > > KASAN (except in HW_TAGS mode) tracks memory state based on virtual > addresses. The mappings of kernel stack pages in the linear mapping are > currently marked as fully accessible. Hi Jann, To confirm my understanding, this is not just KASAN (except in HW_TAGS mode), but also CONFIG_VMAP_STACK is required, right? > Since stack corruption issues can cause some very gnarly errors, let's be > extra careful and tell KASAN to forbid accesses to stack memory through the > linear mapping. > > Signed-off-by: Jann Horn > --- > I wrote this after seeing > https://lore.kernel.org/all/Y8W5rjKdZ9erIF14@casper.infradead.org/ > and wondering about possible ways that this kind of stack corruption > could be sneaking past KASAN. > That's proooobably not the explanation, but still... I think catching any silent corruptions is still very useful. Besides confusing reports, sometimes they lead to an explosion of random reports all over the kernel. > include/linux/vmalloc.h | 6 ++++++ > kernel/fork.c | 10 ++++++++++ > mm/vmalloc.c | 24 ++++++++++++++++++++++++ > 3 files changed, 40 insertions(+) > > diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h > index 096d48aa3437..bfb50178e5e3 100644 > --- a/include/linux/vmalloc.h > +++ b/include/linux/vmalloc.h > @@ -297,4 +297,10 @@ bool vmalloc_dump_obj(void *object); > static inline bool vmalloc_dump_obj(void *object) { return false; } > #endif > > +#if defined(CONFIG_MMU) && (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) > +void vmalloc_poison_backing_pages(const void *addr); > +#else > +static inline void vmalloc_poison_backing_pages(const void *addr) {} > +#endif I think this should be in kasan headers and prefixed with kasan_. There are also kmsan/kcsan that may poison memory and hw poisoning (MADV_HWPOISON), so it's a somewhat overloaded term on its own. Can/should this be extended to all vmalloc-ed memory? Or some of it can be accessed via both addresses? Also, should we mprotect it instead while it's allocated as the stack? If it works, it looks like a reasonable improvement for CONFIG_VMAP_STACK in general. Would also catch non-instrumented accesses. > #endif /* _LINUX_VMALLOC_H */ > diff --git a/kernel/fork.c b/kernel/fork.c > index 9f7fe3541897..5c8c103a3597 100644 > --- a/kernel/fork.c > +++ b/kernel/fork.c > @@ -321,6 +321,16 @@ static int alloc_thread_stack_node(struct task_struct *tsk, int node) > vfree(stack); > return -ENOMEM; > } > + > + /* > + * A virtually-allocated stack's memory should only be accessed through > + * the vmalloc area, not through the linear mapping. > + * Inform KASAN that all accesses through the linear mapping should be > + * reported (instead of permitting all accesses through the linear > + * mapping). > + */ > + vmalloc_poison_backing_pages(stack); > + > /* > * We can't call find_vm_area() in interrupt context, and > * free_thread_stack() can be called in interrupt context, > diff --git a/mm/vmalloc.c b/mm/vmalloc.c > index ca71de7c9d77..10c79c53cf5c 100644 > --- a/mm/vmalloc.c > +++ b/mm/vmalloc.c > @@ -4042,6 +4042,30 @@ void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms) > } > #endif /* CONFIG_SMP */ > > +#if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) > +/* > + * Poison the KASAN shadow for the linear mapping of the pages used as stack > + * memory. > + * NOTE: This makes no sense in HW_TAGS mode because HW_TAGS marks physical > + * memory, not virtual memory. > + */ > +void vmalloc_poison_backing_pages(const void *addr) > +{ > + struct vm_struct *area; > + int i; > + > + if (WARN(!PAGE_ALIGNED(addr), "bad address (%p)\n", addr)) > + return; > + > + area = find_vm_area(addr); > + if (WARN(!area, "nonexistent vm area (%p)\n", addr)) > + return; > + > + for (i = 0; i < area->nr_pages; i++) > + kasan_poison_pages(area->pages[i], 0, false); > +} > +#endif > + > #ifdef CONFIG_PRINTK > bool vmalloc_dump_obj(void *object) > { > > base-commit: 5dc4c995db9eb45f6373a956eb1f69460e69e6d4 > -- > 2.39.0.314.g84b9a713c41-goog >