From: Andrey Konovalov
Date: Fri, 15 Sep 2023 03:51:37 +0200
Subject: Re: [PATCH] kasan:fix access invalid shadow address when input is illegal
To: Jann Horn, Haibo Li
Cc: Andrew Morton, linux-kernel@vger.kernel.org, xiaoming.yu@mediatek.com, Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Vincenzo Frascino, Matthias Brugger, AngeloGioacchino Del Regno, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org,
References: <20230914080833.50026-1-haibo.li@mediatek.com> <20230914112915.81f55863c0450195b4ed604a@linux-foundation.org>
linux-mediatek@lists.infradead.org, Mark Rutland

On Thu, Sep 14, 2023 at 10:41 PM Jann Horn wrote:
>
> > Accessing unmapped memory with KASAN always led to a crash when
> > checking shadow memory. This was reported/discussed before. To improve
> > crash reporting for this case, Jann added kasan_non_canonical_hook and
> > Mark integrated it into arm64. But AFAIU, for some reason, it stopped
> > working.
> >
> > Instead of this patch, we need to figure out why
> > kasan_non_canonical_hook stopped working and fix it.
> >
> > This approach taken by this patch won't work for shadow checks added
> > by compiler instrumentation. It only covers explicitly checked
> > accesses, such as via memcpy, etc.
>
> FWIW, AFAICS kasan_non_canonical_hook() currently only does anything
> under CONFIG_KASAN_INLINE;

Ah, right. I was thinking about the inline mode, but the patch refers to
the issue with the outline mode.

However, I just checked kasan_non_canonical_hook for SW_TAGS with the
inline mode: it does not work when accessing 0x42ffffb80aaaaaaa, the
addr < KASAN_SHADOW_OFFSET check fails. It appears there's something
unusual about how instrumentation calculates the shadow address. I
didn't investigate further yet.

> I think the idea when I added that was that
> it assumes that when KASAN checks an access in out-of-line
> instrumentation or a slowpath, it will do the required checks to avoid
> this kind of fault?

Ah, no, KASAN doesn't do it.

However, I suppose we could add what the original patch proposes for
the outline mode. For the inline mode, it seems to be pointless, as most
access checks happen through the compiler-inserted code anyway.
I also wonder how much slowdown this patch will introduce. Haibo, could you check how much slower the kernel becomes with your patch? If possible, with all GENERIC/SW_TAGS and INLINE/OUTLINE combinations. If the slowdown is large, we can just make kasan_non_canonical_hook work for both modes (and fix it for SW_TAGS).