Received: by 2002:ab2:620c:0:b0:1ef:ffd0:ce49 with SMTP id o12csp1465205lqt; Wed, 20 Mar 2024 05:07:25 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWxxffCiom3Gn+wevvoYc4hJjVjDRJLMjAcI1zlrtgG3Yp5vBj7dh4Zbh7WFo0Bo0ECai0E7MyRltcf4neX86Sr+LtK77MWxXBEh9CfeQ== X-Google-Smtp-Source: AGHT+IF/0v0KEey1YEYIHIStvetkSkBC/rNO+RE7SgdGPRfX6WJSKjLZJtuThJ1THXTxyArMNZsm X-Received: by 2002:ac8:5787:0:b0:431:bce:90a0 with SMTP id v7-20020ac85787000000b004310bce90a0mr1335009qta.14.1710936445019; Wed, 20 Mar 2024 05:07:25 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1710936445; cv=pass; d=google.com; s=arc-20160816; b=0Goog02Bsv2Kix+UNvu+oCbf9h2i1Hvfu+B/5qsT3n1DrXKLJPTy+/7lm2bKnFw+AD u1BtswV5epDa5RrhYoNAz0T20OHr94tKiSnLnbCyFtPQIjZyJn8gzsYizAwZpeMNo9Jk GA/nZJ6XnVymMUDWlrlltQq4Mz2nKHtr4vZuVhxUa3SRSTk9u/NWiwSPOoImMLHw2qGY wOkoMn2EsylxYE8kOh5J2uOKtlKgw0kmjQhWyMkjU4lRoEcQwByjn+Iny+B5mBkcl4wh xftSCIhYRZ4Ft7GogddwNRvKZKVcSVQG/kxVsX0HCRRBflLbD/byvF12uK6DXkdaB8x5 Of4g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=z7DDAmZLzRu6HgzyxGlka/nEAH/Bp9s7j8g062J1qR0=; fh=67Hl6yME7ievRdlWXVCH60ez2wP5kXyKckXFU7lVUzE=; b=1HD2nzAU2J/emZ4StgEOC2UPH03JypB5qVnUZW2A3eOaDxcIJmpkTRJl7M9vhXbIjj n2jjWT5AnU4mkQfXYR08tJ+OfT7143R0Iehm3LG8rB0XavUuENGnXX15BFl8zfVFszo/ G3q/hV8/Xkkz3n4zfoC0kJlijkPcw6g5lB74OWHC2U1aR9S9syq7l3qM3PErcQ0VN5Zb 0KX/grkoGrENSCjyMEIR1gePvuoBtUlgpu18MaFr6fzCN2Idv6e/c759LLi558wTBT9/ Q3a7btUKqiJ2n1bmHIgv5ManPpB1VaPK3fBrjU8gtoLANz1nAYruQ4/dTaEN4LcDIiZv CmmA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=e267a4zr; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-108893-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-108893-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id h8-20020ac85848000000b00430e8f4acc3si3279566qth.336.2024.03.20.05.07.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 05:07:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-108893-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=e267a4zr; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-108893-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-108893-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 9D8741C2205A for ; Wed, 20 Mar 2024 12:07:24 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id EC8763FB2A; Wed, 20 Mar 2024 12:07:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="e267a4zr" Received: from mail-qv1-f45.google.com (mail-qv1-f45.google.com [209.85.219.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 60FD12628D for ; Wed, 20 Mar 2024 12:07:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.45 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710936439; cv=none; b=D9d84JY6ZhUNOrxP1+y2HrRyZybW9E+X70bvWV2yZqMibTmE1nbfpnHH6yKDw2z1CrwRSrHnKdOjQas7Ykkvnm3r3qu3CHSisaz5E0g0Ai9HiepMjq+v72YGHyHcx1WlTChdK/T3+ojBSsjn+/XgQ4Z5jlNXtjzmpOE1PQNfIOI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710936439; c=relaxed/simple; bh=qQIyN94RcUxQGeM01O+NcNfg5sUN7Y8zbd8QRPJDgIM=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=u3eaZUP2TZFz525m6DejXzV/V/loz8e6IHnfwJ8bkMC3hFXdvqL1Tu1BlmbekkebdtaXmv6MA3hBXqHwtyxKVFQMmm93AnSPktZjPSoABJxWlteqattOlvorWKw1U/ENPttnmuCOgw3QSLiOP7+T992wItFUEuLarDzFXjx8CrY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=e267a4zr; arc=none smtp.client-ip=209.85.219.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Received: by mail-qv1-f45.google.com with SMTP id 6a1803df08f44-6963cf14771so10787206d6.3 for ; Wed, 20 Mar 2024 05:07:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1710936436; x=1711541236; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=z7DDAmZLzRu6HgzyxGlka/nEAH/Bp9s7j8g062J1qR0=; b=e267a4zrRwe7qaZX26PH25DXs81gD5QQAtAM80wvN7+JJpTQNnqT/WoD/qu/kC2Nzo bxilbraeIqkqzCVJBNcRGDO3k0eXFCv4PJpjTJkD5BXL7Qo9HgAJW5jdEAQfARYhJtpj eZwTpsIevDOzvELPqSD7aRIKnBePhw8J3NYaDvMK8XiQfbGBmFVjeb/3X0CcOHbcF8Z3 L1501U6s7y22nrNfpoSH0D8aTo8TwKuDYUlu1IDo8ToSg5sUj66AeTa0964d88VywWXC P+HyffjcY412mUwn5SoWxjtzUKlccEeoIr4+JV85fmYudJjjEKjcrmCLEcoaSoJqKnnO ExUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710936436; x=1711541236; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=z7DDAmZLzRu6HgzyxGlka/nEAH/Bp9s7j8g062J1qR0=; b=Cih94Sk+viZWqlNgs38yIEMftMz42RfiepV9SOwROLT59yEcccbFfuYGZsGCP9fUDr wPq4P083s6lAFpp541O+Usvuso1WiGE/A6/cvlTiJOl5YvGsnohUa/4uJuZoP/50XSZX Iv1wJW3IqStMb5306P/mVIKyEzTAy65LgKsO8Q5pRfQyFq6duQ6bf5AuAgUH9Fm5pO3U RcBaFlJ4480h8EVG8PPaegBKTe7dLELXvLg3rw4jKWvz+jm6w4gpsmtA1vE4/8aDs0C1 1OHh3Ov79c8PzS3jywMbNtFwV2pePtjx0LvuyHPpFU7yl0G1VnZMt9kNeEgYBITtsLZV R4tQ== X-Forwarded-Encrypted: i=1; AJvYcCV4KaEKnbsdWt2l4W0yNENO0vmz19g9EcwSvOIrdA1xL5e9rZ2o95L3wr8i6s7RkkD1Be5HAPYThSxqS2vtgG1uoVhfWHJfoMcEUhvS X-Gm-Message-State: AOJu0YwP2PlIh53RtgU+QFnNY2oQPUeaH9FNskvBGlDBg6pQJZ6m4eDc 84bXdk8ltpbQ8rA4IWauAGzMJL3VbBViFjkWLxZpmvQD5AMGFE917d9A5Qq9xzyvbXoREeqdY2V BTSLhPElyL5Ag5DOGjYkZoHWeAxSt0USqm5PZ X-Received: by 2002:a05:6214:2b97:b0:691:64e9:9a4a with SMTP id kr23-20020a0562142b9700b0069164e99a4amr25165795qvb.53.1710936436027; Wed, 20 Mar 2024 05:07:16 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240319163656.2100766-1-glider@google.com> <20240319163656.2100766-3-glider@google.com> In-Reply-To: From: Alexander Potapenko Date: Wed, 20 Mar 2024 13:06:33 +0100 Message-ID: Subject: Re: [PATCH v1 3/3] x86: call instrumentation hooks from copy_mc.c To: Tetsuo Handa Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, kasan-dev@googlegroups.com, tglx@linutronix.de, x86@kernel.org, Linus Torvalds , Dmitry Vyukov , Marco Elver Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Mar 20, 2024 at 11:40=E2=80=AFAM Tetsuo Handa wrote: > > On 2024/03/20 18:29, Alexander Potapenko wrote: > > But for KASAN/KCSAN we can afford more aggressive checks. > > First, if we postpone them after the actual memory accesses happen, > > the kernel may panic on the invalid access without a decent error > > report. > > Second, even if in a particular case only `len-ret` bytes were copied, > > the caller probably expected both `src` and `dst` to have `len` > > addressable bytes. > > Checking for the whole length in this case is more likely to detect a > > real error than produce a false positive. > > KASAN/KCSAN care about whether the requested address range is accessible = but > do not care about whether the requested address range was actually access= ed? I am not exactly sure under which circumstances a copy_mc may fail, but let's consider how copy_to_user() is handled. In instrument_copy_to_user() (https://elixir.bootlin.com/linux/latest/source/include/linux/instrumented.= h#L110) we check the whole ranges before the copy is performed. Assume there is buggy code in the kernel that allocates N bytes for some buffer and then copies N+1 bytes from that buffer to the userspace. If we are (un)lucky enough, the userspace code may be always allocating the destination buffer in a way that prevents copy_to_user() from copying more than N bytes. Yet it is possible to provide a userspace buffer that is big enough to trigger an OOB read in the kernel, and reporting this issue is usually the right thing to do, even if it does not occur during testing. Moreover, if dst can receive N+1 bytes, but the OOB read happens to crash the kernel, we'll get a simple panic report instead of a KASAN report, if we decide to perform the check after copying the data. > > By the way, we have the same problem for copy_page() and I was thinking a= bout > https://lkml.kernel.org/r/1a817eb5-7cd8-44d6-b409-b3bc3f377cb9@I-love.SAK= URA.ne.jp . > But given that instrument_memcpy_{before,after} are added, > how do we want to use instrument_memcpy_{before,after} for copy_page() ? > Should we rename assembly version of copy_page() so that we don't need to= use > tricky wrapping like below? I think renaming the assembly version and providing a `static inline void copy_page()` in arch/x86/include/asm/page_64.h should be cleaner, but it is up to x86 people to decide. The patch below seems to work: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.= h index cc6b8e087192e..70ee3da32397e 100644 --- a/arch/x86/include/asm/page_64.h +++ b/arch/x86/include/asm/page_64.h @@ -8,6 +8,7 @@ #include #include +#include #include /* duplicated to the one in bootmem.h */ @@ -58,7 +59,14 @@ static inline void clear_page(void *page) : "cc", "memory", "rax", "rcx"); } -void copy_page(void *to, void *from); +void copy_page_asm(void *to, void *from); + +static inline void copy_page(void *to, void *from) +{ + instrument_memcpy_before(to, from, PAGE_SIZE); + copy_page_asm(to, from); + instrument_memcpy_after(to, from, PAGE_SIZE, 0); +} #ifdef CONFIG_X86_5LEVEL /* diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S index d6ae793d08faf..e65b70406d48a 100644 --- a/arch/x86/lib/copy_page_64.S +++ b/arch/x86/lib/copy_page_64.S @@ -13,13 +13,13 @@ * prefetch distance based on SMP/UP. */ ALIGN -SYM_FUNC_START(copy_page) +SYM_FUNC_START(copy_page_asm) ALTERNATIVE "jmp copy_page_regs", "", X86_FEATURE_REP_GOOD movl $4096/8, %ecx rep movsq RET -SYM_FUNC_END(copy_page) -EXPORT_SYMBOL(copy_page) +SYM_FUNC_END(copy_page_asm) +EXPORT_SYMBOL(copy_page_asm) SYM_FUNC_START_LOCAL(copy_page_regs) subq $2*8, %rsp =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D