From: Daniel Axtens <dja@axtens.net>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: kasan-dev <kasan-dev@googlegroups.com>,
Linux-MM <linux-mm@kvack.org>,
the arch/x86 maintainers <x86@kernel.org>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Andy Lutomirski <luto@kernel.org>
Subject: Re: [PATCH 1/3] kasan: support backing vmalloc space with real shadow memory
Date: Mon, 29 Jul 2019 20:15:19 +1000 [thread overview]
Message-ID: <87blxdgn9k.fsf@dja-thinkpad.axtens.net> (raw)
In-Reply-To: <CACT4Y+Yw74otyk9gASfUyAW_bbOr8H5Cjk__F7iptrxRWmS9=A@mail.gmail.com>
Hi Dmitry,
Thanks for the feedback!
>> + addr = shadow_alloc_start;
>> + do {
>> + pgdp = pgd_offset_k(addr);
>> + p4dp = p4d_alloc(&init_mm, pgdp, addr);
>
> Page table allocations will be protected by mm->page_table_lock, right?
Yes, each of those alloc functions take the lock if they end up in the
slow-path that does the actual allocation (e.g. __p4d_alloc()).
>> + pudp = pud_alloc(&init_mm, p4dp, addr);
>> + pmdp = pmd_alloc(&init_mm, pudp, addr);
>> + ptep = pte_alloc_kernel(pmdp, addr);
>> +
>> + /*
>> + * we can validly get here if pte is not none: it means we
>> + * allocated this page earlier to use part of it for another
>> + * allocation
>> + */
>> + if (pte_none(*ptep)) {
>> + backing = __get_free_page(GFP_KERNEL);
>> + backing_pte = pfn_pte(PFN_DOWN(__pa(backing)),
>> + PAGE_KERNEL);
>> + set_pte_at(&init_mm, addr, ptep, backing_pte);
>> + }
>> + } while (addr += PAGE_SIZE, addr != shadow_alloc_end);
>> +
>> + requested_size = round_up(requested_size, KASAN_SHADOW_SCALE_SIZE);
>> + kasan_unpoison_shadow(area->addr, requested_size);
>> + kasan_poison_shadow(area->addr + requested_size,
>> + area->size - requested_size,
>> + KASAN_VMALLOC_INVALID);
>
>
> Do I read this correctly that if kernel code does vmalloc(64), they
> will have exactly 64 bytes available rather than full page? To make
> sure: vmalloc does not guarantee that the available size is rounded up
> to page size? I suspect we will see a throw out of new bugs related to
> OOBs on vmalloc memory. So I want to make sure that these will be
> indeed bugs that we agree need to be fixed.
> I am sure there will be bugs where the size is controlled by
> user-space, so these are bad bugs under any circumstances. But there
> will also probably be OOBs, where people will try to "prove" that
> that's fine and will work (just based on our previous experiences :)).
So the implementation of vmalloc will always round it up. The
description of the function reads, in part:
* Allocate enough pages to cover @size from the page level
* allocator and map them into contiguous kernel virtual space.
So in short it's not quite clear - you could argue that you have a
guarantee that you get full pages, but you could also argue that you've
specifically asked for @size bytes and @size bytes only.
So far it seems that users are well behaved in terms of using the amount
of memory they ask for, but you'll get a better idea than me very
quickly as I only tested with trinity. :)
I also handle vmap - for vmap there's no way to specify sub-page
allocations so you get as many pages as you ask for.
> On impl side: kasan_unpoison_shadow seems to be capable of handling
> non-KASAN_SHADOW_SCALE_SIZE-aligned sizes exactly in the way we want.
> So I think it's better to do:
>
> kasan_unpoison_shadow(area->addr, requested_size);
> requested_size = round_up(requested_size, KASAN_SHADOW_SCALE_SIZE);
> kasan_poison_shadow(area->addr + requested_size,
> area->size - requested_size,
> KASAN_VMALLOC_INVALID);
Will do for v2.
Regards,
Daniel
next prev parent reply other threads:[~2019-07-29 10:15 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-25 5:55 [PATCH 0/3] " Daniel Axtens
2019-07-25 5:55 ` [PATCH 1/3] " Daniel Axtens
2019-07-25 7:35 ` Dmitry Vyukov
2019-07-25 7:51 ` Dmitry Vyukov
2019-07-25 10:06 ` Marco Elver
2019-07-25 10:11 ` Mark Rutland
2019-07-25 11:38 ` Marco Elver
2019-07-25 15:25 ` Daniel Axtens
2019-07-26 5:11 ` Daniel Axtens
2019-07-26 9:55 ` Marco Elver
2019-07-26 10:32 ` Marco Elver
2019-07-29 10:15 ` Daniel Axtens [this message]
2019-07-29 10:28 ` Dmitry Vyukov
2019-07-25 5:55 ` [PATCH 2/3] fork: support VMAP_STACK with KASAN_VMALLOC Daniel Axtens
2019-07-25 7:37 ` Dmitry Vyukov
2019-07-25 5:55 ` [PATCH 3/3] x86/kasan: support KASAN_VMALLOC Daniel Axtens
2019-07-25 7:49 ` Dmitry Vyukov
2019-07-25 15:08 ` Andy Lutomirski
2019-07-25 15:39 ` Daniel Axtens
2019-07-25 16:32 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87blxdgn9k.fsf@dja-thinkpad.axtens.net \
--to=dja@axtens.net \
--cc=aryabinin@virtuozzo.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox