* Re: [PATCH 7/7] Enable KASan for arm
@ 2018-03-24 13:55 Liuwenliang (Abbott Liu)
0 siblings, 0 replies; 3+ messages in thread
From: Liuwenliang (Abbott Liu) @ 2018-03-24 13:55 UTC (permalink / raw)
To: kbuild test robot
Cc: kbuild-all, linux, aryabinin, marc.zyngier, kstewart, gregkh,
f.fainelli, akpm, afzal.mohd.ma, alexander.levin, glider,
dvyukov, christoffer.dall, linux, mawilcox, pombredanne,
ard.biesheuvel, vladimir.murzin, nicolas.pitre, tglx, thgarnie,
dhowells, keescook, arnd, geert, tixy, mark.rutland, james.morse,
zhichao.huang, jinb.park7, labbott, philip, grygorii.strashko,
catalin.marinas, opendmb, kirill.shutemov, linux-arm-kernel,
linux-kernel, kasan-dev, kvmarm, linux-mm
On 03/20/2018 2:30 AM, kbuild test robot wrote:
>All errors (new ones prefixed by >>):
>
> arch/arm/kernel/entry-common.S: Assembler messages:
>>> arch/arm/kernel/entry-common.S:85: Error: invalid constant (ffffffffb6e00000) after fixup
I'm sorry!
We need to add the following code to solve the above error:
> git diff
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index b7d0c6c..9b728c5 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -82,7 +82,8 @@ ret_fast_syscall:
str r0, [sp, #S_R0 + S_OFF]! @ save returned r0
disable_irq_notrace @ disable interrupts
ldr r2, [tsk, #TI_ADDR_LIMIT]
- cmp r2, #TASK_SIZE
+ ldr r1, =TASK_SIZE
+ cmp r2, r1
blne addr_limit_check_failed
ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing
tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
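Review bot: the added `ldr r1, =TASK_SIZE` overwrites r1 with no comment saying that is safe at this point. It is safe here, because r1 is reloaded by `ldr r1, [tsk, #TI_FLAGS]` right after the `blne`, but a short `@` comment on the new line would keep a later reordering from breaking it. The load is also unconditional and comes from the literal pool, so builds without KASan now pay an extra memory access on this syscall return path where `cmp r2, #TASK_SIZE` used to assemble; consider keeping the immediate form when CONFIG_KASAN is off. Finally, this should go into the series as a proper patch with a changelog and Signed-off-by, ordered before the Kconfig enable, rather than as a bare `git diff` in a reply.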
* [PATCH v2 0/7] KASan for arm
@ 2018-03-18 12:53 Abbott Liu
2018-03-18 12:53 ` [PATCH 7/7] Enable " Abbott Liu
0 siblings, 1 reply; 3+ messages in thread
From: Abbott Liu @ 2018-03-18 12:53 UTC (permalink / raw)
To: linux, aryabinin, marc.zyngier, kstewart, gregkh, f.fainelli,
liuwenliang, akpm, afzal.mohd.ma, alexander.levin
Cc: glider, dvyukov, christoffer.dall, linux, mawilcox, pombredanne,
ard.biesheuvel, vladimir.murzin, nicolas.pitre, tglx, thgarnie,
dhowells, keescook, arnd, geert, tixy, mark.rutland, james.morse,
zhichao.huang, jinb.park7, labbott, philip, grygorii.strashko,
catalin.marinas, opendmb, kirill.shutemov, linux-arm-kernel,
linux-kernel, kasan-dev, kvmarm, linux-mm
Changelog:
v2 - v1
- Fixed some compiling errors which happen on changing kernel compression
  mode to lzma/xz/lzo/lz4.
  ---Reported by: Florian Fainelli <f.fainelli@gmail.com>,
     Russell King - ARM Linux <linux@armlinux.org.uk>
- Fixed a compiling error caused by some older arm instruction sets (armv4t)
  that don't support movw/movt, which was reported by kbuild.
- Changed the pte flag from _L_PTE_DEFAULT | L_PTE_DIRTY | L_PTE_XN to
  pgprot_val(PAGE_KERNEL).
  ---Reported by: Russell King - ARM Linux <linux@armlinux.org.uk>
- Moved the Enable KASan patch to be the last one.
  ---Reported by: Florian Fainelli <f.fainelli@gmail.com>,
     Russell King - ARM Linux <linux@armlinux.org.uk>
- Moved the definitions of cp15 registers from
  arch/arm/include/asm/kvm_hyp.h to arch/arm/include/asm/cp15.h.
  ---Asked by: Mark Rutland <mark.rutland@arm.com>
- Merged the following commits into the commit
  Define the virtual space of KASan's shadow region:
  1) Define the virtual space of KASan's shadow region;
  2) Avoid cleaning the KASan shadow area's mapping table;
  3) Add KASan layout;
- Merged the following commits into the commit
  Initialize the mapping of KASan shadow memory:
  1) Initialize the mapping of KASan shadow memory;
  2) Add support arm LPAE;
  3) Don't need to map the shadow of KASan's shadow memory;
  ---Reported by: Russell King - ARM Linux <linux@armlinux.org.uk>
  4) Change mapping of kasan_zero_page into readonly.
Hi, all:
These patches add arch specific code for kernel address sanitizer
(see Documentation/kasan.txt).
1/8 of kernel addresses are reserved for shadow memory. There was no
big enough hole for this, so virtual addresses for shadow were
stolen from user space.
At early boot stage the whole shadow region is populated with just
one physical page (kasan_zero_page). Later, this page is reused
as readonly zero shadow for some memory that KASan currently
doesn't track (vmalloc).
After mapping the physical memory, pages for shadow memory are
allocated and mapped.
KASan's stack instrumentation significantly increases stack's
consumption, so CONFIG_KASAN doubles THREAD_SIZE.
Functions like memset/memmove/memcpy do a lot of memory accesses.
If a bad pointer is passed to one of these functions it is important
to catch this. Compiler's instrumentation cannot do this since
these functions are written in assembly.
KASan replaces memory functions with manually instrumented variants.
Original functions are declared as weak symbols so strong definitions
in mm/kasan/kasan.c could replace them. Original functions have aliases
with '__' prefix in name, so we could call the non-instrumented variant
if needed.
Some files are built without kasan instrumentation (e.g. mm/slub.c).
Original mem* functions are replaced (via #define) with prefixed variants
to disable memory access checks for such files.
On arm LPAE architecture, the mapping table of KASan shadow memory (if
PAGE_OFFSET is 0xc0000000, the KASan shadow memory's virtual space is
0xb6e000000~0xbf000000) can't be filled in the do_translation_fault function,
because kasan instrumentation may cause the do_translation_fault function
to access KASan shadow memory. The access of KASan shadow memory in the
do_translation_fault function may cause a dead circle. So the mapping table
of KASan shadow memory needs to be copied in the pgd_alloc function.
Most of the code comes from:
https://github.com/aryabinin/linux/commit/0b54f17e70ff50a902c4af05bb92716eb95acefe
These patches are tested on vexpress-ca15, vexpress-ca9
Cc: Andrey Ryabinin <a.ryabinin@samsung.com>
Tested-by: Abbott Liu <liuwenliang@huawei.com>
Signed-off-by: Abbott Liu <liuwenliang@huawei.com>
Abbott Liu (3):
2 1-byte checks more safer for memory_is_poisoned_16
Add TTBR operator for kasan_init
Define the virtual space of KASan's shadow region
Andrey Ryabinin (4):
Disable instrumentation for some code
Replace memory function for kasan
Initialize the mapping of KASan shadow memory
Enable KASan for arm
arch/arm/Kconfig | 1 +
arch/arm/boot/compressed/Makefile | 1 +
arch/arm/boot/compressed/decompress.c | 2 +
arch/arm/boot/compressed/libfdt_env.h | 2 +
arch/arm/include/asm/cp15.h | 104 ++++++++++++
arch/arm/include/asm/kasan.h | 23 +++
arch/arm/include/asm/kasan_def.h | 52 ++++++
arch/arm/include/asm/kvm_hyp.h | 52 ------
arch/arm/include/asm/memory.h | 5 +
arch/arm/include/asm/pgalloc.h | 7 +-
arch/arm/include/asm/string.h | 17 ++
arch/arm/include/asm/thread_info.h | 4 +
arch/arm/kernel/entry-armv.S | 5 +-
arch/arm/kernel/entry-common.S | 6 +-
arch/arm/kernel/head-common.S | 7 +-
arch/arm/kernel/setup.c | 2 +
arch/arm/kernel/unwind.c | 3 +-
arch/arm/kvm/hyp/cp15-sr.c | 12 +-
arch/arm/kvm/hyp/switch.c | 6 +-
arch/arm/lib/memcpy.S | 3 +
arch/arm/lib/memmove.S | 5 +-
arch/arm/lib/memset.S | 3 +
arch/arm/mm/Makefile | 3 +
arch/arm/mm/init.c | 6 +
arch/arm/mm/kasan_init.c | 290 ++++++++++++++++++++++++++++++++++
arch/arm/mm/mmu.c | 7 +-
arch/arm/mm/pgd.c | 14 ++
arch/arm/vdso/Makefile | 2 +
mm/kasan/kasan.c | 24 ++-
29 files changed, 588 insertions(+), 80 deletions(-)
create mode 100644 arch/arm/include/asm/kasan.h
create mode 100644 arch/arm/include/asm/kasan_def.h
create mode 100644 arch/arm/mm/kasan_init.c
--
2.9.0
* [PATCH 7/7] Enable KASan for arm
2018-03-18 12:53 [PATCH v2 0/7] " Abbott Liu
@ 2018-03-18 12:53 ` Abbott Liu
2018-03-19 20:43 ` kbuild test robot
0 siblings, 1 reply; 3+ messages in thread
From: Abbott Liu @ 2018-03-18 12:53 UTC (permalink / raw)
To: linux, aryabinin, marc.zyngier, kstewart, gregkh, f.fainelli,
liuwenliang, akpm, afzal.mohd.ma, alexander.levin
Cc: glider, dvyukov, christoffer.dall, linux, mawilcox, pombredanne,
ard.biesheuvel, vladimir.murzin, nicolas.pitre, tglx, thgarnie,
dhowells, keescook, arnd, geert, tixy, mark.rutland, james.morse,
zhichao.huang, jinb.park7, labbott, philip, grygorii.strashko,
catalin.marinas, opendmb, kirill.shutemov, linux-arm-kernel,
linux-kernel, kasan-dev, kvmarm, linux-mm
From: Andrey Ryabinin <a.ryabinin@samsung.com>
This patch enables the kernel address sanitizer for arm.
Cc: Andrey Ryabinin <a.ryabinin@samsung.com>
Tested-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Abbott Liu <liuwenliang@huawei.com>
---
arch/arm/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 7e3d535..ac2287b 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -49,6 +49,7 @@ config ARM
select HAVE_ARCH_BITREVERSE if (CPU_32v7M || CPU_32v7) && !CPU_32v6
select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL && !CPU_ENDIAN_BE32 && MMU
select HAVE_ARCH_KGDB if !CPU_ENDIAN_BE32 && MMU
+ select HAVE_ARCH_KASAN if MMU
select HAVE_ARCH_MMAP_RND_BITS if MMU
select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
select HAVE_ARCH_THREAD_STRUCT_WHITELIST
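Review bot: `select HAVE_ARCH_KASAN if MMU` on the added line makes KASan selectable before the tree builds with it; the kbuild report in this thread fails arm-allmodconfig at arch/arm/kernel/entry-common.S:85 with the series applied. The entry-common.S change needs to land in an earlier patch so that this one stays last and the series stays bisectable. The one-line commit message also says nothing about what was tested or what the option costs (the cover letter mentions a doubled THREAD_SIZE and a tested vexpress-ca15/ca9); a sentence on that belongs here.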
--
2.9.0
* Re: [PATCH 7/7] Enable KASan for arm
2018-03-18 12:53 ` [PATCH 7/7] Enable " Abbott Liu
@ 2018-03-19 20:43 ` kbuild test robot
0 siblings, 0 replies; 3+ messages in thread
From: kbuild test robot @ 2018-03-19 20:43 UTC (permalink / raw)
To: Abbott Liu
Cc: kbuild-all, linux, aryabinin, marc.zyngier, kstewart, gregkh,
f.fainelli, akpm, afzal.mohd.ma, alexander.levin, glider,
dvyukov, christoffer.dall, linux, mawilcox, pombredanne,
ard.biesheuvel, vladimir.murzin, nicolas.pitre, tglx, thgarnie,
dhowells, keescook, arnd, geert, tixy, mark.rutland, james.morse,
zhichao.huang, jinb.park7, labbott, philip, grygorii.strashko,
catalin.marinas, opendmb, kirill.shutemov, linux-arm-kernel,
linux-kernel, kasan-dev, kvmarm, linux-mm
[-- Attachment #1: Type: text/plain, Size: 4310 bytes --]
Hi Andrey,
I love your patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on v4.16-rc6]
[cannot apply to next-20180319]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Abbott-Liu/KASan-for-arm/20180319-120138
config: arm-allmodconfig (attached as .config)
compiler: arm-linux-gnueabi-gcc (Debian 7.2.0-11) 7.2.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=arm
All errors (new ones prefixed by >>):
arch/arm/kernel/entry-common.S: Assembler messages:
>> arch/arm/kernel/entry-common.S:85: Error: invalid constant (ffffffffb6e00000) after fixup
vim +85 arch/arm/kernel/entry-common.S
^1da177e4 Linus Torvalds 2005-04-16 68
3302caddf Russell King 2015-08-20 69 /* Ok, we need to do extra processing, enter the slow path. */
^1da177e4 Linus Torvalds 2005-04-16 70 fast_work_pending:
^1da177e4 Linus Torvalds 2005-04-16 71 str r0, [sp, #S_R0+S_OFF]! @ returned r0
3302caddf Russell King 2015-08-20 72 /* fall through to work_pending */
3302caddf Russell King 2015-08-20 73 #else
3302caddf Russell King 2015-08-20 74 /*
3302caddf Russell King 2015-08-20 75 * The "replacement" ret_fast_syscall for when tracing or context tracking
3302caddf Russell King 2015-08-20 76 * is enabled. As we will need to call out to some C functions, we save
3302caddf Russell King 2015-08-20 77 * r0 first to avoid needing to save registers around each C function call.
3302caddf Russell King 2015-08-20 78 */
3302caddf Russell King 2015-08-20 79 ret_fast_syscall:
3302caddf Russell King 2015-08-20 80 UNWIND(.fnstart )
3302caddf Russell King 2015-08-20 81 UNWIND(.cantunwind )
3302caddf Russell King 2015-08-20 82 str r0, [sp, #S_R0 + S_OFF]! @ save returned r0
3302caddf Russell King 2015-08-20 83 disable_irq_notrace @ disable interrupts
e33f8d326 Thomas Garnier 2017-09-07 84 ldr r2, [tsk, #TI_ADDR_LIMIT]
e33f8d326 Thomas Garnier 2017-09-07 @85 cmp r2, #TASK_SIZE
e33f8d326 Thomas Garnier 2017-09-07 86 blne addr_limit_check_failed
3302caddf Russell King 2015-08-20 87 ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing
2404269bc Thomas Garnier 2017-09-07 88 tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
3302caddf Russell King 2015-08-20 89 beq no_work_pending
3302caddf Russell King 2015-08-20 90 UNWIND(.fnend )
3302caddf Russell King 2015-08-20 91 ENDPROC(ret_fast_syscall)
3302caddf Russell King 2015-08-20 92
3302caddf Russell King 2015-08-20 93 /* Slower path - fall through to work_pending */
3302caddf Russell King 2015-08-20 94 #endif
3302caddf Russell King 2015-08-20 95
3302caddf Russell King 2015-08-20 96 tst r1, #_TIF_SYSCALL_WORK
3302caddf Russell King 2015-08-20 97 bne __sys_trace_return_nosave
3302caddf Russell King 2015-08-20 98 slow_work_pending:
^1da177e4 Linus Torvalds 2005-04-16 99 mov r0, sp @ 'regs'
^1da177e4 Linus Torvalds 2005-04-16 100 mov r2, why @ 'syscall'
0a267fa6a Al Viro 2012-07-19 101 bl do_work_pending
662852178 Al Viro 2012-07-19 102 cmp r0, #0
81783786d Al Viro 2012-07-19 103 beq no_work_pending
662852178 Al Viro 2012-07-19 104 movlt scno, #(__NR_restart_syscall - __NR_SYSCALL_BASE)
81783786d Al Viro 2012-07-19 105 ldmia sp, {r0 - r6} @ have to reload r0 - r6
81783786d Al Viro 2012-07-19 106 b local_restart @ ... and off we go
e83dd3770 Drew Richardson 2015-08-06 107 ENDPROC(ret_fast_syscall)
81783786d Al Viro 2012-07-19 108
:::::: The code at line 85 was first introduced by commit
:::::: e33f8d32677fa4f4f8996ef46748f86aac81ccff arm/syscalls: Optimize address limit check
:::::: TO: Thomas Garnier <thgarnie@google.com>
:::::: CC: Thomas Gleixner <tglx@linutronix.de>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 65135 bytes --]
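Why the assembler rejected line 85 in the report above, as an added example (not code from this thread or from the kernel): an A32 `cmp rN, #imm` can only carry an 8-bit value rotated right by an even amount, and the function below checks that rule. The name `a32_encode_imm` is hypothetical, and treating 0xbf000000 as the TASK_SIZE value without KASan is an assumption based on the range quoted in the cover letter.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate a 32-bit value left by n bits. */
static uint32_t rol32(uint32_t v, unsigned n)
{
	n &= 31;
	return n ? (v << n) | (v >> (32 - n)) : v;
}

/*
 * A32 data-processing immediate: an 8-bit value rotated right by an even
 * amount (2 * rot4, rot4 in 0..15). Returns 1 and fills imm8/rot4 when
 * `value` can be encoded that way, 0 when it cannot.
 */
int a32_encode_imm(uint32_t value, unsigned *imm8, unsigned *rot4)
{
	for (unsigned rot = 0; rot < 16; rot++) {
		uint32_t undone = rol32(value, 2 * rot); /* undo the ROR */
		if (undone <= 0xff) {
			*imm8 = undone;
			*rot4 = rot;
			return 1;
		}
	}
	return 0;
}

int main(void)
{
	/*
	 * 0xb6e00000: the constant in the assembler error (low 32 bits).
	 * 0xbf000000: upper bound of the shadow range in the cover letter,
	 * assumed here to be TASK_SIZE without KASan.
	 */
	const uint32_t samples[] = { 0xb6e00000u, 0xbf000000u };

	for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned imm8, rot4;
		if (a32_encode_imm(samples[i], &imm8, &rot4))
			printf("0x%08x: cmp rN, #imm ok (imm8=0x%02x, ror %u)\n",
			       (unsigned)samples[i], imm8, 2 * rot4);
		else
			printf("0x%08x: not encodable, needs ldr rM, =const\n",
			       (unsigned)samples[i]);
	}
	return 0;
}
```

0xb6e00000 has set bits spanning 11 positions, so no 8-bit window fits it, which is why the posted fix moves the constant into a register with `ldr r1, =TASK_SIZE`.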