From: Andrey Konovalov
Date: Thu, 14 Sep 2023 19:46:50 +0200
Subject: Re: [PATCH] kasan:fix access invalid shadow address when input is illegal
To: Haibo Li
Cc: linux-kernel@vger.kernel.org, xiaoming.yu@mediatek.com, Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, Matthias Brugger, AngeloGioacchino Del Regno, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org
In-Reply-To: <20230914080833.50026-1-haibo.li@mediatek.com>
On Thu, Sep 14, 2023 at 10:08 AM 'Haibo Li' via kasan-dev wrote:
>
> When the input address is illegal, the corresponding shadow address
> from kasan_mem_to_shadow may have no mapping in the MMU table.
> Accessing such a shadow address causes a kernel oops.
> Here is a sample oops on arm64 (VA 39bit) with KASAN_SW_TAGS on:
>
> [ffffffb80aaaaaaa] pgd=000000005d3ce003, p4d=000000005d3ce003,
> pud=000000005d3ce003, pmd=0000000000000000
> Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 3 PID: 100 Comm: sh Not tainted 6.6.0-rc1-dirty #43
> Hardware name: linux,dummy-virt (DT)
> pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : __hwasan_load8_noabort+0x5c/0x90
> lr : do_ib_ob+0xf4/0x110
>
> ffffffb80aaaaaaa is the shadow address for efffff80aaaaaaaa.
> The problem is reading invalid shadow in kasan_check_range.
>
> The generic KASAN also has a similar oops.
>
> To fix it, check the shadow address by reading it with no fault.
>
> After this patch, KASAN is able to report the invalid memory access
> for this case.

Hi Haibo,

I thought this should be covered by the kasan_non_canonical_hook handler, which prints some additional information about how the GPF could be caused by accessing shadow memory. Does it not work in your case?
It might be that we need to add kasan_non_canonical_hook to some other arm64 internal fault handler functions then. Thanks!
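As an added illustration that is not code from the patch or from the kernel, the following userspace model shows the shadow arithmetic this thread is about: the SW_TAGS granule shift of 4, a shadow offset derived from the two addresses quoted in the oops (an assumption, not taken from the kernel's Kconfig), and a classification modelled on what kasan_non_canonical_hook does when the faulting address turns out to be a shadow address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Assumed SW_TAGS layout from the oops: 16-byte granules (shift 4); the offset
 * is derived as shadow - (addr >> 4) from the report's two addresses (assumed). */
#define KASAN_SHADOW_SCALE_SHIFT 4
#define KASAN_GRANULE_SIZE       (1UL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_OFFSET      0xf0ffffc000000000UL
#define PAGE_SIZE                4096UL
#define TASK_SIZE                (1UL << 39)   /* assumed: 39-bit user VA */

/* Same arithmetic as the kernel's kasan_mem_to_shadow(): shift, then add offset. */
static uint64_t mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping; the position within the 16-byte granule is lost. */
static uint64_t shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

struct shadow_fault {
    bool in_shadow;        /* faulting address lies in the shadow region */
    uint64_t orig_start;   /* first byte of the granule that shadow byte covers */
    uint64_t orig_end;     /* last byte of that granule */
    const char *bug_type;
};

/* Modelled on kasan_non_canonical_hook(): translate a fault on a shadow
 * address back into the original bad access so it can be reported as a
 * KASAN null/user/wild access rather than a bare page fault. */
static struct shadow_fault classify_fault(uint64_t fault_addr)
{
    struct shadow_fault f = { false, 0, 0, NULL };
    if (fault_addr < KASAN_SHADOW_OFFSET)
        return f;                         /* below the shadow region */
    f.in_shadow = true;
    f.orig_start = shadow_to_mem(fault_addr);
    f.orig_end = f.orig_start + KASAN_GRANULE_SIZE - 1;
    if (f.orig_start < PAGE_SIZE)
        f.bug_type = "null-ptr-deref";
    else if (f.orig_start < TASK_SIZE)
        f.bug_type = "probably user-memory-access";
    else
        f.bug_type = "maybe wild-memory-access";
    return f;
}
```

Feeding the oops' faulting shadow address ffffffb80aaaaaaa through classify_fault recovers the granule containing efffff80aaaaaaaa, which is the information the hook would print instead of the bare page-table dump in the report.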