Re: [PATCH] kasan:fix access invalid shadow address when input is illegal

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Jann Horn <jannh@google.com>
To: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Haibo Li <haibo.li@mediatek.com>,
	 linux-kernel@vger.kernel.org, xiaoming.yu@mediatek.com,
	 Andrey Ryabinin <ryabinin.a.a@gmail.com>,
	Alexander Potapenko <glider@google.com>,
	 Dmitry Vyukov <dvyukov@google.com>,
	Vincenzo Frascino <vincenzo.frascino@arm.com>,
	 Matthias Brugger <matthias.bgg@gmail.com>,
	 AngeloGioacchino Del Regno
	<angelogioacchino.delregno@collabora.com>,
	kasan-dev@googlegroups.com,  linux-mm@kvack.org,
	linux-arm-kernel@lists.infradead.org,
	 linux-mediatek@lists.infradead.org,
	Mark Rutland <mark.rutland@arm.com>
Subject: Re: [PATCH] kasan:fix access invalid shadow address when input is illegal
Date: Thu, 14 Sep 2023 22:40:43 +0200	[thread overview]
Message-ID: <CAG48ez0aenPmr=d35UGa4_BiCwYU1-JHhD_2ygThvjOEXEM7bQ@mail.gmail.com> (raw)
In-Reply-To: <CA+fCnZemM-jJxX+=2W162NJkUC6aZXNJiVLa-=ia=L3CmE8ZTQ@mail.gmail.com>

On Thu, Sep 14, 2023 at 10:35 PM Andrey Konovalov <andreyknvl@gmail.com> wrote:
> On Thu, Sep 14, 2023 at 8:29 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> > > --- a/mm/kasan/kasan.h
> > > +++ b/mm/kasan/kasan.h
> > > @@ -304,8 +304,17 @@ static __always_inline bool addr_has_metadata(const void *addr)
> > >  #ifdef __HAVE_ARCH_SHADOW_MAP
> > >       return (kasan_mem_to_shadow((void *)addr) != NULL);
> > >  #else
> > > -     return (kasan_reset_tag(addr) >=
> > > -             kasan_shadow_to_mem((void *)KASAN_SHADOW_START));
> > > +     u8 *shadow, shadow_val;
> > > +
> > > +     if (kasan_reset_tag(addr) <
> > > +             kasan_shadow_to_mem((void *)KASAN_SHADOW_START))
> > > +             return false;
> > > +     /* use read with nofault to check whether the shadow is accessible */
> > > +     shadow = kasan_mem_to_shadow((void *)addr);
> > > +     __get_kernel_nofault(&shadow_val, shadow, u8, fault);
> > > +     return true;
> > > +fault:
> > > +     return false;
> > >  #endif
> > >  }
> >
> > Are we able to identify a Fixes: target for this?
> > 9d7b7dd946924de43021f57a8bee122ff0744d93 ("kasan: split out
> > print_report from __kasan_report") altered the code but I expect the
> > bug was present before that commit.
> >
> > Seems this bug has been there for over a year.  Can you suggest why it
> > has been discovered after such a lengthy time?
>
> Accessing unmapped memory with KASAN always led to a crash when
> checking shadow memory. This was reported/discussed before. To improve
> crash reporting for this case, Jann added kasan_non_canonical_hook and
> Mark integrated it into arm64. But AFAIU, for some reason, it stopped
> working.
>
> Instead of this patch, we need to figure out why
> kasan_non_canonical_hook stopped working and fix it.
>
> This approach taken by this patch won't work for shadow checks added
> by compiler instrumentation. It only covers explicitly checked
> accesses, such as via memcpy, etc.

FWIW, AFAICS kasan_non_canonical_hook() currently only does anything
under CONFIG_KASAN_INLINE; I think the idea when I added that was that
it assumes that when KASAN checks an access in out-of-line
instrumentation or a slowpath, it will do the required checks to avoid
this kind of fault?

next prev parent reply	other threads:[~2023-09-14 20:41 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-14  8:08 Haibo Li
2023-09-14 17:46 ` Andrey Konovalov
2023-09-14 18:29 ` Andrew Morton
2023-09-14 20:34   ` Andrey Konovalov
2023-09-14 20:40     ` Jann Horn [this message]
2023-09-15  1:51       ` Andrey Konovalov
2023-09-15  2:45         ` Haibo Li
2023-09-15  9:40           ` Haibo Li
2023-09-15 16:53             ` Andrey Konovalov
2023-09-15 16:50           ` Andrey Konovalov
2023-09-15 17:04             ` Jann Horn
2023-09-18  8:12               ` Haibo Li
2023-09-18  7:25             ` Haibo Li

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAG48ez0aenPmr=d35UGa4_BiCwYU1-JHhD_2ygThvjOEXEM7bQ@mail.gmail.com' \
    --to=jannh@google.com \
    --cc=akpm@linux-foundation.org \
    --cc=andreyknvl@gmail.com \
    --cc=angelogioacchino.delregno@collabora.com \
    --cc=dvyukov@google.com \
    --cc=glider@google.com \
    --cc=haibo.li@mediatek.com \
    --cc=kasan-dev@googlegroups.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mediatek@lists.infradead.org \
    --cc=linux-mm@kvack.org \
    --cc=mark.rutland@arm.com \
    --cc=matthias.bgg@gmail.com \
    --cc=ryabinin.a.a@gmail.com \
    --cc=vincenzo.frascino@arm.com \
    --cc=xiaoming.yu@mediatek.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox