References: <20230914080833.50026-1-haibo.li@mediatek.com> <20230914112915.81f55863c0450195b4ed604a@linux-foundation.org>
From: Jann Horn
Date: Thu, 14 Sep 2023 22:40:43 +0200
Subject: Re: [PATCH] kasan:fix access invalid shadow address when input is illegal
To: Andrey Konovalov
Cc: Andrew Morton, Haibo Li, linux-kernel@vger.kernel.org, xiaoming.yu@mediatek.com, Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Vincenzo Frascino, Matthias Brugger, AngeloGioacchino Del Regno, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Mark Rutland

On Thu, Sep 14, 2023 at 10:35 PM Andrey Konovalov wrote:
> On Thu, Sep 14, 2023 at 8:29 PM Andrew Morton wrote:
> > > --- a/mm/kasan/kasan.h > > > +++ b/mm/kasan/kasan.h
> > > @@ -304,8 +304,17 @@ static __always_inline bool addr_has_metadata(co= nst void *addr) > > > #ifdef __HAVE_ARCH_SHADOW_MAP > > > return (kasan_mem_to_shadow((void *)addr) !=3D NULL); > > > #else > > > - return (kasan_reset_tag(addr) >=3D > > > - kasan_shadow_to_mem((void *)KASAN_SHADOW_START)); > > > + u8 *shadow, shadow_val; > > > + > > > + if (kasan_reset_tag(addr) < > > > + kasan_shadow_to_mem((void *)KASAN_SHADOW_START)) > > > + return false; > > > + /* use read with nofault to check whether the shadow is accessi= ble */ > > > + shadow =3D kasan_mem_to_shadow((void *)addr); > > > + __get_kernel_nofault(&shadow_val, shadow, u8, fault); > > > + return true; > > > +fault: > > > + return false; > > > #endif > > > }
> >
> > Are we able to identify a Fixes: target for this?
> > 9d7b7dd946924de43021f57a8bee122ff0744d93 ("kasan: split out
> > print_report from __kasan_report") altered the code but I expect the
> > bug was present before that commit.
> >
> > Seems this bug has been there for over a year. Can you suggest why it
> > has been discovered after such a lengthy time?
>
> Accessing unmapped memory with KASAN always led to a crash when
> checking shadow memory. This was reported/discussed before. To improve
> crash reporting for this case, Jann added kasan_non_canonical_hook and
> Mark integrated it into arm64. But AFAIU, for some reason, it stopped
> working.
>
> Instead of this patch, we need to figure out why
> kasan_non_canonical_hook stopped working and fix it.
>
> The approach taken by this patch won't work for shadow checks added
> by compiler instrumentation. It only covers explicitly checked
> accesses, such as via memcpy, etc.

FWIW, AFAICS kasan_non_canonical_hook() currently only does anything
under CONFIG_KASAN_INLINE; I think the idea when I added that was that
it assumes that when KASAN checks an access in out-of-line
instrumentation or a slowpath, it will do the required checks to avoid
this kind of fault?
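Review bot: the `__get_kernel_nofault(&shadow_val, shadow, u8, fault);` probe only protects callers of addr_has_metadata(), i.e. explicitly checked accesses such as memcpy; the shadow loads the compiler inlines never go through this helper and still fault on the same pointer, so the hunk narrows the symptom rather than repairing the report path, and it adds an exception-table-backed read to every explicit check. Finding out why kasan_non_canonical_hook() stopped firing, as suggested in the thread, covers both cases and should come first. One consistency point on the hunk itself: `shadow` is derived from `addr` while the range check two lines earlier (and the removed `return`) use `kasan_reset_tag(addr)`; compute the shadow from the same reset value so the check and the probe refer to the same address.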
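As an added illustration (not code from the patch or from the kernel), a user-space model of the shadow arithmetic behind the addr_has_metadata() range check and of the kasan_non_canonical_hook() classification that Andrey and Jann refer to. The layout constants, PAGE_SZ and TASK_SZ are assumed x86-64 generic-mode values chosen for the example; the thread itself concerns arm64 and names no numbers.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout constants (assumed x86-64 generic-KASAN values, not from the patch). */
#define SHADOW_SCALE_SHIFT 3UL
#define SHADOW_OFFSET      0xdffffc0000000000UL
#define KERNEL_VA_START    0xffff800000000000UL   /* lowest address that has real shadow */
#define SHADOW_START       (SHADOW_OFFSET + (KERNEL_VA_START >> SHADOW_SCALE_SHIFT))
#define SHADOW_END         (SHADOW_OFFSET + (1UL << (64 - SHADOW_SCALE_SHIFT)))
#define GRANULE_SIZE       (1UL << SHADOW_SCALE_SHIFT)
#define PAGE_SZ            4096UL
#define TASK_SZ            0x00007ffffffff000UL   /* user/kernel split, assumed */

static uintptr_t mem_to_shadow(uintptr_t addr) { return (addr >> SHADOW_SCALE_SHIFT) + SHADOW_OFFSET; }
static uintptr_t shadow_to_mem(uintptr_t sh)   { return (sh - SHADOW_OFFSET) << SHADOW_SCALE_SHIFT; }
/* The pre-patch addr_has_metadata() range check: only addresses at or above the
 * memory that SHADOW_START maps have shadow, so explicit checks bail out below it. */
static bool addr_has_metadata(uintptr_t addr) { return addr >= shadow_to_mem(SHADOW_START); }

/* Compiler-inlined instrumentation never calls addr_has_metadata(); it loads the shadow
 * byte directly, and for a wild pointer that load faults on an unmapped shadow address.
 * This models kasan_non_canonical_hook(): recognise a shadow address, recover the access. */
enum bug_type { NOT_SHADOW, NULL_PTR_DEREF, USER_MEMORY_ACCESS, WILD_MEMORY_ACCESS };

static enum bug_type classify_fault(uintptr_t fault_addr, uintptr_t *lo, uintptr_t *hi)
{
	if (fault_addr < SHADOW_OFFSET || fault_addr >= SHADOW_END)
		return NOT_SHADOW;                 /* ordinary fault, not a shadow access */
	*lo = shadow_to_mem(fault_addr);
	*hi = *lo + GRANULE_SIZE - 1;          /* one shadow byte covers one granule */
	if (*lo < PAGE_SZ)
		return NULL_PTR_DEREF;
	if (*lo < TASK_SZ)
		return USER_MEMORY_ACCESS;
	return WILD_MEMORY_ACCESS;
}

int main(void)
{
	static const char *const names[] = { "not a shadow fault", "null-ptr-deref",
					     "user-memory-access", "wild-memory-access" };
	/* Constructed sample: an instrumented access through a wild pointer. */
	uintptr_t wild = 0xdead000000000000UL, lo = 0, hi = 0;
	enum bug_type t = classify_fault(mem_to_shadow(wild), &lo, &hi);
	printf("addr_has_metadata(%#" PRIxPTR ") = %d\n", wild, addr_has_metadata(wild));
	printf("KASAN: maybe %s in range [%#" PRIxPTR "-%#" PRIxPTR "]\n", names[t], lo, hi);
	return 0;
}
```

The patch's nofault probe would make the explicit check return false for the same wild pointer, whereas the inlined load still faults and only the hook path can name the original access range.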