From: Jann Horn
Date: Wed, 26 May 2021 12:45:21 +0200
Subject: Re: [PATCH v3 3/3] kasan: allow freed user page poisoning to be disabled with HW tags
To: Andrey Konovalov, Peter Collingbourne
Cc: Alexander Potapenko, Catalin Marinas, Vincenzo Frascino, Andrew Morton, Evgenii Stepanov, Linux Memory Management List, Linux ARM
References: <31b6c0c44cb385667287c826528ad422c6433091.1620849613.git.pcc@google.com>

On Wed, May 26, 2021 at 12:07 AM Andrey Konovalov wrote:
> On Wed, May 12, 2021 at 11:09 PM Peter Collingbourne wrote:
> > Poisoning freed pages protects against kernel use-after-free. The
> > likelihood of such a bug involving kernel pages is significantly higher
> > than that for user pages. At the same time, poisoning freed pages can
> > impose a significant performance cost, which cannot always be justified
> > for user pages given the lower probability of finding a bug. Therefore,
> > make it possible to configure the kernel to disable freed user page
> > poisoning when using HW tags via the new kasan.skip_user_poison_on_free
> > command line option.
>
> So the potential scenario that would be undetectable with
> kasan.skip_user_poison_on_free enabled is: 1) kernel allocates a user
> page and maps it for userspace, 2) the page gets freed in the kernel,
> 3) kernel accesses the page leading to a use-after-free. Is this
> correct?
>
> If bugs involving use-after-free accesses on user pages are something
> that is extremely rare, perhaps we could just change the default and
> avoid adding a command line switch.
>
> Jann, maybe you have an idea of how common something like this is or
> have other inputs?
GFP_USER is kind of a squishy concept, and if you grep around for it in the kernel tree, you can see it being used for all kinds of things - including SKBs in some weird ISDN driver, various types of BPF allocations, and so on. It's probably the wrong flag to hook if you want something that means "these pages will mostly be accessed from userspace".

My guess is that what pcc@ is actually interested in are probably mainly anonymous pages, and to a lesser degree also page cache pages? Those use the more specific GFP_HIGHUSER_MOVABLE (which indicates that the kernel will usually not be holding any direct pointers to the page outside of rmap/pagecache logic, and that any kernel access to the pages will be using the kmap API).

It's probably safe to assume that the majority of kernel bugs won't directly involve GFP_HIGHUSER_MOVABLE memory - that's probably mostly only going to happen if there are bugs in code that grabs pages with get_user_pages* and then kmap()s them, or if there's something broken in the pipe logic, or maybe an OOB issue in filesystem parsing code (?), or something like that.
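To make the difference between the two candidate flags concrete, here is an added user-space model (not code from this thread or from the patch under review) of the "skip poisoning this freed page?" decision: one policy keys on the GFP_USER bits, the other on the full GFP_HIGHUSER_MOVABLE mask. The GFP bit values are assumed to match include/linux/gfp.h of a 5.13-era kernel, and the sample allocations are constructed stand-ins for the cases named in the mail.

```c
#include <stdbool.h>
#include <stddef.h>

typedef unsigned int gfp_t;

/* Bit values assumed to match include/linux/gfp.h of a 5.13-era kernel. */
#define __GFP_HIGHMEM        0x02u
#define __GFP_MOVABLE        0x08u
#define __GFP_IO             0x40u
#define __GFP_FS             0x80u
#define __GFP_DIRECT_RECLAIM 0x400u
#define __GFP_KSWAPD_RECLAIM 0x800u
#define __GFP_HARDWALL       0x100000u
#define __GFP_RECLAIM        (__GFP_DIRECT_RECLAIM | __GFP_KSWAPD_RECLAIM)

#define GFP_KERNEL           (__GFP_RECLAIM | __GFP_IO | __GFP_FS)
#define GFP_USER             (GFP_KERNEL | __GFP_HARDWALL)
#define GFP_HIGHUSER         (GFP_USER | __GFP_HIGHMEM)
#define GFP_HIGHUSER_MOVABLE (GFP_HIGHUSER | __GFP_MOVABLE)

/* Policy A: skip poisoning anything that carries the GFP_USER bits. */
static bool skip_poison_gfp_user(gfp_t flags)
{
    return (flags & GFP_USER) == GFP_USER;
}

/* Policy B: skip poisoning only full GFP_HIGHUSER_MOVABLE allocations. */
static bool skip_poison_highuser_movable(gfp_t flags)
{
    return (flags & GFP_HIGHUSER_MOVABLE) == GFP_HIGHUSER_MOVABLE;
}

/* Constructed samples standing in for the cases named in the mail. */
struct sample { const char *what; gfp_t flags; };
static const struct sample samples[] = {
    { "anonymous page",                     GFP_HIGHUSER_MOVABLE },
    { "driver SKB allocated with GFP_USER", GFP_USER },
    { "ordinary kernel object",             GFP_KERNEL },
};

/* Pages a policy leaves unpoisoned although the kernel touches them directly:
 * each one is a use-after-free the HW-tag check can no longer catch. */
static int blind_spots(bool (*policy)(gfp_t))
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (policy(samples[i].flags) && samples[i].flags != GFP_HIGHUSER_MOVABLE)
            n++;
    return n;
}
```

Policy A exempts the kernel-owned SKB because GFP_USER is a subset of every flag set built on top of it, while policy B exempts only the anonymous page.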