From: Marco Elver
Date: Tue, 12 Jul 2022 15:51:31 +0200
Subject: Re: [PATCH v4 18/45] instrumented.h: add KMSAN support
To: Alexander Potapenko
Cc: Alexander Viro, Alexei Starovoitov, Andrew Morton, Andrey Konovalov, Andy Lutomirski, Arnd Bergmann, Borislav Petkov, Christoph Hellwig, Christoph Lameter, David Rientjes, Dmitry Vyukov, Eric Dumazet, Greg Kroah-Hartman, Herbert Xu, Ilya Leoshkevich, Ingo Molnar, Jens Axboe, Joonsoo Kim, Kees Cook, Mark Rutland, Matthew Wilcox, Michael S. Tsirkin, Pekka Enberg, Peter Zijlstra, Petr Mladek, Steven Rostedt, Thomas Gleixner, Vasily Gorbik, Vegard Nossum, Vlastimil Babka, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20220701142310.2188015-1-glider@google.com> <20220701142310.2188015-19-glider@google.com>
In-Reply-To: <20220701142310.2188015-19-glider@google.com>
On Fri, 1 Jul 2022 at 16:24, Alexander Potapenko wrote:
>
> To avoid false positives, KMSAN needs to unpoison the data copied from
> the userspace. To detect infoleaks - check the memory buffer passed to
> copy_to_user().
>
> Signed-off-by: Alexander Potapenko

Reviewed-by: Marco Elver

With the code simplification below.

[...]

> --- a/mm/kmsan/hooks.c
> +++ b/mm/kmsan/hooks.c
> @@ -212,6 +212,44 @@ void kmsan_iounmap_page_range(unsigned long start, unsigned long end) > } > EXPORT_SYMBOL(kmsan_iounmap_page_range); > > +void kmsan_copy_to_user(void __user *to, const void *from, size_t to_copy, > + size_t left) > +{ > + unsigned long ua_flags; > + > + if (!kmsan_enabled || kmsan_in_runtime()) > + return; > + /* > + * At this point we've copied the memory already. It's hard to check it > + * before copying, as the size of actually copied buffer is unknown. > + */ > + > + /* copy_to_user() may copy zero bytes. No need to check. */ > + if (!to_copy) > + return; > + /* Or maybe copy_to_user() failed to copy anything. */ > + if (to_copy <= left) > + return; > + > + ua_flags = user_access_save(); > + if ((u64)to < TASK_SIZE) { > + /* This is a user memory access, check it. */ > + kmsan_internal_check_memory((void *)from, to_copy - left, to, > + REASON_COPY_TO_USER); This could just do "} else {" and the stuff below, and would result in simpler code with no explicit "return" and no duplicated user_access_restore(). > + user_access_restore(ua_flags); > + return; > + } > + /* Otherwise this is a kernel memory access. This happens when a compat > + * syscall passes an argument allocated on the kernel stack to a real > + * syscall. > + * Don't check anything, just copy the shadow of the copied bytes. > + */ > + kmsan_internal_memmove_metadata((void *)to, (void *)from, > + to_copy - left); > + user_access_restore(ua_flags); > +} > +EXPORT_SYMBOL(kmsan_copy_to_user);
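Review bot: the block comment on the kernel-address path ("/* Otherwise this is a kernel memory access. This happens when a compat ...") puts text on the opening "/*" line, unlike the two comments earlier in the same function, which leave that line empty as the kernel's multi-line comment style expects; move the text down one line so the function is consistent with itself and checkpatch. While at it, "(u64)to < TASK_SIZE" casts the pointer to u64 although the usual idiom in the kernel for comparing an address against TASK_SIZE is "(unsigned long)to", which also matches the type of the macro. The size handling itself reads correctly: returning on "!to_copy" and on "to_copy <= left", then checking or copying metadata for exactly "to_copy - left" bytes, is what copy_to_user()'s return convention requires.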
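The commit message says the copy_to_user() side of this hook exists to catch infoleaks, that is, kernel memory that was never initialized reaching userspace. The classic instance is a structure whose named members are all assigned but whose compiler-inserted padding still holds stale stack or heap contents. The following userspace C program, added here as an illustration and not part of the patch or of KMSAN, models that bug class and the "to_copy - left" size logic of kmsan_copy_to_user(): struct leaky_reply is a hypothetical ioctl reply invented for the example, the 0xAA marker stands in for stale memory, and the layout assumptions (8-byte alignment of uint64_t, so 7 bytes of padding after "type" and 4 bytes of tail padding) are those of the x86_64 ABI that KMSAN targets.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical reply structure constructed for this example. With the
 * x86_64 ABI the compiler inserts 7 bytes of padding after 'type' and
 * 4 bytes of tail padding after 'len', so sizeof(struct leaky_reply) == 24
 * while only 13 bytes are named members.
 */
struct leaky_reply {
	uint8_t type;
	uint64_t value;
	uint32_t len;
};

/* Bytes of struct leaky_reply that belong to named members. */
#define REPLY_PAYLOAD_BYTES \
	(sizeof(uint8_t) + sizeof(uint64_t) + sizeof(uint32_t))

/* Marker standing in for stale data left behind in a recycled buffer. */
#define STALE 0xAA

/* Count bytes in [buf, buf + n) that still hold the stale marker. */
static size_t count_stale_bytes(const unsigned char *buf, size_t n)
{
	size_t i, stale = 0;

	for (i = 0; i < n; i++)
		if (buf[i] == STALE)
			stale++;
	return stale;
}

/*
 * Mirror of the size logic in kmsan_copy_to_user(): nothing to report if
 * zero bytes were requested or nothing was copied; otherwise only the
 * to_copy - left bytes that copy_to_user() actually wrote can leak.
 */
size_t stale_bytes_copied(const unsigned char *from, size_t to_copy,
			  size_t left)
{
	if (!to_copy)
		return 0;
	if (to_copy <= left)
		return 0;
	return count_stale_bytes(from, to_copy - left);
}

/*
 * Buggy pattern: every named member is assigned, but the padding keeps
 * whatever the object held before. Writes the object representation that
 * would be handed to copy_to_user() into 'out' (sizeof(struct leaky_reply)
 * bytes) and returns how many of the first to_copy - left bytes are stale.
 */
size_t leak_check_unsafe(size_t to_copy, size_t left)
{
	struct leaky_reply r;
	unsigned char out[sizeof(struct leaky_reply)];

	memset(&r, STALE, sizeof(r));	/* simulate stale stack contents */
	r.type = 1;
	r.value = 0x1234;
	r.len = 4;
	memcpy(out, &r, sizeof(r));	/* the buffer copy_to_user() gets */
	return stale_bytes_copied(out, to_copy, left);
}

/* Fixed pattern: clear the whole object before filling in members. */
size_t leak_check_safe(size_t to_copy, size_t left)
{
	struct leaky_reply r;
	unsigned char out[sizeof(struct leaky_reply)];

	memset(&r, STALE, sizeof(r));	/* simulate stale stack contents */
	memset(&r, 0, sizeof(r));	/* the fix: padding is now initialized */
	r.type = 1;
	r.value = 0x1234;
	r.len = 4;
	memcpy(out, &r, sizeof(r));
	return stale_bytes_copied(out, to_copy, left);
}
```

With a full copy (left == 0) the unsafe builder exposes all 11 padding bytes; with a short copy of only the first 4 bytes it exposes the 3 padding bytes after "type", which is exactly the window KMSAN checks; a failed copy (left == to_copy) or a zero-length copy reports nothing, matching the early returns in the hook. None of the member values contain the 0xAA marker, so the count is padding only.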