
[41/43] security: kmsan: fix interoperability with auto-initialization

Message ID 20211214162050.660953-42-glider@google.com
State New
Series Add KernelMemorySanitizer infrastructure

Commit Message

Alexander Potapenko Dec. 14, 2021, 4:20 p.m. UTC
Heap and stack initialization is great, but not when we are trying
to find uses of uninitialized memory. When the kernel is built with KMSAN,
having kernel memory initialization enabled may introduce false
negatives.

We disable CONFIG_INIT_STACK_ALL_PATTERN and CONFIG_INIT_STACK_ALL_ZERO
under CONFIG_KMSAN, making it impossible to auto-initialize stack
variables in KMSAN builds. We also disable CONFIG_INIT_ON_ALLOC_DEFAULT_ON
and CONFIG_INIT_ON_FREE_DEFAULT_ON to prevent accidental use of heap
auto-initialization.

We however still let the users enable heap auto-initialization at
boot-time (by setting init_on_alloc=1 or init_on_free=1), in which case
a warning is printed.

Signed-off-by: Alexander Potapenko <glider@google.com>
---
Link: https://linux-review.googlesource.com/id/I86608dd867018683a14ae1870f1928ad925f42e9
---
 mm/page_alloc.c            | 4 ++++
 security/Kconfig.hardening | 4 ++++
 2 files changed, 8 insertions(+)

Comments

Greg KH Dec. 14, 2021, 4:38 p.m. UTC | #1
On Tue, Dec 14, 2021 at 05:20:48PM +0100, Alexander Potapenko wrote:
> Heap and stack initialization is great, but not when we are trying
> to find uses of uninitialized memory. When the kernel is built with KMSAN,
> having kernel memory initialization enabled may introduce false
> negatives.
> 
> We disable CONFIG_INIT_STACK_ALL_PATTERN and CONFIG_INIT_STACK_ALL_ZERO
> under CONFIG_KMSAN, making it impossible to auto-initialize stack
> variables in KMSAN builds. We also disable CONFIG_INIT_ON_ALLOC_DEFAULT_ON
> and CONFIG_INIT_ON_FREE_DEFAULT_ON to prevent accidental use of heap
> auto-initialization.
> 
> We however still let the users enable heap auto-initialization at
> boot-time (by setting init_on_alloc=1 or init_on_free=1), in which case
> a warning is printed.
> 
> Signed-off-by: Alexander Potapenko <glider@google.com>
> ---
> Link: https://linux-review.googlesource.com/id/I86608dd867018683a14ae1870f1928ad925f42e9
> ---
>  mm/page_alloc.c            | 4 ++++
>  security/Kconfig.hardening | 4 ++++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> index fa8029b714a81..4218dea0c76a2 100644
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c
> @@ -855,6 +855,10 @@ void init_mem_debugging_and_hardening(void)
>  	else
>  		static_branch_disable(&init_on_free);
>  
> +	if (IS_ENABLED(CONFIG_KMSAN) &&
> +	    (_init_on_alloc_enabled_early || _init_on_free_enabled_early))
> +		pr_info("mem auto-init: please make sure init_on_alloc and init_on_free are disabled when running KMSAN\n");
> +
>  #ifdef CONFIG_DEBUG_PAGEALLOC
>  	if (!debug_pagealloc_enabled())
>  		return;
> diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
> index d051f8ceefddd..bd13a46024457 100644
> --- a/security/Kconfig.hardening
> +++ b/security/Kconfig.hardening
> @@ -106,6 +106,7 @@ choice
>  	config INIT_STACK_ALL_PATTERN
>  		bool "pattern-init everything (strongest)"
>  		depends on CC_HAS_AUTO_VAR_INIT_PATTERN
> +		depends on !KMSAN
>  		help
>  		  Initializes everything on the stack (including padding)
>  		  with a specific debug value. This is intended to eliminate
> @@ -124,6 +125,7 @@ choice
>  	config INIT_STACK_ALL_ZERO
>  		bool "zero-init everything (strongest and safest)"
>  		depends on CC_HAS_AUTO_VAR_INIT_ZERO
> +		depends on !KMSAN

So this means KMSAN is a developer debugging feature only and should
never be turned on on a real device/server that has users?

thanks,

greg k-h
Alexander Potapenko Dec. 14, 2021, 5 p.m. UTC | #2
On Tue, Dec 14, 2021 at 5:38 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> > @@ -124,6 +125,7 @@ choice
> >       config INIT_STACK_ALL_ZERO
> >               bool "zero-init everything (strongest and safest)"
> >               depends on CC_HAS_AUTO_VAR_INIT_ZERO
> > +             depends on !KMSAN
>
> So this means KMSAN is a developer debugging feature only and should
> never be turned on on a real device/server that has users?

100% correct. KMSAN is way slower than KASAN, it also eats 2/3 of your
memory to store the metadata.
I thought it was sort of self-evident, but I can surely mention this
explicitly in the cover letter.
Greg KH Dec. 14, 2021, 5:33 p.m. UTC | #3
On Tue, Dec 14, 2021 at 06:00:41PM +0100, Alexander Potapenko wrote:
> On Tue, Dec 14, 2021 at 5:38 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > > @@ -124,6 +125,7 @@ choice
> > >       config INIT_STACK_ALL_ZERO
> > >               bool "zero-init everything (strongest and safest)"
> > >               depends on CC_HAS_AUTO_VAR_INIT_ZERO
> > > +             depends on !KMSAN
> >
> > So this means KMSAN is a developer debugging feature only and should
> > never be turned on on a real device/server that has users?
> 
> 100% correct. KMSAN is way slower than KASAN, it also eats 2/3 of your
> memory to store the metadata.
> I thought it was sort of self-evident, but I can surely mention this
> explicitly in the cover letter.

Please mention it here and in the Kconfig option for it as well (don't
know if it was there or not.)

Also you might want to print out very large "DO NOT USE THIS ON A REAL
MACHINE" to the kernel log when booting, like other kernel options are
starting to do that should not be enabled.

thanks,

greg k-h

Patch

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index fa8029b714a81..4218dea0c76a2 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -855,6 +855,10 @@  void init_mem_debugging_and_hardening(void)
 	else
 		static_branch_disable(&init_on_free);
 
+	if (IS_ENABLED(CONFIG_KMSAN) &&
+	    (_init_on_alloc_enabled_early || _init_on_free_enabled_early))
+		pr_info("mem auto-init: please make sure init_on_alloc and init_on_free are disabled when running KMSAN\n");
+
 #ifdef CONFIG_DEBUG_PAGEALLOC
 	if (!debug_pagealloc_enabled())
 		return;
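Review bot: pr_info is easy to miss for a message the commit text describes as a warning, and booting a KMSAN kernel with init_on_alloc=1 or init_on_free=1 silently turns reports into false negatives; consider pr_warn and state the consequence in the message, e.g. `pr_warn("mem auto-init: init_on_alloc/init_on_free are enabled, KMSAN will miss uses of uninitialized memory\n");`. Reading _init_on_alloc_enabled_early and _init_on_free_enabled_early right after the static branches are set is the right place, since it reflects the effective boot-time state rather than the Kconfig default.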
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index d051f8ceefddd..bd13a46024457 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -106,6 +106,7 @@  choice
 	config INIT_STACK_ALL_PATTERN
 		bool "pattern-init everything (strongest)"
 		depends on CC_HAS_AUTO_VAR_INIT_PATTERN
+		depends on !KMSAN
 		help
 		  Initializes everything on the stack (including padding)
 		  with a specific debug value. This is intended to eliminate
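Review bot: `depends on !KMSAN` simply removes INIT_STACK_ALL_PATTERN from the menu in a KMSAN build and the help text gives no hint why; one sentence in the help block (e.g. "Not available together with KMSAN, which needs to observe uninitialized stack variables") would spare the next person a trip through git blame.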
@@ -124,6 +125,7 @@  choice
 	config INIT_STACK_ALL_ZERO
 		bool "zero-init everything (strongest and safest)"
 		depends on CC_HAS_AUTO_VAR_INIT_ZERO
+		depends on !KMSAN
 		help
 		  Initializes everything on the stack (including padding)
 		  with a zero value. This is intended to eliminate all
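Review bot: with both INIT_STACK_ALL_* entries hidden, this `choice` needs a default that is still selectable under KMSAN; the `default` line is outside the hunk, so please confirm it resolves to an option that does not depend on !KMSAN (INIT_STACK_NONE or one of the plugin-based entries) rather than to a symbol that is now invisible in KMSAN configs.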
@@ -208,6 +210,7 @@  config STACKLEAK_RUNTIME_DISABLE
 
 config INIT_ON_ALLOC_DEFAULT_ON
 	bool "Enable heap memory zeroing on allocation by default"
+	depends on !KMSAN
 	help
 	  This has the effect of setting "init_on_alloc=1" on the kernel
 	  command line. This can be disabled with "init_on_alloc=0".
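Review bot: the help text still only documents `init_on_alloc=0` as the override; since the commit message keeps the command-line path open under KMSAN with just a boot-time message, add a line here saying the default is unavailable with KMSAN and that forcing it on the command line makes KMSAN miss reports, so the Kconfig help and the message in mm/page_alloc.c tell the same story.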
@@ -220,6 +223,7 @@  config INIT_ON_ALLOC_DEFAULT_ON
 
 config INIT_ON_FREE_DEFAULT_ON
 	bool "Enable heap memory zeroing on free by default"
+	depends on !KMSAN
 	help
 	  This has the effect of setting "init_on_free=1" on the kernel
 	  command line. This can be disabled with "init_on_free=0".