From patchwork Mon Nov 2 16:04:18 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrey Konovalov X-Patchwork-Id: 11874349 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4735C92A for ; Mon, 2 Nov 2020 16:07:13 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id E57312074F for ; Mon, 2 Nov 2020 16:07:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="eK4arbIO" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E57312074F Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 123B86B0089; Mon, 2 Nov 2020 11:07:04 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 0A9CF6B008C; Mon, 2 Nov 2020 11:07:04 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E8F916B0098; Mon, 2 Nov 2020 11:07:03 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0199.hostedemail.com [216.40.44.199]) by kanga.kvack.org (Postfix) with ESMTP id B32616B0089 for ; Mon, 2 Nov 2020 11:07:03 -0500 (EST) Received: from smtpin18.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 2C926181AEF09 for ; Mon, 2 Nov 2020 16:07:03 +0000 (UTC) X-FDA: 77439957126.18.stone82_020a259272b1 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin18.hostedemail.com (Postfix) with ESMTP id 96F2E10042602 for ; Mon, 2 Nov 2020 16:05:59 +0000 (UTC) X-Spam-Summary: 1,0,0,68f4c9b25538aad8,d41d8cd98f00b204,3zi6gxwokcecjwm0n7tw4upxxpun.lxvurw36-vvt4jlt.x0p@flex--andreyknvl.bounces.google.com,,RULES_HIT:2:41:69:152:355:379:541:800:960:966:973:988:989:1042:1260:1277:1313:1314:1345:1359:1431:1437:1516:1518:1535:1593:1594:1605:1730:1747:1777:1792:2196:2199:2393:2553:2559:2562:2918:3138:3139:3140:3141:3142:3152:3865:3866:3867:3868:3870:3871:3872:3874:4049:4120:4250:4321:4385:4605:5007:6261:6653:6742:7875:7904:8603:9969:10004:11026:11232:11233:11473:11658:11914:12043:12296:12297:12438:12555:12895:12986:14096:14097:14394:14659:21080:21365:21433:21444:21451:21627:21772:21939:21966:21990:30012:30054:30055:30062:30070:30090,0,RBL:209.85.219.201:@flex--andreyknvl.bounces.google.com:.lbl8.mailshell.net-66.100.201.100 62.18.0.100;04yfote55q8tj6x4jj9z6fur3494oypg6h3aw3c6jw4n46wa9wfi63igikwn4xe.fhz5y1wosmj1pdj6pdup5o9ikpqaqdcj1krip8xjobwbtwm5937uzk1ipwf5kxx.1-lbl8.mailshell.net-223.238.255.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:no ne,Domai X-HE-Tag: stone82_020a259272b1 X-Filterd-Recvd-Size: 9888 Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) by imf03.hostedemail.com (Postfix) with ESMTP for ; Mon, 2 Nov 2020 16:05:59 +0000 (UTC) Received: by mail-yb1-f201.google.com with SMTP id b189so14673629ybh.5 for ; Mon, 02 Nov 2020 08:05:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=sender:date:in-reply-to:message-id:mime-version:references:subject :from:to:cc; bh=C6Op3yFR6sxPD/1lbh7YRsoWm4fdKowdqrD7aVgHz7A=; b=eK4arbIOS/5CHXcBJkTH59HHa0MKkTascEGPXT+1ixgKvZv0bcE/6+XhQsfyK7wfNV XWVq1H7NQIUKj0Ym6RDI+B1A42pL3f6o6yiDf6bCPcjVo+Q4nSzm0sJcwBmsZ3znAvub o/CVyctUdC6pdZZlwWHfOP2logitn0/CKWxGPG1vN5U2YXZoWxBdHUo2KUfnH7+w56UT T9YY/6+sF/oAXKcgriNid4j+mOWnf/THnMpVaYTNZqq+If84CMuhJK7MkrvfI0oSvxB0 k1RP6xh8iOPCnXqqTduFHiZTfh08Q0JpkFFCmCQjHMpGVdi0FeAZmbUu0bNn/7Xd22Ue wj8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=C6Op3yFR6sxPD/1lbh7YRsoWm4fdKowdqrD7aVgHz7A=; b=k71KYntbP/wQPHXx4epI2x5ZqDWMoc6Qy7tybNbFwZFzqhaVJF1cCyEQrvSuqyTuj2 gXiotn4VYakou3I9oiSkC7c4jcvkEsMBcIdkrohBaPWg9CEzKEuDAniSlDFIFqDFX+FY YK1oy6Z17/By1JmiTMyflm6vx0ARSp/1TgtHzlFtxvKuV5zWoREAgV7mwv1KmqTD0gEJ JJ3bWb61ICSN0w9zouvrv2Ft+yXkVN4Y5ONiezLUeKBulaZQH6DaN+JZt9zEkwEOTo8G yy01NoMKHb9f3SwKM/Z6UjA0CqqUIJr1TGT65HPsXLDsWJ6IVv0gmsdwuy206EW5WmyY 24NA== X-Gm-Message-State: AOAM5314PittFFChreJ6gptCVoUXX+19qwV4t3+zCRbioaD6BrUodo9V DJwwBAtherc/UIucTD2gdXqnayKW8U4G61Pj X-Google-Smtp-Source: ABdhPJyZJ/CYYJqXZkKp1UOBlXcHvrdLsNlEtg7oTktfVAwxxBNv7ahUE7dmUZPZiQ1e0fUVJdTQV1KPO3eI7u/q X-Received: from andreyknvl3.muc.corp.google.com ([2a00:79e0:15:13:7220:84ff:fe09:7e9d]) (user=andreyknvl job=sendgmr) by 2002:a25:d284:: with SMTP id j126mr21605003ybg.220.1604333158481; Mon, 02 Nov 2020 08:05:58 -0800 (PST) Date: Mon, 2 Nov 2020 17:04:18 +0100 In-Reply-To: Message-Id: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.29.1.341.ge80a0c044ae-goog Subject: [PATCH v7 38/41] kasan, mm: reset tags when accessing metadata From: Andrey Konovalov To: Catalin Marinas , Will Deacon Cc: Vincenzo Frascino , kasan-dev@googlegroups.com, Dmitry Vyukov , Andrey Ryabinin , Alexander Potapenko , Marco Elver , Evgenii Stepanov , Elena Petrova , Branislav Rankov , Kevin Brodsky , Andrew Morton , linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Kernel allocator code accesses metadata for slab objects, that may lie out-of-bounds of the object itself, or be accessed when an object is freed. Such accesses trigger tag faults and lead to false-positive reports with hardware tag-based KASAN. Software KASAN modes disable instrumentation for allocator code via KASAN_SANITIZE Makefile macro, and rely on kasan_enable/disable_current() annotations which are used to ignore KASAN reports. With hardware tag-based KASAN neither of those options are available, as it doesn't use compiler instrumetation, no tag faults are ignored, and MTE is disabled after the first one. Instead, reset tags when accessing metadata (currently only for SLUB). Signed-off-by: Andrey Konovalov Signed-off-by: Vincenzo Frascino Acked-by: Marco Elver --- Change-Id: I39f3c4d4f29299d4fbbda039bedf230db1c746fb --- mm/page_alloc.c | 4 +++- mm/page_poison.c | 2 +- mm/slub.c | 29 ++++++++++++++++------------- 3 files changed, 20 insertions(+), 15 deletions(-) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 23f5066bd4a5..6231a6e456cf 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -1195,8 +1195,10 @@ static void kernel_init_free_pages(struct page *page, int numpages) /* s390's use of memset() could override KASAN redzones. */ kasan_disable_current(); - for (i = 0; i < numpages; i++) + for (i = 0; i < numpages; i++) { + page_kasan_tag_reset(page + i); clear_highpage(page + i); + } kasan_enable_current(); } diff --git a/mm/page_poison.c b/mm/page_poison.c index ae0482cded87..e6c994af7518 100644 --- a/mm/page_poison.c +++ b/mm/page_poison.c @@ -53,7 +53,7 @@ static void poison_page(struct page *page) /* KASAN still think the page is in-use, so skip it. */ kasan_disable_current(); - memset(addr, PAGE_POISON, PAGE_SIZE); + memset(kasan_reset_tag(addr), PAGE_POISON, PAGE_SIZE); kasan_enable_current(); kunmap_atomic(addr); } diff --git a/mm/slub.c b/mm/slub.c index b30be2385d1c..df2fd5b57df1 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -249,7 +249,7 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr, { #ifdef CONFIG_SLAB_FREELIST_HARDENED /* - * When CONFIG_KASAN_SW_TAGS is enabled, ptr_addr might be tagged. + * When CONFIG_KASAN_SW/HW_TAGS is enabled, ptr_addr might be tagged. * Normally, this doesn't cause any issues, as both set_freepointer() * and get_freepointer() are called with a pointer with the same tag. * However, there are some issues with CONFIG_SLUB_DEBUG code. For @@ -275,6 +275,7 @@ static inline void *freelist_dereference(const struct kmem_cache *s, static inline void *get_freepointer(struct kmem_cache *s, void *object) { + object = kasan_reset_tag(object); return freelist_dereference(s, object + s->offset); } @@ -304,6 +305,7 @@ static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp) BUG_ON(object == fp); /* naive detection of double free or corruption */ #endif + freeptr_addr = (unsigned long)kasan_reset_tag((void *)freeptr_addr); *(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr); } @@ -538,8 +540,8 @@ static void print_section(char *level, char *text, u8 *addr, unsigned int length) { metadata_access_enable(); - print_hex_dump(level, text, DUMP_PREFIX_ADDRESS, 16, 1, addr, - length, 1); + print_hex_dump(level, kasan_reset_tag(text), DUMP_PREFIX_ADDRESS, + 16, 1, addr, length, 1); metadata_access_disable(); } @@ -570,7 +572,7 @@ static struct track *get_track(struct kmem_cache *s, void *object, p = object + get_info_end(s); - return p + alloc; + return kasan_reset_tag(p + alloc); } static void set_track(struct kmem_cache *s, void *object, @@ -583,7 +585,8 @@ static void set_track(struct kmem_cache *s, void *object, unsigned int nr_entries; metadata_access_enable(); - nr_entries = stack_trace_save(p->addrs, TRACK_ADDRS_COUNT, 3); + nr_entries = stack_trace_save(kasan_reset_tag(p->addrs), + TRACK_ADDRS_COUNT, 3); metadata_access_disable(); if (nr_entries < TRACK_ADDRS_COUNT) @@ -747,7 +750,7 @@ static __printf(3, 4) void slab_err(struct kmem_cache *s, struct page *page, static void init_object(struct kmem_cache *s, void *object, u8 val) { - u8 *p = object; + u8 *p = kasan_reset_tag(object); if (s->flags & SLAB_RED_ZONE) memset(p - s->red_left_pad, val, s->red_left_pad); @@ -777,7 +780,7 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page, u8 *addr = page_address(page); metadata_access_enable(); - fault = memchr_inv(start, value, bytes); + fault = memchr_inv(kasan_reset_tag(start), value, bytes); metadata_access_disable(); if (!fault) return 1; @@ -873,7 +876,7 @@ static int slab_pad_check(struct kmem_cache *s, struct page *page) pad = end - remainder; metadata_access_enable(); - fault = memchr_inv(pad, POISON_INUSE, remainder); + fault = memchr_inv(kasan_reset_tag(pad), POISON_INUSE, remainder); metadata_access_disable(); if (!fault) return 1; @@ -1118,7 +1121,7 @@ void setup_page_debug(struct kmem_cache *s, struct page *page, void *addr) return; metadata_access_enable(); - memset(addr, POISON_INUSE, page_size(page)); + memset(kasan_reset_tag(addr), POISON_INUSE, page_size(page)); metadata_access_disable(); } @@ -1566,10 +1569,10 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s, * Clear the object and the metadata, but don't touch * the redzone. */ - memset(object, 0, s->object_size); + memset(kasan_reset_tag(object), 0, s->object_size); rsize = (s->flags & SLAB_RED_ZONE) ? s->red_left_pad : 0; - memset((char *)object + s->inuse, 0, + memset((char *)kasan_reset_tag(object) + s->inuse, 0, s->size - s->inuse - rsize); } @@ -2883,10 +2886,10 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s, stat(s, ALLOC_FASTPATH); } - maybe_wipe_obj_freeptr(s, object); + maybe_wipe_obj_freeptr(s, kasan_reset_tag(object)); if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object) - memset(object, 0, s->object_size); + memset(kasan_reset_tag(object), 0, s->object_size); slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);