From patchwork Tue Jan 17 16:35:43 2023
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 13104864
From: Jann Horn
To: Andrew Morton, linux-mm@kvack.org
Cc: Uladzislau Rezki, Christoph Hellwig, Andy Lutomirski, linux-kernel@vger.kernel.org, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, kasan-dev@googlegroups.com
Subject: [PATCH] fork, vmalloc: KASAN-poison backing pages of vmapped stacks
Date: Tue, 17 Jan 2023 17:35:43 +0100
Message-Id: <20230117163543.1049025-1-jannh@google.com>

KASAN (except in HW_TAGS mode) tracks memory state based on virtual
addresses. The mappings of kernel stack pages in the linear mapping are
currently marked as fully accessible.
Since stack corruption issues can cause some very gnarly errors, let's be
extra careful and tell KASAN to forbid accesses to stack memory through
the linear mapping.

Signed-off-by: Jann Horn
---
I wrote this after seeing
https://lore.kernel.org/all/Y8W5rjKdZ9erIF14@casper.infradead.org/ and
wondering about possible ways that this kind of stack corruption could be
sneaking past KASAN. That's proooobably not the explanation, but still...

 include/linux/vmalloc.h |  6 ++++++
 kernel/fork.c           | 10 ++++++++++
 mm/vmalloc.c            | 24 ++++++++++++++++++++++++
 3 files changed, 40 insertions(+)


base-commit: 5dc4c995db9eb45f6373a956eb1f69460e69e6d4
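The commit message above rests on one property of generic and SW_TAGS KASAN: the shadow is keyed by virtual address, so a physical page reachable through two aliases (the vmalloc mapping of the stack and the linear mapping of its backing page) has two independent shadow states, and only the patch's extra poisoning step closes the linear-map alias. The following is an added toy model of that encoding written for this review, not kernel code and not part of the patch; the addresses, the 0xFF poison value and the function names are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Added model of generic KASAN's shadow encoding, not kernel code. One shadow
 * byte covers an 8-byte granule: 0 = all accessible, 1..7 = first N bytes
 * accessible, 0xFF = poisoned (constructed stand-in for the free-page poison).
 * One constructed backing page is visible through two virtual aliases. */
#define GRANULE        8
#define PAGE_SIZE      4096
#define SHADOW_POISON  0xFF
#define VMALLOC_STACK  0x10000u   /* constructed vmalloc-area address */
#define LINEAR_STACK   0x20000u   /* constructed linear-map address */

static uint8_t shadow[(LINEAR_STACK + PAGE_SIZE) / GRANULE]; /* keyed by vaddr */
static uint8_t *mem_to_shadow(uintptr_t addr) { return &shadow[addr / GRANULE]; }

/* Mark [addr, addr+size) with value; size is a whole number of granules. */
static void shadow_poison(uintptr_t addr, size_t size, uint8_t value) { memset(mem_to_shadow(addr), value, size / GRANULE); }

/* Mark [addr, addr+size) accessible, encoding a trailing partial granule. */
static void shadow_unpoison(uintptr_t addr, size_t size)
{
    memset(mem_to_shadow(addr), 0, size / GRANULE);
    if (size % GRANULE)
        *mem_to_shadow(addr + size - size % GRANULE) = size % GRANULE;
}

/* True if an access to [addr, addr+size) would be reported by KASAN. */
static bool access_is_bad(uintptr_t addr, size_t size)
{
    for (uintptr_t a = addr; a < addr + size; a++) {
        uint8_t s = *mem_to_shadow(a);
        if (s && (s == SHADOW_POISON || a % GRANULE >= s))
            return true;
    }
    return false;
}

/* Before the patch: from the all-poisoned (freed) state, the page allocator
 * unpoisons the linear alias and vmalloc unpoisons the vmalloc alias. */
static void stack_alloc_without_patch(void)
{
    memset(shadow, SHADOW_POISON, sizeof shadow);
    shadow_unpoison(LINEAR_STACK, PAGE_SIZE);
    shadow_unpoison(VMALLOC_STACK, PAGE_SIZE);
}

/* The patch's extra step: re-poison only the linear-map alias of the stack. */
static void poison_backing_pages(void) { shadow_poison(LINEAR_STACK, PAGE_SIZE, SHADOW_POISON); }
```

After `stack_alloc_without_patch()` both aliases pass `access_is_bad()` silently; after `poison_backing_pages()` only the linear alias is reported, while the vmalloc alias (including its partial-granule encoding) is unaffected.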
diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h index 096d48aa3437..bfb50178e5e3 100644 --- a/include/linux/vmalloc.h +++ b/include/linux/vmalloc.h @@ -297,4 +297,10 @@ bool vmalloc_dump_obj(void *object); static inline bool vmalloc_dump_obj(void *object) { return false; } #endif +#if defined(CONFIG_MMU) && (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) +void vmalloc_poison_backing_pages(const void *addr); +#else +static inline void vmalloc_poison_backing_pages(const void *addr) {} +#endif + #endif /* _LINUX_VMALLOC_H */ diff --git a/kernel/fork.c b/kernel/fork.c index 9f7fe3541897..5c8c103a3597 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -321,6 +321,16 @@ static int alloc_thread_stack_node(struct task_struct *tsk, int node) vfree(stack); return -ENOMEM; } + + /* + * A virtually-allocated stack's memory should only be accessed through + * the vmalloc area, not through the linear mapping. + * Inform KASAN that all accesses through the linear mapping should be + * reported (instead of permitting all accesses through the linear + * mapping). + */ + vmalloc_poison_backing_pages(stack); + /* * We can't call find_vm_area() in interrupt context, and * free_thread_stack() can be called in interrupt context, diff --git a/mm/vmalloc.c b/mm/vmalloc.c index ca71de7c9d77..10c79c53cf5c 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c 
@@ -4042,6 +4042,30 @@ void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms) } #endif /* CONFIG_SMP */ +#if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) +/* + * Poison the KASAN shadow for the linear mapping of the pages used as stack + * memory. + * NOTE: This makes no sense in HW_TAGS mode because HW_TAGS marks physical + * memory, not virtual memory. + */ +void vmalloc_poison_backing_pages(const void *addr) +{ + struct vm_struct *area; + int i; + + if (WARN(!PAGE_ALIGNED(addr), "bad address (%p)\n", addr)) + return; + + area = find_vm_area(addr); + if (WARN(!area, "nonexistent vm area (%p)\n", addr)) + return; + + for (i = 0; i < area->nr_pages; i++) + kasan_poison_pages(area->pages[i], 0, false); +} +#endif + #ifdef CONFIG_PRINTK bool vmalloc_dump_obj(void *object) {
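Review bot: in the include/linux/vmalloc.h hunk the declaration is guarded by `defined(CONFIG_MMU) && (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS))`, while the definition in the mm/vmalloc.c hunk tests only the KASAN half. That is consistent today because mm/vmalloc.c is only built with CONFIG_MMU, but the asymmetry is easy to break later; either use the same condition in both places or add a one-line comment in the .c file saying why the MMU test is omitted. The new prototype also has no kernel-doc: a short comment stating that `addr` must be a page-aligned vmalloc address and that the call is a no-op under HW_TAGS (and on !MMU, where the inline stub applies) would help any caller outside kernel/fork.c.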
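Review bot: in the kernel/fork.c hunk, `vmalloc_poison_backing_pages(stack)` takes the stack address and, per the mm/vmalloc.c hunk, performs its own `find_vm_area()` lookup, yet the unchanged comment immediately below ("We can't call find_vm_area() in interrupt context ... so cache the vm_struct") shows the caller already has the area's `struct vm_struct` at this point. Passing it instead, e.g. `vmalloc_poison_backing_pages(vm)`, would avoid the redundant lookup and make the `bad address` / `nonexistent vm area` WARN paths in the helper unnecessary. The new block comment could also mention that poisoning is done once here, at allocation in `alloc_thread_stack_node()`, so the linear-map shadow state is established before the stack is ever handed to a task.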
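Review bot: in the mm/vmalloc.c hunk the helper only ever poisons; nothing in the patch unpoisons the linear-map shadow of `area->pages[]` before those pages go back to the page allocator on `vfree()`, so the commit message should spell out that the page allocator's unpoisoning of freshly allocated pages is what makes the lingering poison safe, or the patch should add a matching unpoison before the pages are released. The loop also passes order 0 to `kasan_poison_pages()` for every entry, i.e. it assumes `area->pages[]` holds base-page entries; that holds for the stacks allocated in kernel/fork.c, but since the function is declared as a general vmalloc API the comment above it should state the assumption. Minor: both `WARN()` messages print the address with `%p`, which is hashed, so the printed value is of limited use when the warning fires.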