| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Nov 2017 10:09:11 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Andy Lutomirski <luto@...nel.org>
Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
kasan-dev <kasan-dev@...glegroups.com>, X86 ML <x86@...nel.org>,
Borislav Petkov <bpetkov@...e.de>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Brian Gerst <brgerst@...il.com>,
Dave Hansen <dave.hansen@...el.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Josh Poimboeuf <jpoimboe@...hat.com>
Subject: Re: KASAN help, please (Re: [PATCH 00/16] Entry stuff, in decent
shape now)
On Mon, Nov 20, 2017 at 10:44 PM, Andy Lutomirski <luto@...nel.org> wrote:
> On Mon, Nov 20, 2017 at 9:07 AM, Andy Lutomirski <luto@...nel.org> wrote:
>> This sets up stack switching, including for SYSCALL. I think it's
>> in decent shape.
>>
>> Known issues:
>> - KASAN is likely to be busted. This could be fixed either by teaching
>> KASAN that cpu_entry_area contains valid stacks (I have no clue how
>> to go about doing this) or by rigging up the IST entry code to switch
>> RSP to point to the direct-mapped copy of the stacks before calling
>> into non-KASAN-excluded C code.
>>
>
> I tried to fix the KASAN issue, and I'm doing something wrong. I'm
> building this tree:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/commit/?h=x86/entry_stack&id=8319677bd04a1ab291ca71fe1da7aa023306e4a9
>
> for 64 bits with KASAN on. The relevant commit is:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/commit/?h=x86/entry_stack&id=a4bdb48c3469708b6b51e5ab90d27bf0c859000c
>
> If I run tools/testing/selftests/single_step_syscall_32, then the
> kernel goes into lala land and infinite loops. The root cause seems
> to we're hitting do_debug with RSP pointing into the fixmap,
> specifically in the cpu_entry_area's exception stack, with a value of
> roughly 0xffffffffff1bd108. The KASAN instrumentation in do_debug is
> then getting a page fault. I think my KASAN setup code should be
> populating the KASAN data there and, indeed, gdb seems to be able to
> access the faulting address. So I'm confused.
Hi,
I don't have any great insights.
You have stack instrumentation turned on, right? And the fault happens
on stack instrumentation?
Stack instrumentation is turned on with gcc7+ I think. And as the
result compiler adds redzones on stack and poisons/unpoisons shadow
for them in function prologue/epilogue.
The fact that KASAN instrumentation faults, but gdb can access it
sounds strange. KASAN instrumentation is no magic, it just does not a
normal memory load. Please check exact faulting address. KASAN can do
accesses with large offset from RSP.
Does the fault happen before/after kasan_early_init? Before that there
is a different bootstrap shadow mapped by kasan_map_early_shadow.
Does the fault happen on read access or write access? Stack
instrumentation does write into shadow, but some parts of shadow are
mapped with a single read-only page. Can gdb write to that address?
Is it possible that the stack has overflowed? I see that we increase
EXCEPTION_STACK_ORDER by order 1 under KASAN (from 4k page to 8k
pages), but it may be not enough. Normal stacks are increased from 16k
to 32k.
Last stupid question: why is it -1 here:
FIX_CPU_ENTRY_AREA_BOTTOM = FIX_CPU_ENTRY_AREA_TOP +
(CPU_ENTRY_AREA_PAGES * NR_CPUS) - 1,
?
Say CPU_ENTRY_AREA_PAGES=1 (we need only 1 page) and NR_CPUS=1, then
the increment will be 0, which looks wrong for any case (must be at
least 1, right?).
Powered by blists - more mailing lists