lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 23 Nov 2023 09:39:39 +0900
From:   Hyeonggon Yoo <42.hyeyoo@...il.com>
To:     andrey.konovalov@...ux.dev
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Andrey Konovalov <andreyknvl@...il.com>,
        Marco Elver <elver@...gle.com>,
        Alexander Potapenko <glider@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Vlastimil Babka <vbabka@...e.cz>, kasan-dev@...glegroups.com,
        Evgenii Stepanov <eugenis@...gle.com>,
        Oscar Salvador <osalvador@...e.de>,
        Feng Tang <feng.tang@...el.com>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org,
        Andrey Konovalov <andreyknvl@...gle.com>
Subject: Re: [PATCH mm] slub, kasan: improve interaction of KASAN and
 slub_debug poisoning

On Thu, Nov 23, 2023 at 8:12 AM <andrey.konovalov@...ux.dev> wrote:
>
> From: Andrey Konovalov <andreyknvl@...gle.com>
>
> When both KASAN and slub_debug are enabled, when a free object is being
> prepared in setup_object, slub_debug poisons the object data before KASAN
> initializes its per-object metadata.
>
> Right now, in setup_object, KASAN only initializes the alloc metadata,
> which is always stored outside of the object. slub_debug is aware of
> this and it skips poisoning and checking that memory area.
>
> However, with the following patch in this series, KASAN also starts
> initializing its free medata in setup_object. As this metadata might be
> stored within the object, this initialization might overwrite the
> slub_debug poisoning. This leads to slub_debug reports.
>
> Thus, skip checking slub_debug poisoning of the object data area that
> overlaps with the in-object KASAN free metadata.
>
> Also make slub_debug poisoning of tail kmalloc redzones more precise when
> KASAN is enabled: slub_debug can still poison and check the tail kmalloc
> allocation area that comes after the KASAN free metadata.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@...gle.com>

Thank you for looking at this quickly!
Unfortunately the problem isn't fixed yet with the patch.

I applied this on top of linux-next and built a kernel with the same config,
it is still stuck at boot.

[dmesg]

[    0.000000] Linux version
6.7.0-rc2-next-20231122-00001-gfc1613c2f6f3
(hyeyoo@...alhost.localdomain) (gcc (GCC) 11.33
[    0.000000] Command line: console=ttyS0 root=/dev/sda1 nokaslr
[    0.000000] RIP: 0010:setup_arch (arch/x86/kernel/setup.c:443
arch/x86/kernel/setup.c:665 arch/x86/kernel/setup.c:81
[ 0.000000] Code: b6 0a 08 00 48 89 c5 48 85 c0 0f 84 58 13 00 00 48
c1 e8 03 48 83 05 4e a9 66 00 01 80 3c 18 00 0f3

Code starting with the faulting instruction
===========================================
   0:   b6 0a                   mov    $0xa,%dh
   2:   08 00                   or     %al,(%rax)
   4:   48 89 c5                mov    %rax,%rbp
   7:   48 85 c0                test   %rax,%rax
   a:   0f 84 58 13 00 00       je     0x1368
  10:   48 c1 e8 03             shr    $0x3,%rax
  14:   48 83 05 4e a9 66 00    addq   $0x1,0x66a94e(%rip)        # 0x66a96a
  1b:   01
  1c:   80 3c 18 00             cmpb   $0x0,(%rax,%rbx,1)
  20:   f3                      repz
[    0.000000] RSP: 0000:ffffffff86207e00 EFLAGS: 00010046 ORIG_RAX:
0000000000000009
[    0.000000] RAX: 1fffffffffe40069 RBX: dffffc0000000000 RCX: 1ffffffff1230a30
[    0.000000] RDX: 0000000000000000 RSI: 0107d62120059000 RDI: ffffffff89185180
[    0.000000] RBP: ffffffffff200348 R08: 8000000000000163 R09: 1ffffffff1230a28
[    0.000000] R10: ffffffff89194150 R11: 0000000000000000 R12: 0000000000000010
[    0.000000] R13: ffffffffff200354 R14: 0107d62120058348 R15: 0107d62120058348
[    0.000000] FS:  0000000000000000(0000) GS:ffffffff88f75000(0000)
knlGS:0000000000000000
[    0.000000] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    0.000000] CR2: ffffffffff200348 CR3: 0000000009128000 CR4: 00000000000000b0
[    0.000000] Call Trace:
[    0.000000]  <TASK>
[    0.000000] ? show_regs (arch/x86/kernel/dumpstack.c:478)
[    0.000000] ? early_fixup_exception (arch/x86/mm/extable.c:364)
[    0.000000] ? do_early_exception (arch/x86/kernel/head64.c:423)
[    0.000000] ? early_idt_handler_common (arch/x86/kernel/head_64.S:555)
[    0.000000] ? setup_arch (arch/x86/kernel/setup.c:443
arch/x86/kernel/setup.c:665 arch/x86/kernel/setup.c:814)
[    0.000000] ? __pfx_setup_arch (arch/x86/kernel/setup.c:728)
[    0.000000] ? vprintk_default (kernel/printk/printk.c:2318)
[    0.000000] ? vprintk (kernel/printk/printk_safe.c:45)
[    0.000000] ? _printk (kernel/printk/printk.c:2328)
[    0.000000] ? __pfx__printk (kernel/printk/printk.c:2323)
[    0.000000] ? init_cgroup_root (kernel/cgroup/cgroup.c:2054)
[    0.000000] ? cgroup_init_early (kernel/cgroup/cgroup.c:6077
(discriminator 13))
[    0.000000] ? start_kernel (init/main.c:897 (discriminator 3))
[    0.000000] ? x86_64_start_reservations (arch/x86/kernel/head64.c:543)
[    0.000000] ? x86_64_start_kernel (arch/x86/kernel/head64.c:536)
[    0.000000] ? secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:432)
[    0.000000]  </TASK>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ