| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250416180440.231949-1-smostafa@google.com> Date: Wed, 16 Apr 2025 18:04:30 +0000 From: Mostafa Saleh <smostafa@...gle.com> To: kvmarm@...ts.linux.dev, kasan-dev@...glegroups.com, linux-hardening@...r.kernel.org, linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org Cc: will@...nel.org, maz@...nel.org, oliver.upton@...ux.dev, broonie@...nel.org, catalin.marinas@....com, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com, kees@...nel.org, elver@...gle.com, andreyknvl@...il.com, ryabinin.a.a@...il.com, akpm@...ux-foundation.org, yuzenghui@...wei.com, suzuki.poulose@....com, joey.gouly@....com, masahiroy@...nel.org, nathan@...nel.org, nicolas.schier@...ux.dev, Mostafa Saleh <smostafa@...gle.com> Subject: [PATCH 0/4] KVM: arm64: UBSAN at EL2 Many of the sanitizers the kernel supports are disabled when running in EL2 with nvhe/hvhe/proctected modes, some of those are easier (and makes more sense) to integrate than others. Last year, kCFI support was added in [1] This patchset adds support for UBSAN in EL2. UBSAN can run in 2 modes: 1) “Normal” (CONFIG_UBSAN_TRAP=n): In this mode the compiler will do the UBSAN checks and insert some function calls in case of failures, it can provide more information(ex: what is the value of the out of bound) about the failures through those function arguments, and those functions(implemented in lib/ubsan.c) will print a report with such errors. 2) Trap (CONFIG_UBSAN_TRAP=y): This is a minimal mode, where similarly, the compiler will do the checks, but instead of doing function calls, it would do a “brk #imm” (for ARM64) with a unique code with the failure type, but without any extra information (ex: only print the out-bound line but not the index) For nvhe/hvhe/proctected modes, #2 would be suitable, as there is no way to print reports from EL2, so similarly to kCFI(even with permissive) it would cause the hypervisor to panic. But that means that for EL2 we need to compile the code with the same options as used by “CONFIG_UBSAN_TRAP” independently from the kernel config. This patch series adds a new KCONFIG for ARM64 to choose to enable UBSAN separately for the modes mentioned. The same logic decoding the kernel UBSAN is reused, so the messages from the hypervisor will look similar as: [ 29.215332] kvm [190]: nVHE hyp UBSAN: array index out of bounds at: [<ffff8000811f2344>] __kvm_nvhe_handle___pkvm_init_vm+0xa8/0xac! In this patch set, the same UBSAN options(for check types) are used for both EL1/EL2, although a case can be made to have separate options (leading to totally separate CFLAGS) if we want EL2 to be compiled with stricter checks for something as protected mode. However, re-using the current flags, makes code re-use easier for report_ubsan_failure() and Makefile.ubsan [1] https://lore.kernel.org/all/20240610063244.2828978-1-ptosi@google.com/ Mostafa Saleh (4): arm64: Introduce esr_is_ubsan_brk() ubsan: Remove regs from report_ubsan_failure() KVM: arm64: Introduce CONFIG_UBSAN_KVM_EL2 KVM: arm64: Handle UBSAN faults arch/arm64/include/asm/esr.h | 5 +++++ arch/arm64/kernel/traps.c | 4 ++-- arch/arm64/kvm/handle_exit.c | 6 ++++++ arch/arm64/kvm/hyp/nvhe/Makefile | 6 ++++++ arch/x86/kernel/traps.c | 2 +- include/linux/ubsan.h | 6 +++--- lib/Kconfig.ubsan | 9 +++++++++ lib/ubsan.c | 8 +++++--- scripts/Makefile.ubsan | 5 ++++- 9 files changed, 41 insertions(+), 10 deletions(-) -- 2.49.0.604.gff1f9ca942-goog
Powered by blists - more mailing lists