| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Oct 2015 17:15:35 +0300
From: Andrey Ryabinin <aryabinin@...tuozzo.com>
To: Dmitry Vyukov <dvyukov@...gle.com>, Ingo Molnar <mingo@...nel.org>
CC: LKML <linux-kernel@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
"H. Peter Anvin" <hpa@...or.com>,
"x86@...nel.org" <x86@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Andy Lutomirski <luto@...capital.net>,
Andrey Konovalov <andreyknvl@...gle.com>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
kasan-dev <kasan-dev@...glegroups.com>,
Borislav Petkov <bp@...en8.de>,
Denys Vlasenko <dvlasenk@...hat.com>,
Andi Kleen <ak@...ux.intel.com>,
Sasha Levin <sasha.levin@...cle.com>,
Wolfram Gloger <wmglo@...t.med.uni-muenchen.de>
Subject: Re: [PATCH v2 2/2] x86/process: Silence KASAN warnings in get_wchan()
On 10/13/2015 04:57 PM, Dmitry Vyukov wrote:
> On Tue, Oct 13, 2015 at 3:48 PM, Ingo Molnar <mingo@...nel.org> wrote:
>>
>> * Andrey Ryabinin <aryabinin@...tuozzo.com> wrote:
>>
>>> get_wchan() is racy by design, it may access volatile stack
>>> of running task, thus it may access redzone in a stack frame
>>> and cause KASAN to warn about this.
>>>
>>> Use READ_ONCE_NOCHECK() to silence these warnings.
>>>
>>> Reported-by: Sasha Levin <sasha.levin@...cle.com>
>>> Signed-off-by: Andrey Ryabinin <aryabinin@...tuozzo.com>
>>> ---
>>> arch/x86/kernel/process.c | 6 +++---
>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
>>> index 39e585a..e28db18 100644
>>> --- a/arch/x86/kernel/process.c
>>> +++ b/arch/x86/kernel/process.c
>>> @@ -550,14 +550,14 @@ unsigned long get_wchan(struct task_struct *p)
>>> if (sp < bottom || sp > top)
>>> return 0;
>>>
>>> - fp = READ_ONCE(*(unsigned long *)sp);
>>> + fp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
>>> do {
>>> if (fp < bottom || fp > top)
>>> return 0;
>>> - ip = READ_ONCE(*(unsigned long *)(fp + sizeof(unsigned long)));
>>> + ip = READ_ONCE_NOCHECK(*(unsigned long *)(fp + sizeof(unsigned long)));
>>> if (!in_sched_functions(ip))
>>> return ip;
>>> - fp = READ_ONCE(*(unsigned long *)fp);
>>> + fp = READ_ONCE_NOCHECK(*(unsigned long *)fp);
>>> } while (count++ < 16 && p->state != TASK_RUNNING);
>>> return 0;
>>> }
>>
>> Hm, exactly how is the 'red zone' defined? Is this about the current task mostly,
>> or when doing get_wchan() on other tasks?
>
>
> When code is compiled with AddressSanitizer, most variables on stack
> have redzones around them, on entry function "poisons" these redzones
> (any accesses to them will be flagged), on exit function "unpoisons"
> these redzones.
>
An example bellow (stolen from slides - http://events.linuxfoundation.org/sites/events/files/slides/LinuxCon%20North%20America%202015%20KernelAddressSanitizer.pdf)
The following function:
void foo(void) {
char a[328];
...
a[i] = 0;
}
will be transform by GCC to something like this:
void foo(void) {
char redzone1[32];
char a[328];
char redzone2[24];
char redzone3[32];
int *shadow = (&redzone1 >> 3) + shadow_offset;
shadow[0] = 0xf1f1f1f1; // poison redzone1
shadow[11] = 0xf4f4f400; // poison redzone2
shadow[12] = 0xf3f3f3f3; // poison redzone3
...
__asan_store1(&a[i]); //check access to a[i]
a[i] = 0;
shadow[0] = shadow[11] = shadow[12] = 0; //unpoison redzones.
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists