lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 6 Mar 2019 14:57:28 +0100
From:   Peter Zijlstra <peterz@...radead.org>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        Julien Thierry <julien.thierry@....com>,
        Will Deacon <will.deacon@....com>,
        Andy Lutomirski <luto@...capital.net>,
        Ingo Molnar <mingo@...nel.org>,
        Catalin Marinas <catalin.marinas@....com>,
        James Morse <james.morse@....com>, valentin.schneider@....com,
        Brian Gerst <brgerst@...il.com>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Andy Lutomirski <luto@...nel.org>,
        Borislav Petkov <bp@...en8.de>,
        Denys Vlasenko <dvlasenk@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>
Subject: Re: [PATCH 1/8] kasan,x86: Frob kasan_report() in an exception

On Wed, Mar 06, 2019 at 02:39:33PM +0100, Dmitry Vyukov wrote:
> On Wed, Mar 6, 2019 at 2:13 PM Peter Zijlstra <peterz@...radead.org> wrote:

> > annotated:
> >
> > 0000 0000000000000150 <__asan_load1>:
> > 0000  150:      48 b8 ff ff ff ff ff    movabs $0xffff7fffffffffff,%rax
> > 0007  157:      7f ff ff
> > 000a  15a:      53                      push   %rbx
> 
> /\/\/\/\/\/\
> 
> This push is unpleasant on hot fast path. I think we need to move
> whole report cold path into a separate noinline function as it is now,
> and that function will do the magic with smap. Then this won't prevent
> tail calling and won't affect fast-path codegen.

It's a bit daft of GCC to do that anyway; since it only uses that rbx
thing in the cold path at __asan_load1+0x30.

But yes, that wants fixing or something. Then again; a kernel with KASAN
on is unbearable slow anyway.

> > 000b  15b:      48 8b 4c 24 08          mov    0x8(%rsp),%rcx
> > 0010  160:      48 39 c7                cmp    %rax,%rdi
> > 0013  163:      76 24                   jbe    189 <__asan_load1+0x39>
> > 0015  165:      48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
> > 001c  16c:      fc ff df
> > 001f  16f:      48 89 fa                mov    %rdi,%rdx
> > 0022  172:      48 c1 ea 03             shr    $0x3,%rdx
> > 0026  176:      0f b6 04 02             movzbl (%rdx,%rax,1),%eax
> > 002a  17a:      84 c0                   test   %al,%al
> > 002c  17c:      75 02                   jne    180 <__asan_load1+0x30>
> > 002e  17e:      5b                      pop    %rbx
> > 002f  17f:      c3                      retq

^^^ hot path, vvv cold path

> > 0030  180:      89 fa                   mov    %edi,%edx
> > 0032  182:      83 e2 07                and    $0x7,%edx
> > 0035  185:      38 d0                   cmp    %dl,%al
> > 0037  187:      7f f5                   jg     17e <__asan_load1+0x2e>
> > 0039  189:      9c                      pushfq
> > 003a  18a:      5b                      pop    %rbx
> > 003b  18b:      90                      nop
> > 003c  18c:      90                      nop
> > 003d  18d:      90                      nop
> > 003e  18e:      31 d2                   xor    %edx,%edx
> > 0040  190:      be 01 00 00 00          mov    $0x1,%esi
> > 0045  195:      e8 00 00 00 00          callq  19a <__asan_load1+0x4a>
> > 0046                    196: R_X86_64_PLT32     __kasan_report-0x4
> > 004a  19a:      53                      push   %rbx
> > 004b  19b:      9d                      popfq
> > 004c  19c:      5b                      pop    %rbx
> > 004d  19d:      c3                      retq

> > +static __always_inline
> > +void kasan_report(unsigned long addr, size_t size, bool is_write, unsigned long ip)
> > +{
> > +       unsigned long flags;
> > +
> > +       flags = smap_save();
> 
> Previously you said that messing with smap here causes boot errors.
> Shouldn't we do smap_save iff kasan_report_enabled? Otherwise we just
> bail out, so no need to enable/disable smap.
> 
> > +       __kasan_report(addr, size, is_write, ip);
> > +       smap_restore(flags);
> > +
> > +}

Ah, you think I booted this :-) Still, this is only PUSHF;CLAC, which I
think should actually work really early. It was that #UD thing that
didn't work early, simply because we'd not set up the exception vector
yet when first this happens.

> > --- a/mm/kasan/generic_report.c
> > +++ b/mm/kasan/generic_report.c
> > @@ -118,14 +118,14 @@ const char *get_bug_type(struct kasan_ac
> >  #define DEFINE_ASAN_REPORT_LOAD(size)                     \
> >  void __asan_report_load##size##_noabort(unsigned long addr) \
> >  {                                                         \
> > -       kasan_report(addr, size, false, _RET_IP_);        \
> > +       __kasan_report(addr, size, false, _RET_IP_);      \
> 
> Unless I am missing something, this seems to make this patch no-op. We
> fixed kasan_report for smap, but here we now use __kasan_report which
> is not fixed. So this won't work with smap again?..

I've not found callers of __asan_report_load* with AC=1 in the kernel
yet. Under what condtions does GCC emit calls to these functions?

Powered by blists - more mailing lists