| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190809123745.GG48423@lakrids.cambridge.arm.com>
Date: Fri, 9 Aug 2019 13:37:46 +0100
From: Mark Rutland <mark.rutland@....com>
To: Daniel Axtens <dja@...ens.net>
Cc: kasan-dev@...glegroups.com, linux-mm@...ck.org, x86@...nel.org,
aryabinin@...tuozzo.com, glider@...gle.com, luto@...nel.org,
linux-kernel@...r.kernel.org, dvyukov@...gle.com
Subject: Re: [PATCH v3 1/3] kasan: support backing vmalloc space with real
shadow memory
On Thu, Aug 08, 2019 at 02:50:37PM +0100, Mark Rutland wrote:
> From looking at this for a while, there are a few more things we should
> sort out:
> * We can use the split pmd locks (used by both x86 and arm64) to
> minimize contention on the init_mm ptl. As apply_to_page_range()
> doesn't pass the corresponding pmd in, we'll have to re-walk the table
> in the callback, but I suspect that's better than having all vmalloc
> operations contend on the same ptl.
Just to point out: I was wrong about this. We don't initialise the split
pmd locks for the kernel page tables, so we have to use the init_mm ptl.
I've fixed that up in my kasan/vmalloc branch as below, which works for
me on arm64 (with another patch to prevent arm64 from using early shadow
for the vmalloc area).
Thanks,
Mark.
----
static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, void *unused)
{
unsigned long page;
pte_t pte;
if (likely(!pte_none(*ptep)))
return 0;
page = __get_free_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
/*
* Ensure poisoning is visible before the shadow is made visible
* to other CPUs.
*/
smp_wmb();
spin_lock(&init_mm.page_table_lock);
if (likely(pte_none(*ptep))) {
set_pte_at(&init_mm, addr, ptep, pte);
page = 0;
}
spin_unlock(&init_mm.page_table_lock);
if (page)
free_page(page);
return 0;
}
int kasan_populate_vmalloc(unsigned long requested_size, struct vm_struct *area)
{
unsigned long shadow_start, shadow_end;
int ret;
shadow_start = (unsigned long)kasan_mem_to_shadow(area->addr);
shadow_start = ALIGN_DOWN(shadow_start, PAGE_SIZE);
shadow_end = (unsigned long)kasan_mem_to_shadow(area->addr + area->size),
shadow_end = ALIGN(shadow_end, PAGE_SIZE);
ret = apply_to_page_range(&init_mm, shadow_start,
shadow_end - shadow_start,
kasan_populate_vmalloc_pte, NULL);
if (ret)
return ret;
kasan_unpoison_shadow(area->addr, requested_size);
/*
* We have to poison the remainder of the allocation each time, not
* just when the shadow page is first allocated, because vmalloc may
* reuse addresses, and an early large allocation would cause us to
* miss OOBs in future smaller allocations.
*
* The alternative is to poison the shadow on vfree()/vunmap(). We
* don't because the unmapping the virtual addresses should be
* sufficient to find most UAFs.
*/
requested_size = round_up(requested_size, KASAN_SHADOW_SCALE_SIZE);
kasan_poison_shadow(area->addr + requested_size,
area->size - requested_size,
KASAN_VMALLOC_INVALID);
return 0;
}
Powered by blists - more mailing lists