lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <cc3a5a99-5c99-e526-a5e1-a566f8c412fb@arm.com>
Date:   Tue, 19 Jan 2021 18:58:11 +0000
From:   Vincenzo Frascino <vincenzo.frascino@....com>
To:     Andrey Konovalov <andreyknvl@...gle.com>
Cc:     Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        LKML <linux-kernel@...r.kernel.org>,
        kasan-dev <kasan-dev@...glegroups.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Leon Romanovsky <leonro@...lanox.com>
Subject: Re: [PATCH] kasan: Add explicit preconditions to kasan_report()

Hi Andrey,

On 1/19/21 6:27 PM, Andrey Konovalov wrote:
> On Tue, Jan 19, 2021 at 6:26 PM Vincenzo Frascino
> <vincenzo.frascino@....com> wrote:
>>
>> With the introduction of KASAN_HW_TAGS, kasan_report() dereferences
>> the address passed as a parameter.
>>
>> Add a comment to make sure that the preconditions to the function are
>> explicitly clarified.
>>
>> Note: An invalid address (e.g. NULL pointer address) passed to the
>> function when, KASAN_HW_TAGS is enabled, leads to a kernel panic.
>>
>> Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>
>> Cc: Alexander Potapenko <glider@...gle.com>
>> Cc: Dmitry Vyukov <dvyukov@...gle.com>
>> Cc: Leon Romanovsky <leonro@...lanox.com>
>> Cc: Andrey Konovalov <andreyknvl@...gle.com>
>> Signed-off-by: Vincenzo Frascino <vincenzo.frascino@....com>
>> ---
>>  mm/kasan/report.c | 11 +++++++++++
>>  1 file changed, 11 insertions(+)
>>
>> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
>> index c0fb21797550..2485b585004d 100644
>> --- a/mm/kasan/report.c
>> +++ b/mm/kasan/report.c
>> @@ -403,6 +403,17 @@ static void __kasan_report(unsigned long addr, size_t size, bool is_write,
>>         end_report(&flags);
>>  }
>>
>> +/**
>> + * kasan_report - report kasan fault details
>> + * @addr: valid address of the allocation where the tag fault was detected
>> + * @size: size of the allocation where the tag fault was detected
>> + * @is_write: the instruction that caused the fault was a read or write?
>> + * @ip: pointer to the instruction that cause the fault
>> + *
>> + * Note: When CONFIG_KASAN_HW_TAGS is enabled kasan_report() dereferences
>> + * the address to access the tags, hence it must be valid at this point in
>> + * order to not cause a kernel panic.
>> + */
> 
> It doesn't dereference the address, it just checks the tags, right?
> 

This is correct, just realized that the use of "dereference" here is misleading.

> Ideally, kasan_report() should survive that with HW_TAGS like with the
> other modes. The reason it doesn't is probably because of a blank
> addr_has_metadata() definition for HW_TAGS in mm/kasan/kasan.h. I
> guess we should somehow check that the memory comes from page_alloc or
> kmalloc. Or otherwise make sure that it has tags. Maybe there's an arm
> instruction to check whether the memory has tags?
> 

I agree, looking a second time at the code the problem comes from
addr_has_metadata():

...

[   18.127273] BUG: KASAN: invalid-access in 0x0
[   18.128604] Read at addr 0000000000000000 by task swapper/0/1
[   18.130311] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000000
[   18.131291] Mem abort info:
[   18.131696]   ESR = 0x96000004
[   18.132169]   EC = 0x25: DABT (current EL), IL = 32 bits
[   18.132953]   SET = 0, FnV = 0
[   18.133433]   EA = 0, S1PTW = 0
[   18.133907] Data abort info:
[   18.134308]   ISV = 0, ISS = 0x00000004
[   18.134883]   CM = 0, WnR = 0
[   18.135436] [0000000000000000] user address but active_mm is swapper
[   18.136372] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[   18.137280] Modules linked in:
[   18.138182] CPU: 2 PID: 1 Comm: swapper/0 Not tainted
5.11.0-rc4-00007-g86cba71f117-dirty #2
[   18.139275] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
[   18.140342] pstate: 60400085 (nZCv daIf +PAN -UAO -TCO BTYPE=--)
[   18.141324] pc : mte_get_mem_tag+0x24/0x40
[   18.142487] lr : print_tags+0x1c/0x40
[   18.143095] sp : ffff80001004bcf0
[   18.143570] x29: ffff80001004bcf0 x28: 0000000000000000
[   18.144526] x27: ffffd042f0bf04e0 x26: ffffd042f0ca1068
[   18.145369] x25: ffffd042f0bdde58 x24: ffffd042f1458000
[   18.146209] x23: 0000000000000000 x22: 0000000000000000
[   18.147047] x21: 0000000000000000 x20: 0000000000000000
[   18.147928] x19: 0000000000000000 x18: ffffffffffffffff
[   18.148928] x17: 000000000000000e x16: 0000000000000001
[   18.149837] x15: ffff80009004ba17 x14: 0000000000000006
[   18.150774] x13: ffffd042f11b27e0 x12: 0000000000000399
[   18.151653] x11: 0000000000000133 x10: ffffd042f11b27e0
[   18.152544] x9 : ffffd042f11b27e0 x8 : 00000000ffffefff
[   18.153443] x7 : ffffd042f120a7e0 x6 : ffffd042f120a7e0
[   18.154272] x5 : 000000000000bff4 x4 : 0000000000000000
[   18.155096] x3 : 0000000000000000 x2 : 0000000000000000
[   18.155958] x1 : 0000000000000000 x0 : 0000000000000000
[   18.157145] Call trace:
[   18.157615]  mte_get_mem_tag+0x24/0x40
[   18.158258]  kasan_report+0xec/0x1b0

...

I noticed it differently but you can easily reproduce it calling
kasan_report(0,0,0,0); from somewhere.

I will send a patch tomorrow that checks if the memory comes from page_alloc or
kmalloc. Not sure what you mean for "instruction to check whether the memory has
tags".

Thanks!

-- 
Regards,
Vincenzo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ