lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YEuEbRvzdf9x1yNI@elver.google.com>
Date:   Fri, 12 Mar 2021 16:10:37 +0100
From:   Marco Elver <elver@...gle.com>
To:     Andrey Konovalov <andreyknvl@...gle.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Alexander Potapenko <glider@...gle.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Dmitry Vyukov <dvyukov@...gle.com>, kasan-dev@...glegroups.com,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 10/11] kasan: docs: update ignoring accesses section

On Fri, Mar 12, 2021 at 03:24PM +0100, Andrey Konovalov wrote:
> Update the "Ignoring accesses" section in KASAN documentation:
> 
> - Mention __no_sanitize_address/noinstr.
> - Mention kasan_disable/enable_current().
> - Mention kasan_reset_tag()/page_kasan_tag_reset().
> - Readability and punctuation clean-ups.
> 
> Signed-off-by: Andrey Konovalov <andreyknvl@...gle.com>

Reviewed-by: Marco Elver <elver@...gle.com>

> ---
> 
> Changes in v1->v2:
> - Mention __no_sanitize_address/noinstr.
> - Reword the whole section to make it clear which method works for which
>   mode.
> ---
>  Documentation/dev-tools/kasan.rst | 34 +++++++++++++++++++++++++++----
>  1 file changed, 30 insertions(+), 4 deletions(-)
> 
> diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst
> index d0c1796122df..5749c14b38d0 100644
> --- a/Documentation/dev-tools/kasan.rst
> +++ b/Documentation/dev-tools/kasan.rst
> @@ -368,12 +368,18 @@ Ignoring accesses
>  ~~~~~~~~~~~~~~~~~
>  
>  Software KASAN modes use compiler instrumentation to insert validity checks.
> -Such instrumentation might be incompatible with some part of the kernel, and
> -therefore needs to be disabled. To disable instrumentation for specific files
> -or directories, add a line similar to the following to the respective kernel
> +Such instrumentation might be incompatible with some parts of the kernel, and
> +therefore needs to be disabled.
> +
> +Other parts of the kernel might access metadata for allocated objects.
> +Normally, KASAN detects and reports such accesses, but in some cases (e.g.,
> +in memory allocators), these accesses are valid.
> +
> +For software KASAN modes, to disable instrumentation for a specific file or
> +directory, add a ``KASAN_SANITIZE`` annotation to the respective kernel
>  Makefile:
>  
> -- For a single file (e.g. main.o)::
> +- For a single file (e.g., main.o)::
>  
>      KASAN_SANITIZE_main.o := n
>  
> @@ -381,6 +387,26 @@ Makefile:
>  
>      KASAN_SANITIZE := n
>  
> +For software KASAN modes, to disable instrumentation on a per-function basis,
> +use the KASAN-specific ``__no_sanitize_address`` function attribute or the
> +generic ``noinstr`` one.
> +
> +Note that disabling compiler instrumentation (either on a per-file or a
> +per-function basis) makes KASAN ignore the accesses that happen directly in
> +that code for software KASAN modes. It does not help when the accesses happen
> +indirectly (through calls to instrumented functions) or with the hardware
> +tag-based mode that does not use compiler instrumentation.
> +
> +For software KASAN modes, to disable KASAN reports in a part of the kernel code
> +for the current task, annotate this part of the code with a
> +``kasan_disable_current()``/``kasan_enable_current()`` section. This also
> +disables the reports for indirect accesses that happen through function calls.
> +
> +For tag-based KASAN modes (include the hardware one), to disable access
> +checking, use ``kasan_reset_tag()`` or ``page_kasan_tag_reset()``. Note that
> +temporarily disabling access checking via ``page_kasan_tag_reset()`` requires
> +saving and restoring the per-page KASAN tag via
> +``page_kasan_tag``/``page_kasan_tag_set``.
>  
>  Tests
>  ~~~~~
> -- 
> 2.31.0.rc2.261.g7f71774620-goog
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ