[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAG_fn=XX2exsGcD3ZR4LGw4Tqy_ietYe46WEOKt7a_nt9Gf=Cw@mail.gmail.com>
Date: Thu, 27 Oct 2022 16:24:55 -0700
From: Alexander Potapenko <glider@...gle.com>
To: Kees Cook <keescook@...omium.org>
Cc: Peter Zijlstra <peterz@...radead.org>,
Marco Elver <elver@...gle.com>, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, Andrew Morton <akpm@...ux-foundation.org>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org
Subject: Re: [PATCH] x86/uaccess: instrument copy_from_user_nmi()
On Thu, Oct 27, 2022 at 11:58 AM Kees Cook <keescook@...omium.org> wrote:
>
> On Thu, Oct 27, 2022 at 11:26:50AM -0700, Alexander Potapenko wrote:
> > On Thu, Oct 27, 2022 at 1:05 AM Peter Zijlstra <peterz@...radead.org> wrote:
> > >
> > > On Wed, Oct 26, 2022 at 11:38:53AM -0700, Alexander Potapenko wrote:
> > > > A bigger issue from the NMI perspective is probably
> > > > having __msan_poison_alloca() inserted in every non-noinstr kernel
> > > > function, because that hook may acquire the stackdepot lock.
> > >
> > > *urgghhh* that's broken, that must not be. There is a *TON* of NMI
> > > functions that are non-noinstr.
> >
> > __msan_poison_alloca() is guarded by kmsan_in_runtime(), which is
> > currently implemented as:
> >
> > static __always_inline bool kmsan_in_runtime(void)
> > {
> > if ((hardirq_count() >> HARDIRQ_SHIFT) > 1)
> > return true;
> > return kmsan_get_context()->kmsan_in_runtime;
> > }
> >
> > I think the easiest way to fix the NMI situation would be adding "if
> > in_nmi() return true"?
>
> It might help to look through these threads:
>
> https://lore.kernel.org/lkml/20220916135953.1320601-1-keescook@chromium.org/
> https://lore.kernel.org/all/20220919201648.2250764-1-keescook@chromium.org/
Sorry, I missed that letter, should have responded earlier.
> I wandered around attempting to deal with in_nmi(), etc. And in
> the end just drop the attempt to cover it. It's worth noting that
> copy_from_user_nmi() exists on 1 architecture and has exactly 1
> call-site...
It doesn't really matter for KASAN, because a missing addressability
check is a matter of missing some (possibly rare) bugs.
For KMSAN a missing initialization will result in false positives, and
we already started seeing them: show_opcodes() copies data to a local
and prints it, but without a call to kmsan_unpoison_memory() it will
result in error reports about opcodes[] being uninitialized.
So for this particular case I want to ensure kmsan_unpoison_memory()
can be called from NMI context (by removing the kmsan_in_runtime()
check from it), but to be on the safe side we'll also have to do
nothing in __msan_poison_alloca() under in_nmi().
> --
> Kees Cook
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Powered by blists - more mailing lists