| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG_fn=W_Vde+fXhLGDdt0Mu+6bG8LxLew052MdFy2Lqiyj1qLA@mail.gmail.com> Date: Wed, 4 Sep 2024 17:31:31 +0200 From: Alexander Potapenko <glider@...gle.com> To: Samuel Holland <samuel.holland@...ive.com> Cc: Marc Zyngier <maz@...nel.org>, Andrey Konovalov <andreyknvl@...il.com>, Aleksandr Nogikh <nogikh@...gle.com>, kasan-dev <kasan-dev@...glegroups.com>, Will Deacon <will@...nel.org>, syzbot <syzbot+908886656a02769af987@...kaller.appspotmail.com>, catalin.marinas@....com, linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Re: [syzbot] [arm?] upstream test error: KASAN: invalid-access Write in setup_arch > >>>> Who knows enough about KASAN to dig into this? > >> > >> This looks related to Samuel's "arm64: Fix KASAN random tag seed > >> initialization" patch that landed in August. > > > > f75c235565f9 arm64: Fix KASAN random tag seed initialization > > > > $ git describe --contains f75c235565f9 --match=v\* > > v6.11-rc4~15^2 > > > > So while this is in -rc4, -rc6 still has the same issue (with GCC -- > > clang is OK). > > I wouldn't expect it to be related to my patch. smp_build_mpidr_hash() gets > called before kasan_init_sw_tags() both before and after applying my patch. Hm, you are right, this problem indeed dates back to v6.9 or earlier. > Since the variable in question is a stack variable, the random tag is generated > by GCC, not the kernel function. > > Since smp_build_mpidr_hash() is inlined into setup_arch(), which also calls > kasan_init(), maybe the issue is that GCC tries to allocate the local variable > and write the tag to shadow memory before kasan_init() actually sets up the > shadow memory? Should it be inlined at all? setup_arch() is a __no_sanitize_address function, and smp_build_mpidr_hash() is an instrumented one. The latter is not supposed to be inlined into the former, unless the latter is always_inline (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67368, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89124). The report seems to go away if I mark smp_build_mpidr_hash() as noinline. This doesn't explain, though, why Clang build doesn't work at all... > > Regards, > Samuel > > >> I am a bit surprised the bug is reported before the > >> "KernelAddressSanitizer initialized" banner is printed - I thought we > >> shouldn't be reporting anything until the tool is fully initialized. > > > > Specially if this can report false positives... > > > > Thanks, > > > > M. > > > -- Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Straße, 33 80636 München Geschäftsführer: Paul Manicle, Liana Sebastian Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg
Powered by blists - more mailing lists