| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87ldzotct7.fsf@gmail.com>
Date: Thu, 19 Sep 2024 11:17:16 +0530
From: Ritesh Harjani (IBM) <ritesh.list@...il.com>
To: Christophe Leroy <christophe.leroy@...roup.eu>, linuxppc-dev@...ts.ozlabs.org,
Cc: Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, Madhavan Srinivasan <maddy@...ux.ibm.com>, Hari Bathini <hbathini@...ux.ibm.com>, "Aneesh Kumar K . V" <aneesh.kumar@...nel.org>, Donet Tom <donettom@...ux.vnet.ibm.com>, Pavithra Prakash <pavrampu@...ux.vnet.ibm.com>, Nirjhar Roy <nirjhar@...ux.ibm.com>, LKML <linux-kernel@...r.kernel.org>, kasan-dev@...glegroups.com, Disha Goel <disgoel@...ux.ibm.com>, Alexander Potapenko <glider@...gle.com>
Subject: Re: [RFC v2 02/13] powerpc: mm: Fix kfence page fault reporting
Christophe Leroy <christophe.leroy@...roup.eu> writes:
> Le 19/09/2024 à 04:56, Ritesh Harjani (IBM) a écrit :
>> copy_from_kernel_nofault() can be called when doing read of /proc/kcore.
>> /proc/kcore can have some unmapped kfence objects which when read via
>> copy_from_kernel_nofault() can cause page faults. Since *_nofault()
>> functions define their own fixup table for handling fault, use that
>> instead of asking kfence to handle such faults.
>>
>> Hence we search the exception tables for the nip which generated the
>> fault. If there is an entry then we let the fixup table handler handle the
>> page fault by returning an error from within ___do_page_fault().
>
> Searching the exception table is a heavy operation and all has been done
> in the past to minimise the number of times it is called, see for
> instance commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy
> search_exception_tables() verification")
This should not cause latency in user page fault paths. We call
search_exception_tables() only when there is a page fault for kernel
address (which isn't that common right) which otherwise kfence will handle.
>
> Also, by trying to hide false positives you also hide real ones. For
I believe these should be false negatives. If kernel functions provides an
exception table to handle such a fault, then shouldn't it be handled via
fixup table provided rather then via kfence?
> instance if csum_partial_copy_generic() is using a kfence protected
> area, it will now go undetected.
I can go and look into usages of csum_partial_copy_generic(). But can
you please expand more here on what you meant?
... so if a fault occurs for above case, this patch will just let the
fixup table handle that fault rather than kfence reporting it and
returning 0.
The issue we see here is when unmapped kfence addresses get accessed via
*_nofault() variants which causes kfence to report a false negative
(this happens when we use read /proc/kcore or tools like perf read that)
This is because as per my understanding copy_from_kernel_nofault()
should return -EFAULT from it's fixup table if a fault occurs...
whereas with kfence it will report the warning and will return 0 after
kfence handled the fault.
I see other archs too calling fixup_table() in their fault handling
routine before allowing kfence to handle the fault.
>
> IIUC, here your problem is limited to copy_from_kernel_nofault(). You
> should handle the root cause, not its effects. For that, you could
> perform additional verifications in copy_from_kernel_nofault_allowed().
Sorry, why make copy_from_kernel_nofault() as a special case for powerpc?
I don't see any other arch making copy_from_kernel_nofault() as a
special case. Shouldn't Kernel faults be handled via fixup_table(), if
it is supplied, before kfence handling it?
(maybe I am missing something)
-ritesh
Powered by blists - more mailing lists