lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z0RWcgrQASMIleRn@J2N7QTR9R3>
Date: Mon, 25 Nov 2024 10:50:48 +0000
From: Mark Rutland <mark.rutland@....com>
To: Lukas Wunner <lukas@...ner.de>
Cc: Ard Biesheuvel <ardb@...nel.org>,
	Catalin Marinas <catalin.marinas@....com>,
	Will Deacon <will@...nel.org>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Zorro Lang <zlang@...hat.com>,
	Vegard Nossum <vegard.nossum@...cle.com>,
	Joey Gouly <joey.gouly@....com>,
	linux-arm-kernel@...ts.infradead.org, linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH for-next/fixes] arm64/mm: Fix false-positive
 !virt_addr_valid() for kernel image

On Mon, Nov 25, 2024 at 10:54:49AM +0100, Lukas Wunner wrote:
> On Sun, Nov 24, 2024 at 06:13:26PM +0100, Ard Biesheuvel wrote:
> > > On Sun, 24 Nov 2024 at 17:16, Lukas Wunner <lukas@...ner.de> wrote:
> > > > Zorro reports a false-positive BUG_ON() when running crypto selftests on
> > > > boot:  Since commit 1e562deacecc ("crypto: rsassa-pkcs1 - Migrate to
> > > > sig_alg backend"), test_sig_one() invokes an RSA verify operation with a
> > > > test vector in the kernel's .rodata section.  The test vector is passed
> > > > to sg_set_buf(), which performs a virt_addr_valid() check.
> > > >
> > > > On arm64, virt_addr_valid() returns false for kernel image addresses
> > > > such as this one, even though they're valid virtual addresses.
> > > > x86 returns true for kernel image addresses, so the BUG_ON() does not
> > > > occur there.  In fact, x86 has been doing so for 16 years, i.e. since
> > > > commit af5c2bd16ac2 ("x86: fix virt_addr_valid() with
> > > > CONFIG_DEBUG_VIRTUAL=y, v2").
> > > >
> > > > Do the same on arm64 to avoid the false-positive BUG_ON() and to achieve
> > > > consistent virt_addr_valid() behavior across arches.
> [...]
> > that doesn't mean doing DMA from the kernel image is a great
> > idea. Allocations in the linear map are rounded up to cacheline size
> > to ensure that they are safe for non-coherent DMA, but this does not
> > apply to the kernel image. .rodata should still be safe in this
> > regard, but the general idea of allowing kernel image addresses in
> > places where DMA'able virtual addresses are expected is something we
> > should consider with care.
> 
> Other arches do not seem to be concerned about this and
> let virt_addr_valid() return true for the kernel image.
> It's not clear why arm64 is special and needs to return false.
> 
> However, I agree there's hardly ever a reason to DMA from/to the
> .text section.  From a security perspective, constraining this to
> .rodata seems reasonable to me and I'll be happy to amend the patch
> to that effect if that's the consensus.

Instead, can we update the test to use lm_alias() on the symbols in
question? That'll convert a kernel image address to its linear map
alias, and then that'll work with virt_addr_valid(), virt_to_phys(),
etc.

I don't think it's generally a good idea to relax virt_addr_valid() to
accept addresses outside of the linear map, regardless of what other
architectures do. We've had issues in the past with broken conversions,
and the fixups in virt_to_phys() is really only there as a best-effort
way to not crash and allow the warning messages to get out.

Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ