Message-ID: <CA+fCnZeEm+-RzqEXp1FqYJ5Gsm+mUZh5k3nq=92ZuTiqwsaWvA@mail.gmail.com>
Date: Tue, 25 Feb 2025 22:38:06 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>, Vitaly Buka <vitalybuka@...gle.com>
Cc: kees@...nel.org, julian.stecklina@...erus-technology.de, 
	kevinloughlin@...gle.com, peterz@...radead.org, tglx@...utronix.de, 
	justinstitt@...gle.com, catalin.marinas@....com, wangkefeng.wang@...wei.com, 
	bhe@...hat.com, ryabinin.a.a@...il.com, kirill.shutemov@...ux.intel.com, 
	will@...nel.org, ardb@...nel.org, jason.andryuk@....com, 
	dave.hansen@...ux.intel.com, pasha.tatashin@...een.com, 
	guoweikang.kernel@...il.com, dwmw@...zon.co.uk, mark.rutland@....com, 
	broonie@...nel.org, apopple@...dia.com, bp@...en8.de, rppt@...nel.org, 
	kaleshsingh@...gle.com, richard.weiyang@...il.com, luto@...nel.org, 
	glider@...gle.com, pankaj.gupta@....com, pawan.kumar.gupta@...ux.intel.com, 
	kuan-ying.lee@...onical.com, tony.luck@...el.com, tj@...nel.org, 
	jgross@...e.com, dvyukov@...gle.com, baohua@...nel.org, 
	samuel.holland@...ive.com, dennis@...nel.org, akpm@...ux-foundation.org, 
	thomas.weissschuh@...utronix.de, surenb@...gle.com, kbingham@...nel.org, 
	ankita@...dia.com, nathan@...nel.org, ziy@...dia.com, xin@...or.com, 
	rafael.j.wysocki@...el.com, andriy.shevchenko@...ux.intel.com, cl@...ux.com, 
	jhubbard@...dia.com, hpa@...or.com, scott@...amperecomputing.com, 
	david@...hat.com, jan.kiszka@...mens.com, vincenzo.frascino@....com, 
	corbet@....net, maz@...nel.org, mingo@...hat.com, arnd@...db.de, 
	ytcoode@...il.com, xur@...gle.com, morbo@...gle.com, 
	thiago.bauermann@...aro.org, linux-doc@...r.kernel.org, 
	kasan-dev@...glegroups.com, linux-kernel@...r.kernel.org, 
	llvm@...ts.linux.dev, linux-mm@...ck.org, 
	linux-arm-kernel@...ts.infradead.org, x86@...nel.org
Subject: Re: [PATCH v2 01/14] kasan: sw_tags: Use arithmetic shift for shadow computation

On Tue, Feb 25, 2025 at 9:13 PM Maciej Wieczor-Retman
<maciej.wieczor-retman@...el.com> wrote:
>
> >>Thanks for letting me know about the tag resets, that should make changing the
> >>check in kasan_non_canonical_hook() easier.
> >
> >Ah, but the [0xff00000000000000, 0xffffffffffffffff] won't be true for x86
> >right? Here the tag reset function only resets bits 60:57. So I presume
> >[0x3e00000000000000, 0xffffffffffffffff] would be the range?
>
> Sorry, brain freeze, I meant [0x1e00000000000000, 0xffffffffffffffff]

+Vitaly, who implemented [1]

Ah, so when the compiler calculates the shadow memory address on x86,
it does | 0x7E (== 0x3F << 1) [2] for when CompileKernel == true,
because LAM uses bits [62:57], I see.

What value can bit 63 take for _valid kernel_ pointers (on which
KASAN is intended to operate)? If it is always 1, we could arguably
change the compiler to do | 0xFE for CompileKernel. Which would leave
us with only one region to check: [0xfe00000000000000,
0xffffffffffffffff]. But I don't know whether changing the compiler
makes sense: it technically does as instructed by the LAM spec.
(Vitaly, any thoughts? For context: we are discussing how to check
whether a pointer can be a result of a memory-to-shadow mapping
applied to a potentially invalid pointer in kernel HWASAN.)

With the way the compiler works right now, for the perfectly precise
check, I think we need to check 2 ranges: [0xfe00000000000000,
0xffffffffffffffff] for when bit 63 is set (of a potentially-invalid
pointer to which memory-to-shadow mapping is to be applied) and
[0x7e00000000000000, 0x7fffffffffffffff] for when bit 63 is reset. Bit
56 ranges through [0, 1] in both cases.

However, in these patches, you use only bits [60:57]. The compiler is
not aware of this, so it still sets bits [62:57], and we end up with
the same two ranges. But in the KASAN code, you only set bits [60:57],
and thus we can end up with 8 potential ranges (2 possible values for
each of the top 3 bits), which gets complicated. So checking only one
range that covers all of them seems to be reasonable for simplicity
even though not entirely precise. And yes, [0x1e00000000000000,
0xffffffffffffffff] looks like what we need.

[1] https://github.com/llvm/llvm-project/commit/cb6099ba43b9262a317083858a29fd31af7efa5c
[2] https://github.com/llvm/llvm-project/blob/llvmorg-20-init/llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp#L1259
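Added illustration (not part of this message, and not code from LLVM or the KASAN patches under discussion): a small C model of the top-byte tag-bit checks the thread walks through. It treats "the compiler ORs 0x7E into the top byte" as a plain OR of a mask into bits 63:56 and ignores the real memory-to-shadow shift and offset, which is an assumption made purely to keep the range arithmetic visible. `could_be_shadow()` is the precise check for any mask, `shadow_ranges()` enumerates the disjoint ranges it corresponds to (2 for bits 62:57, 1 for bits 63:57, 8 for bits 60:57), and `could_be_shadow_cover()` is the single covering range [mask << 56, 0xffffffffffffffff] that the thread settles on for simplicity. The function and macro names are the example's own.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Top-byte masks as discussed in the thread. The top byte holds address
 * bits 63:56, so bit 57 is top-byte bit 1 (0x02) and bit 56 is bit 0.
 */
#define TAG_BITS_62_57 0x7EULL /* what the compiler ORs in for CompileKernel (LAM bits) */
#define TAG_BITS_63_57 0xFEULL /* the alternative floated above, if bit 63 is always 1 */
#define TAG_BITS_60_57 0x1EULL /* what the KASAN code in the patches sets */

#define TOP_BYTE_SHIFT 56

static inline uint64_t top_byte(uint64_t addr)
{
	return addr >> TOP_BYTE_SHIFT;
}

/*
 * Simplified model of "OR the tag bits into the top byte" (assumption for
 * illustration only: the real memory-to-shadow mapping also shifts and
 * offsets the address, which is omitted here).
 */
uint64_t or_tag_bits(uint64_t addr, uint64_t mask)
{
	return addr | (mask << TOP_BYTE_SHIFT);
}

/*
 * Precise check: addr can be or_tag_bits(p, mask) for *some* p (valid or
 * not) exactly when every bit of mask is set in it. All other bits,
 * including bit 56 and bits 63:61, are free to be 0 or 1.
 */
bool could_be_shadow(uint64_t addr, uint64_t mask)
{
	return (top_byte(addr) & mask) == mask;
}

/* The TAG_BITS_62_57 check written as the two explicit ranges from the mail. */
bool could_be_shadow_two_ranges(uint64_t addr)
{
	return addr >= 0xfe00000000000000ULL ||
	       (addr >= 0x7e00000000000000ULL && addr <= 0x7fffffffffffffffULL);
}

/*
 * Single covering range [mask << 56, 0xffffffffffffffff]: simpler than the
 * precise check but also accepts addresses no tagging could produce.
 */
bool could_be_shadow_cover(uint64_t addr, uint64_t mask)
{
	return addr >= (mask << TOP_BYTE_SHIFT);
}

/*
 * Enumerate the disjoint precise ranges for mask into lo[]/hi[] (at most
 * cap entries) and return how many there are. Each free top-byte bit above
 * the lowest mask bit doubles the number of ranges; free bits below it
 * (bit 56 for all three masks) only extend each range downwards.
 */
size_t shadow_ranges(uint64_t mask, uint64_t *lo, uint64_t *hi, size_t cap)
{
	uint64_t lowest = mask & (0 - mask);            /* lowest set bit of mask */
	uint64_t low_free = (lowest - 1) & 0xFFULL;     /* free top-byte bits below it */
	uint64_t high_free = ~(mask | low_free) & 0xFFULL;
	size_t n = 0;

	for (uint64_t v = 0; v < 0x100; v++) {
		if (v & ~high_free)                     /* only subsets of high_free */
			continue;
		if (n == cap)
			break;
		lo[n] = (mask | v) << TOP_BYTE_SHIFT;
		hi[n] = lo[n] | (low_free << TOP_BYTE_SHIFT) | 0x00FFFFFFFFFFFFFFULL;
		n++;
	}
	return n;
}

static void print_ranges(const char *what, uint64_t mask)
{
	uint64_t lo[256], hi[256];
	size_t n = shadow_ranges(mask, lo, hi, 256);

	printf("%s (top-byte mask 0x%02" PRIx64 "): %zu range(s)\n", what, mask, n);
	for (size_t i = 0; i < n; i++)
		printf("  [0x%016" PRIx64 ", 0x%016" PRIx64 "]\n", lo[i], hi[i]);
}

int main(void)
{
	print_ranges("compiler, bits 62:57", TAG_BITS_62_57);
	print_ranges("proposed, bits 63:57", TAG_BITS_63_57);
	print_ranges("KASAN patches, bits 60:57", TAG_BITS_60_57);

	/* Constructed sample: inside the covering range, but no tagging produces it. */
	uint64_t sample = 0x2000000000000000ULL;
	printf("0x%016" PRIx64 ": cover=%d precise=%d\n", sample,
	       could_be_shadow_cover(sample, TAG_BITS_60_57),
	       could_be_shadow(sample, TAG_BITS_60_57));
	return 0;
}
```

Running it prints the 2, 1 and 8 ranges for the three masks and shows 0x2000000000000000 (bits 60:57 all clear) passing the covering check while failing the precise one, which is the imprecision the mail accepts in exchange for a single comparison.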
