| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <qnxlqbc4cs7izjilisbjlrup4zyntjyucvfa4s6eegn72wfbkd@czthvwkdvo3v> Date: Wed, 26 Feb 2025 17:42:18 +0100 From: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com> To: Andrey Konovalov <andreyknvl@...il.com> CC: Vitaly Buka <vitalybuka@...gle.com>, <kees@...nel.org>, <julian.stecklina@...erus-technology.de>, <kevinloughlin@...gle.com>, <peterz@...radead.org>, <tglx@...utronix.de>, <justinstitt@...gle.com>, <catalin.marinas@....com>, <wangkefeng.wang@...wei.com>, <bhe@...hat.com>, <ryabinin.a.a@...il.com>, <kirill.shutemov@...ux.intel.com>, <will@...nel.org>, <ardb@...nel.org>, <jason.andryuk@....com>, <dave.hansen@...ux.intel.com>, <pasha.tatashin@...een.com>, <guoweikang.kernel@...il.com>, <dwmw@...zon.co.uk>, <mark.rutland@....com>, <broonie@...nel.org>, <apopple@...dia.com>, <bp@...en8.de>, <rppt@...nel.org>, <kaleshsingh@...gle.com>, <richard.weiyang@...il.com>, <luto@...nel.org>, <glider@...gle.com>, <pankaj.gupta@....com>, <pawan.kumar.gupta@...ux.intel.com>, <kuan-ying.lee@...onical.com>, <tony.luck@...el.com>, <tj@...nel.org>, <jgross@...e.com>, <dvyukov@...gle.com>, <baohua@...nel.org>, <samuel.holland@...ive.com>, <dennis@...nel.org>, <akpm@...ux-foundation.org>, <thomas.weissschuh@...utronix.de>, <surenb@...gle.com>, <kbingham@...nel.org>, <ankita@...dia.com>, <nathan@...nel.org>, <ziy@...dia.com>, <xin@...or.com>, <rafael.j.wysocki@...el.com>, <andriy.shevchenko@...ux.intel.com>, <cl@...ux.com>, <jhubbard@...dia.com>, <hpa@...or.com>, <scott@...amperecomputing.com>, <david@...hat.com>, <jan.kiszka@...mens.com>, <vincenzo.frascino@....com>, <corbet@....net>, <maz@...nel.org>, <mingo@...hat.com>, <arnd@...db.de>, <ytcoode@...il.com>, <xur@...gle.com>, <morbo@...gle.com>, <thiago.bauermann@...aro.org>, <linux-doc@...r.kernel.org>, <kasan-dev@...glegroups.com>, <linux-kernel@...r.kernel.org>, <llvm@...ts.linux.dev>, <linux-mm@...ck.org>, <linux-arm-kernel@...ts.infradead.org>, <x86@...nel.org> Subject: Re: [PATCH v2 01/14] kasan: sw_tags: Use arithmetic shift for shadow computation On 2025-02-25 at 22:38:06 +0100, Andrey Konovalov wrote: >On Tue, Feb 25, 2025 at 9:13 PM Maciej Wieczor-Retman ><maciej.wieczor-retman@...el.com> wrote: >> >> >>Thanks for letting me know about the tag resets, that should make changing the >> >>check in kasan_non_canonical_hook() easier. >> > >> >Ah, but the [0xff00000000000000, 0xffffffffffffffff] won't be true for x86 >> >right? Here the tag reset function only resets bits 60:57. So I presume >> >[0x3e00000000000000, 0xffffffffffffffff] would be the range? >> >> Sorry, brain freeze, I meant [0x1e00000000000000, 0xffffffffffffffff] > >+Vitaly, who implemented [1] > >Ah, so when the compiler calculates the shadow memory address on x86, >it does | 0x7E (== 0x3F << 1) [2] for when CompileKernel == true, >because LAM uses bits [62:57], I see. Thanks for the links, now I see what you meant. > >What value can bit 63 and take for _valid kernel_ pointers (on which >KASAN is intended to operate)? If it is always 1, we could arguably >change the compiler to do | 0xFE for CompileKernel. Which would leave >us with only one region to check: [0xfe00000000000000, >0xffffffffffffffff]. But I don't know whether changing the compiler >makes sense: it technically does as instructed by the LAM spec. >(Vitaly, any thoughts? For context: we are discussing how to check >whether a pointer can be a result of a memory-to-shadow mapping >applied to a potentially invalid pointer in kernel HWASAN.) With LAM, valid pointers need to have bits 63 and 56 equal for 5 level paging and bits 63 and 47 equal for 4 level paging. Both set for kernel addresses and both clear for user addresses. >With the way the compiler works right now, for the perfectly precise >check, I think we need to check 2 ranges: [0xfe00000000000000, >0xffffffffffffffff] for when bit 63 is set (of a potentially-invalid >pointer to which memory-to-shadow mapping is to be applied) and >[0x7e00000000000000, 0x7fffffffffffffff] for when bit 63 is reset. Bit >56 ranges through [0, 1] in both cases. > >However, in these patches, you use only bits [60:57]. The compiler is >not aware of this, so it still sets bits [62:57], and we end up with >the same two ranges. But in the KASAN code, you only set bits [60:57], >and thus we can end up with 8 potential ranges (2 possible values for >each of the top 3 bits), which gets complicated. So checking only one >range that covers all of them seems to be reasonable for simplicity >even though not entirely precise. And yes, [0x1e00000000000000, >0xffffffffffffffff] looks like the what we need. Aren't the 2 ranges you mentioned in the previous paragraph still valid, no matter what bits the __tag_set() function uses? I mean bits 62:57 are still reset by the compiler so bits 62:61 still won't matter. For example addresses 0x1e00000000000000 and 0x3e00000000000000 will resolve to the same thing after the compiler is done with them right? > >[1] https://github.com/llvm/llvm-project/commit/cb6099ba43b9262a317083858a29fd31af7efa5c >[2] https://github.com/llvm/llvm-project/blob/llvmorg-20-init/llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp#L1259 -- Kind regards Maciej Wieczór-Retman
Powered by blists - more mailing lists