Message-ID: <CA+fCnZdUFO0+G9HHy4oaQfEx8sm3D_ZfxdkH3y2ZojjYqTN74Q@mail.gmail.com>
Date: Wed, 26 Feb 2025 20:44:35 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
Cc: Vitaly Buka <vitalybuka@...gle.com>, kees@...nel.org, 
	julian.stecklina@...erus-technology.de, kevinloughlin@...gle.com, 
	peterz@...radead.org, tglx@...utronix.de, justinstitt@...gle.com, 
	catalin.marinas@....com, wangkefeng.wang@...wei.com, bhe@...hat.com, 
	ryabinin.a.a@...il.com, kirill.shutemov@...ux.intel.com, will@...nel.org, 
	ardb@...nel.org, jason.andryuk@....com, dave.hansen@...ux.intel.com, 
	pasha.tatashin@...een.com, guoweikang.kernel@...il.com, dwmw@...zon.co.uk, 
	mark.rutland@....com, broonie@...nel.org, apopple@...dia.com, bp@...en8.de, 
	rppt@...nel.org, kaleshsingh@...gle.com, richard.weiyang@...il.com, 
	luto@...nel.org, glider@...gle.com, pankaj.gupta@....com, 
	pawan.kumar.gupta@...ux.intel.com, kuan-ying.lee@...onical.com, 
	tony.luck@...el.com, tj@...nel.org, jgross@...e.com, dvyukov@...gle.com, 
	baohua@...nel.org, samuel.holland@...ive.com, dennis@...nel.org, 
	akpm@...ux-foundation.org, thomas.weissschuh@...utronix.de, surenb@...gle.com, 
	kbingham@...nel.org, ankita@...dia.com, nathan@...nel.org, ziy@...dia.com, 
	xin@...or.com, rafael.j.wysocki@...el.com, andriy.shevchenko@...ux.intel.com, 
	cl@...ux.com, jhubbard@...dia.com, hpa@...or.com, 
	scott@...amperecomputing.com, david@...hat.com, jan.kiszka@...mens.com, 
	vincenzo.frascino@....com, corbet@....net, maz@...nel.org, mingo@...hat.com, 
	arnd@...db.de, ytcoode@...il.com, xur@...gle.com, morbo@...gle.com, 
	thiago.bauermann@...aro.org, linux-doc@...r.kernel.org, 
	kasan-dev@...glegroups.com, linux-kernel@...r.kernel.org, 
	llvm@...ts.linux.dev, linux-mm@...ck.org, 
	linux-arm-kernel@...ts.infradead.org, x86@...nel.org
Subject: Re: [PATCH v2 01/14] kasan: sw_tags: Use arithmetic shift for shadow computation

On Wed, Feb 26, 2025 at 5:43 PM Maciej Wieczor-Retman
<maciej.wieczor-retman@...el.com> wrote:
>
> >What value can bit 63 and take for _valid kernel_ pointers (on which
> >KASAN is intended to operate)? If it is always 1, we could arguably
> >change the compiler to do | 0xFE for CompileKernel. Which would leave
> >us with only one region to check: [0xfe00000000000000,
> >0xffffffffffffffff]. But I don't know whether changing the compiler
> >makes sense: it technically does as instructed by the LAM spec.
> >(Vitaly, any thoughts? For context: we are discussing how to check
> >whether a pointer can be a result of a memory-to-shadow mapping
> >applied to a potentially invalid pointer in kernel HWASAN.)
>
> With LAM, valid pointers need to have bits 63 and 56 equal for 5 level paging
> and bits 63 and 47 equal for 4 level paging. Both set for kernel addresses and
> both clear for user addresses.

Ah, OK. Then I guess we could even change the compiler to do | 0xFF,
same as arm. But I don't know if this makes sense.

> >With the way the compiler works right now, for the perfectly precise
> >check, I think we need to check 2 ranges: [0xfe00000000000000,
> >0xffffffffffffffff] for when bit 63 is set (of a potentially-invalid
> >pointer to which memory-to-shadow mapping is to be applied) and
> >[0x7e00000000000000, 0x7fffffffffffffff] for when bit 63 is reset. Bit
> >56 ranges through [0, 1] in both cases.
> >
> >However, in these patches, you use only bits [60:57]. The compiler is
> >not aware of this, so it still sets bits [62:57], and we end up with
> >the same two ranges. But in the KASAN code, you only set bits [60:57],
> >and thus we can end up with 8 potential ranges (2 possible values for
> >each of the top 3 bits), which gets complicated. So checking only one
> >range that covers all of them seems to be reasonable for simplicity
> >even though not entirely precise. And yes, [0x1e00000000000000,
> >0xffffffffffffffff] looks like the what we need.
>
> Aren't the 2 ranges you mentioned in the previous paragraph still valid, no
> matter what bits the __tag_set() function uses? I mean bits 62:57 are still
> reset by the compiler so bits 62:61 still won't matter. For example, addresses
> 0x1e00000000000000 and 0x3e00000000000000 will resolve to the same thing after
> the compiler is done with them, right?

Ah, yes, you're right, it's the same 2 ranges.

I was thinking about the outline instrumentation mode, where the
shadow address would be calculated based on resetting only bits
[60:57]. But then there we have an addr_has_metadata() check in
kasan_check_range(), so KASAN should not try to dereference a bad shadow
address and thus should not reach kasan_non_canonical_hook() anyway.
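The range arithmetic in this exchange is easy to check by enumeration. The following is an added example written for this archive page; it is not code from the patch series, from the kernel, or from any of the participants. It models the three tag-reset variants the thread names (the compiler setting bits [62:57], the "| 0xFE" alternative, and a KASAN-side reset of only bits [60:57]), counts how many contiguous address ranges each one can produce, confirms that 0x1e00000000000000 and 0x3e00000000000000 collapse to the same value after the compiler's reset, and implements the LAM canonicality rule exactly as Maciej states it (bit 63 equal to bit 56 for 5-level paging, to bit 47 for 4-level). The function and macro names are this example's own, not kernel identifiers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code. Models the tag-reset step applied to a
 * pointer before the sw_tags (HWASAN) memory-to-shadow mapping. The thread
 * states the compiler currently sets bits [62:57]; the series' __tag_set()
 * touches only bits [60:57]. Names here are this example's own.
 */
#define TAG_MASK_62_57 (0x7eULL << 56)  /* 0x7e00000000000000 */
#define TAG_MASK_60_57 (0x0fULL << 57)  /* 0x1e00000000000000 */

typedef uint64_t (*reset_fn)(uint64_t);

/* What the thread says the compiler emits today: top byte OR 0x7e. */
static uint64_t compiler_reset_tag(uint64_t addr)
{
	return addr | TAG_MASK_62_57;
}

/* The "| 0xFE" alternative floated in the thread: bit 63 set too. */
static uint64_t compiler_reset_tag_fe(uint64_t addr)
{
	return addr | (0xfeULL << 56);
}

/* KASAN-side reset from the series: only bits [60:57]. */
static uint64_t kasan_reset_tag_60_57(uint64_t addr)
{
	return addr | TAG_MASK_60_57;
}

/*
 * Apply a reset function to every possible top byte and count the number of
 * contiguous runs the results fall into. Each run is one address range that
 * a kasan_non_canonical_hook()-style check would have to cover.
 */
static int count_reset_ranges(reset_fn reset)
{
	bool reachable[256] = { false };
	int ranges = 0;

	for (unsigned int top = 0; top < 256; top++)
		reachable[reset((uint64_t)top << 56) >> 56] = true;

	for (unsigned int top = 0; top < 256; top++) {
		if (reachable[top] && (top == 0 || !reachable[top - 1]))
			ranges++;
	}
	return ranges;
}

/* The two precise ranges from the thread for the compiler's current reset. */
static bool in_precise_ranges(uint64_t addr)
{
	return (addr >= 0x7e00000000000000ULL && addr <= 0x7fffffffffffffffULL) ||
	       addr >= 0xfe00000000000000ULL;
}

/* The single wide range the thread settles on for simplicity. */
static bool in_wide_range(uint64_t addr)
{
	return addr >= 0x1e00000000000000ULL;
}

/* Lowest and highest address of every top-byte block land in the precise ranges. */
static bool reset_always_in_precise_ranges(void)
{
	for (unsigned int top = 0; top < 256; top++) {
		uint64_t lo = (uint64_t)top << 56;
		uint64_t hi = lo | 0x00ffffffffffffffULL;

		if (!in_precise_ranges(compiler_reset_tag(lo)) ||
		    !in_precise_ranges(compiler_reset_tag(hi)))
			return false;
	}
	return true;
}

/* LAM rule as stated in the thread: bit 63 == bit 56 (5-level) or bit 47 (4-level). */
static bool lam_canonical(uint64_t addr, int paging_levels)
{
	unsigned int low = (paging_levels == 5) ? 56 : 47;

	return ((addr >> 63) & 1) == ((addr >> low) & 1);
}

int main(void)
{
	printf("compiler reset [62:57]: %d range(s)\n", count_reset_ranges(compiler_reset_tag));
	printf("compiler reset | 0xFE : %d range(s)\n", count_reset_ranges(compiler_reset_tag_fe));
	printf("kasan reset [60:57]   : %d range(s)\n", count_reset_ranges(kasan_reset_tag_60_57));
	printf("0x1e.. -> 0x%llx, 0x3e.. -> 0x%llx\n",
	       (unsigned long long)compiler_reset_tag(0x1e00000000000000ULL),
	       (unsigned long long)compiler_reset_tag(0x3e00000000000000ULL));
	printf("every compiler-reset address in precise ranges: %d\n",
	       reset_always_in_precise_ranges());
	return 0;
}
```

The counts come out as the thread describes: two ranges for the compiler's current reset (top byte 0x7e/0x7f or 0xfe/0xff), one for "| 0xFE", and eight for a reset of bits [60:57] only, since bits 63, 62 and 61 each remain free. The wide range [0x1e00000000000000, 0xffffffffffffffff] covers all three cases, which is why it is the simpler choice for the hook even though it admits addresses none of the resets can produce.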
