lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250326203926.GA10484@ax162>
Date: Wed, 26 Mar 2025 13:39:26 -0700
From: Nathan Chancellor <nathan@...nel.org>
To: Jann Horn <jannh@...gle.com>, Arnd Bergmann <arnd@...db.de>
Cc: Marco Elver <elver@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>,
	kasan-dev@...glegroups.com, linux-arch@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rwonce: handle KCSAN like KASAN in read_word_at_a_time()

Hi Jann,

On Tue, Mar 25, 2025 at 05:01:34PM +0100, Jann Horn wrote:
> Also, since this read can be racy by design, we should technically do
> READ_ONCE(), so add that.
> 
> Fixes: dfd402a4c4ba ("kcsan: Add Kernel Concurrency Sanitizer infrastructure")
> Signed-off-by: Jann Horn <jannh@...gle.com>
...
> diff --git a/include/asm-generic/rwonce.h b/include/asm-generic/rwonce.h
> index 8d0a6280e982..e9f2b84d2338 100644
> --- a/include/asm-generic/rwonce.h
> +++ b/include/asm-generic/rwonce.h
> @@ -79,11 +79,14 @@ unsigned long __read_once_word_nocheck(const void *addr)
>  	(typeof(x))__read_once_word_nocheck(&(x));			\
>  })
>  
> -static __no_kasan_or_inline
> +static __no_sanitize_or_inline
>  unsigned long read_word_at_a_time(const void *addr)
>  {
> +	/* open-coded instrument_read(addr, 1) */
>  	kasan_check_read(addr, 1);
> -	return *(unsigned long *)addr;
> +	kcsan_check_read(addr, 1);
> +
> +	return READ_ONCE(*(unsigned long *)addr);

I bisected a boot hang that I see on arm64 with LTO enabled to this
change as commit ece69af2ede1 ("rwonce: handle KCSAN like KASAN in
read_word_at_a_time()") in -next. With LTO, READ_ONCE() gets upgraded to
ldar / ldapr, which requires an aligned address to access, but
read_word_at_a_time() can be called with an unaligned address. I
confirmed this should be the root cause by removing the READ_ONCE()
added above or removing the selects of DCACHE_WORD_ACCESS and
HAVE_EFFICIENT_UNALIGNED_ACCESS in arch/arm64/Kconfig, which avoids
the crash.

Cheers,
Nathan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ