lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAG_fn=UF1JmwMmPJd_CJQSzQAfA_z5fQ1MKaKXDv3N5+s3f6qg@mail.gmail.com>
Date: Thu, 27 Mar 2025 08:29:18 +0100
From: Alexander Potapenko <glider@...gle.com>
To: Jann Horn <jannh@...gle.com>
Cc: Will Deacon <will@...nel.org>, kasan-dev <kasan-dev@...glegroups.com>, 
	Andrey Ryabinin <ryabinin.a.a@...il.com>, kernel list <linux-kernel@...r.kernel.org>, 
	Linux ARM <linux-arm-kernel@...ts.infradead.org>, 
	Catalin Marinas <catalin.marinas@....com>, Andrey Konovalov <andreyknvl@...il.com>, 
	Dmitry Vyukov <dvyukov@...gle.com>, Vincenzo Frascino <vincenzo.frascino@....com>
Subject: Re: does software KASAN not instrument READ_ONCE() on arm64 with LTO?

On Thu, Mar 27, 2025 at 12:10 AM Jann Horn <jannh@...gle.com> wrote:
>
> Hi!
>
> I just realized - arm64 redefines __READ_ONCE() to use inline assembly
> instead of a volatile load, and ASAN is designed to not instrument asm
> statement operands (not even memory operands).

Nice catch!

> (I think I may have a years-old LLVM patch somewhere that changes
> that, but I vaguely recall being told once that that's an intentional
> design decision. I might be misremembering that though...)

We have some best-effort asm instrumentation in KMSAN (see
https://llvm.org/doxygen/MemorySanitizer_8cpp_source.html#l04968) and
could potentially do something similar for KASAN, but if I remember
correctly there were some corner cases with unknown argument sizes and
with percpu instrumentation (at least on x86 percpu accesses receive
an offset of the variable in .data..percpu, not the actual address).

> So because __READ_ONCE() does not call anything like
> instrument_read(), I think instrumentation-based KASAN in LTO arm64
> builds probably doesn't cover READ_ONCE() accesses?
>
> A quick test seems to confirm this: https://godbolt.org/z/8oYfaExYf

So should it be enough to call instrument_read()?


-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ