Message-ID: <202504161255.7583BC11@keescook>
Date: Wed, 16 Apr 2025 12:56:28 -0700
From: Kees Cook <kees@...nel.org>
To: Mostafa Saleh <smostafa@...gle.com>
Cc: kvmarm@...ts.linux.dev, kasan-dev@...glegroups.com,
linux-hardening@...r.kernel.org, linux-kbuild@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
will@...nel.org, maz@...nel.org, oliver.upton@...ux.dev,
broonie@...nel.org, catalin.marinas@....com, tglx@...utronix.de,
mingo@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com,
x86@...nel.org, hpa@...or.com, elver@...gle.com,
andreyknvl@...il.com, ryabinin.a.a@...il.com,
akpm@...ux-foundation.org, yuzenghui@...wei.com,
suzuki.poulose@....com, joey.gouly@....com, masahiroy@...nel.org,
nathan@...nel.org, nicolas.schier@...ux.dev
Subject: Re: [PATCH 0/4] KVM: arm64: UBSAN at EL2
On Wed, Apr 16, 2025 at 06:04:30PM +0000, Mostafa Saleh wrote:
> Many of the sanitizers the kernel supports are disabled when running
> in EL2 with nvhe/hvhe/protected modes, some of those are easier
> (and make more sense) to integrate than others.
> Last year, kCFI support was added in [1].
>
> This patchset adds support for UBSAN in EL2.
> UBSAN can run in 2 modes:
> 1) “Normal” (CONFIG_UBSAN_TRAP=n): In this mode the compiler will
> do the UBSAN checks and insert some function calls in case of
> failures, it can provide more information (ex: what is the value of
> the out of bound) about the failures through those function arguments,
> and those functions (implemented in lib/ubsan.c) will print a report with
> such errors.
>
> 2) Trap (CONFIG_UBSAN_TRAP=y): This is a minimal mode, where similarly,
> the compiler will do the checks, but instead of doing function calls,
> it would do a “brk #imm” (for ARM64) with a unique code with the failure
> type, but without any extra information (ex: only print the out-bound line
> but not the index)
>
> For nvhe/hvhe/protected modes, #2 would be suitable, as there is no way to
> print reports from EL2, so similarly to kCFI (even with permissive) it would
> cause the hypervisor to panic.
>
> But that means that for EL2 we need to compile the code with the same options
> as used by “CONFIG_UBSAN_TRAP” independently from the kernel config.
>
> This patch series adds a new KCONFIG for ARM64 to choose to enable UBSAN
> separately for the modes mentioned.
>
> The same logic decoding the kernel UBSAN is reused, so the messages from
> the hypervisor will look similar as:
> [ 29.215332] kvm [190]: nVHE hyp UBSAN: array index out of bounds at: [<ffff8000811f2344>] __kvm_nvhe_handle___pkvm_init_vm+0xa8/0xac!
>
> In this patch set, the same UBSAN options (for check types) are used for both
> EL1/EL2, although a case can be made to have separate options (leading to
> totally separate CFLAGS) if we want EL2 to be compiled with stricter checks
> for something as protected mode.
> However, re-using the current flags makes code re-use easier for
> report_ubsan_failure() and Makefile.ubsan.
>
> [1] https://lore.kernel.org/all/20240610063244.2828978-1-ptosi@google.com/
>
>
> Mostafa Saleh (4):
> arm64: Introduce esr_is_ubsan_brk()
> ubsan: Remove regs from report_ubsan_failure()
> KVM: arm64: Introduce CONFIG_UBSAN_KVM_EL2
> KVM: arm64: Handle UBSAN faults
>
> arch/arm64/include/asm/esr.h | 5 +++++
> arch/arm64/kernel/traps.c | 4 ++--
> arch/arm64/kvm/handle_exit.c | 6 ++++++
> arch/arm64/kvm/hyp/nvhe/Makefile | 6 ++++++
> arch/x86/kernel/traps.c | 2 +-
> include/linux/ubsan.h | 6 +++---
> lib/Kconfig.ubsan | 9 +++++++++
> lib/ubsan.c | 8 +++++---
> scripts/Makefile.ubsan | 5 ++++-
> 9 files changed, 41 insertions(+), 10 deletions(-)
Nice! I assume this will go via the arm64 tree? I could carry it also,
if I get arm64 maintainer Acks...
-Kees
--
Kees Cook
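The cover letter above explains the trap mode on which the EL2 support rests: the compiler replaces the UBSAN handler call with a `brk #imm` whose immediate carries the check type, and the exception handler recovers the type from the ESR. The following is an added illustration of that decoding, written for this page and not code from the series or from the kernel tree. It assumes the AArch64 ESR layout for a BRK64 exception (EC = 0x3c in bits [31:26], the 16-bit BRK comment in bits [15:0]) and assumes the trap encoding used by mainline arm64 for CONFIG_UBSAN_TRAP, `brk #(0x5500 | check_type)` with the check type in the low five bits; the check-type names follow the order in which Clang numbers its sanitizer handlers, and apart from "array index out of bounds", which appears in the quoted log line, those names are this example's own wording. The `_example` suffixes mark the helpers as hypothetical, not the series' functions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed ESR_ELx layout for a BRK instruction executed in AArch64 state:
 * EC = bits [31:26] (0x3c for BRK64), IL = bit 25, ISS = bits [24:0],
 * of which the low 16 bits are the immediate written in "brk #imm". */
#define ESR_EC_SHIFT          26
#define ESR_EC_MASK           0x3fu
#define ESR_EC_BRK64          0x3cu
#define ESR_IL_BIT            (1u << 25)
#define ESR_BRK_COMMENT_MASK  0xffffu

/* Assumed UBSAN trap encoding (mainline arm64 with CONFIG_UBSAN_TRAP):
 * the upper bits identify the trap as UBSAN's, the low five bits carry
 * the check type the compiler wanted to report. */
#define UBSAN_BRK_IMM         0x5500u
#define UBSAN_BRK_MASK        0x001fu

/* Check types in Clang's sanitizer-handler numbering (assumed order).
 * Only the entry that matches the quoted log line uses the kernel's own
 * report wording; the rest are descriptive labels chosen here. */
static const char *const ubsan_check_names[] = {
    "add overflow", "builtin unreachable", "cfi check fail",
    "divrem overflow", "dynamic type cache miss", "float cast overflow",
    "function type mismatch", "implicit conversion", "invalid builtin",
    "invalid objc cast", "load invalid value", "missing return",
    "mul overflow", "negate overflow", "nullability arg",
    "nullability return", "nonnull arg", "nonnull return",
    "array index out of bounds", "pointer overflow", "shift out of bounds",
    "sub overflow", "type mismatch", "alignment assumption",
    "vla bound not positive",
};

/* The check an esr_is_ubsan_brk()-style predicate performs: the exception
 * must be a BRK64 and the immediate must sit in the UBSAN range. Returns
 * 1 for a UBSAN trap, 0 otherwise. */
int esr_is_ubsan_brk_example(uint32_t esr)
{
    uint32_t ec = (esr >> ESR_EC_SHIFT) & ESR_EC_MASK;
    uint32_t comment = esr & ESR_BRK_COMMENT_MASK;

    return ec == ESR_EC_BRK64 && (comment & ~UBSAN_BRK_MASK) == UBSAN_BRK_IMM;
}

/* Extracts the check type from a UBSAN trap; -1 when esr is not one,
 * so a caller never decodes a KGDB, kprobe or other BRK as a UBSAN report. */
int ubsan_check_type_from_esr_example(uint32_t esr)
{
    if (!esr_is_ubsan_brk_example(esr))
        return -1;
    return (int)(esr & UBSAN_BRK_MASK);
}

/* Maps a check type to a printable name, tolerating codes the table lacks
 * (a newer compiler may emit types this decoder does not know). */
const char *ubsan_check_name_example(int check_type)
{
    size_t n = sizeof(ubsan_check_names) / sizeof(ubsan_check_names[0]);

    if (check_type < 0 || (size_t)check_type >= n)
        return "unknown UBSAN check";
    return ubsan_check_names[check_type];
}

/* Builds the ESR a BRK64 with the given immediate would produce; used to
 * construct sample input, since no real exception is taken here. */
uint32_t make_brk64_esr_example(uint16_t imm16)
{
    return (ESR_EC_BRK64 << ESR_EC_SHIFT) | ESR_IL_BIT | imm16;
}

int main(void)
{
    /* Constructed sample: the trap the compiler emits for an out-of-bounds
     * index (check type 18) in trap mode, followed by a non-UBSAN BRK. */
    uint32_t samples[] = {
        make_brk64_esr_example(UBSAN_BRK_IMM | 18),
        make_brk64_esr_example(0x0400),
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int type = ubsan_check_type_from_esr_example(samples[i]);

        if (type < 0)
            printf("esr 0x%08x: not a UBSAN trap\n", samples[i]);
        else
            printf("esr 0x%08x: nVHE hyp UBSAN: %s\n", samples[i],
                   ubsan_check_name_example(type));
    }
    return 0;
}
```

The split into a predicate and a decoder mirrors the division of labour the series describes: the exit handler only needs the predicate to decide that a BRK from EL2 is a UBSAN trap rather than some other debug break, and the existing kernel-side decoding then turns the low bits into the message in the quoted log line.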