| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fd65b0ec35f52c6bc714ff333241b828ff74604d.1755004923.git.maciej.wieczor-retman@intel.com>
Date: Tue, 12 Aug 2025 15:23:53 +0200
From: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
To: nathan@...nel.org,
arnd@...db.de,
broonie@...nel.org,
Liam.Howlett@...cle.com,
urezki@...il.com,
will@...nel.org,
kaleshsingh@...gle.com,
rppt@...nel.org,
leitao@...ian.org,
coxu@...hat.com,
surenb@...gle.com,
akpm@...ux-foundation.org,
luto@...nel.org,
jpoimboe@...nel.org,
changyuanl@...gle.com,
hpa@...or.com,
dvyukov@...gle.com,
kas@...nel.org,
corbet@....net,
vincenzo.frascino@....com,
smostafa@...gle.com,
nick.desaulniers+lkml@...il.com,
morbo@...gle.com,
andreyknvl@...il.com,
alexander.shishkin@...ux.intel.com,
thiago.bauermann@...aro.org,
catalin.marinas@....com,
ryabinin.a.a@...il.com,
jan.kiszka@...mens.com,
jbohac@...e.cz,
dan.j.williams@...el.com,
joel.granados@...nel.org,
baohua@...nel.org,
kevin.brodsky@....com,
nicolas.schier@...ux.dev,
pcc@...gle.com,
andriy.shevchenko@...ux.intel.com,
wei.liu@...nel.org,
bp@...en8.de,
ada.coupriediaz@....com,
xin@...or.com,
pankaj.gupta@....com,
vbabka@...e.cz,
glider@...gle.com,
jgross@...e.com,
kees@...nel.org,
jhubbard@...dia.com,
joey.gouly@....com,
ardb@...nel.org,
thuth@...hat.com,
pasha.tatashin@...een.com,
kristina.martsenko@....com,
bigeasy@...utronix.de,
maciej.wieczor-retman@...el.com,
lorenzo.stoakes@...cle.com,
jason.andryuk@....com,
david@...hat.com,
graf@...zon.com,
wangkefeng.wang@...wei.com,
ziy@...dia.com,
mark.rutland@....com,
dave.hansen@...ux.intel.com,
samuel.holland@...ive.com,
kbingham@...nel.org,
trintaeoitogc@...il.com,
scott@...amperecomputing.com,
justinstitt@...gle.com,
kuan-ying.lee@...onical.com,
maz@...nel.org,
tglx@...utronix.de,
samitolvanen@...gle.com,
mhocko@...e.com,
nunodasneves@...ux.microsoft.com,
brgerst@...il.com,
willy@...radead.org,
ubizjak@...il.com,
peterz@...radead.org,
mingo@...hat.com,
sohil.mehta@...el.com
Cc: linux-mm@...ck.org,
linux-kbuild@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
x86@...nel.org,
llvm@...ts.linux.dev,
kasan-dev@...glegroups.com,
linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH v4 17/18] mm: Unpoison vms[area] addresses with a common tag
The problem presented here is related to NUMA systems and tag-based
KASAN mode. It can be explained in the following points:
1. There can be more than one virtual memory chunk.
2. Chunk's base address has a tag.
3. The base address points at the first chunk and thus inherits
the tag of the first chunk.
4. The subsequent chunks will be accessed with the tag from the
first chunk.
5. Thus, the subsequent chunks need to have their tag set to
match that of the first chunk.
Unpoison all vms[]->addr memory and pointers with the same tag to
resolve the mismatch.
Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
---
Changelog v4:
- Move tagging the vms[]->addr to this new patch and leave refactoring
there.
- Comment the fix to provide some context.
mm/kasan/shadow.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c
index b41f74d68916..ee2488371784 100644
--- a/mm/kasan/shadow.c
+++ b/mm/kasan/shadow.c
@@ -646,13 +646,21 @@ void __kasan_poison_vmalloc(const void *start, unsigned long size)
kasan_poison(start, size, KASAN_VMALLOC_INVALID, false);
}
+/*
+ * A tag mismatch happens when calculating per-cpu chunk addresses, because
+ * they all inherit the tag from vms[0]->addr, even when nr_vms is bigger
+ * than 1. This is a problem because all the vms[]->addr come from separate
+ * allocations and have different tags so while the calculated address is
+ * correct the tag isn't.
+ */
void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms)
{
int area;
for (area = 0 ; area < nr_vms ; area++) {
kasan_poison(vms[area]->addr, vms[area]->size,
- arch_kasan_get_tag(vms[area]->addr), false);
+ arch_kasan_get_tag(vms[0]->addr), false);
+ arch_kasan_set_tag(vms[area]->addr, arch_kasan_get_tag(vms[0]->addr));
}
}
--
2.50.1
Powered by blists - more mailing lists