| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1cd29a46-3c17-42ca-af41-ed0a645b29c3@gmail.com>
Date: Wed, 27 Aug 2025 16:45:03 +0200
From: Andrey Ryabinin <ryabinin.a.a@...il.com>
To: Tengda Wu <wutengda@...weicloud.com>, x86@...nel.org
Cc: Thomas Gleixner <tglx@...utronix.de>,
Alexander Potapenko <glider@...gle.com>,
Andrey Konovalov <andreyknvl@...il.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, Dmitry Vyukov
<dvyukov@...gle.com>, Ingo Molnar <mingo@...hat.com>,
linux-kernel@...r.kernel.org, Peter Zijlstra <peterz@...radead.org>,
Josh Poimboeuf <jpoimboe@...hat.com>
Subject: Re: [PATCH -next] x86: Prevent KASAN false positive warnings in
__show_regs()
On 8/18/25 3:07 PM, Tengda Wu wrote:
> When process A accesses process B's `regs` from stack memory through
> __show_regs(), the stack of process B keeps changing during runtime.
> This causes false positives like "stack out-of-bounds" [1] or
> "out-of-bounds" [2] warnings when reading `regs` contents.
>
> Add __no_sanitize_address attribute to __show_regs() to suppress these
> false positives while maintaining the ability to debug register states
> across processes.
>
> [1] https://lore.kernel.org/all/000000000000cb8e3a05c4ed84bb@google.com/
> [2] A similar KASAN report:
> [332706.552324] BUG: KASAN: out-of-bounds in __show_regs+0x4b/0x340
> [332706.552433] Read of size 8 at addr ffff88d24999fb20 by task sysrq_t_test.sh/3977032
> [332706.552562]
> [332706.552652] CPU: 36 PID: 3977032 Comm: sysrq_t_test.sh Kdump: loaded Not tainted 6.6.0+ #20
> [332706.552783] Hardware name: Huawei RH2288H V3/BC11HGSA0, BIOS 3.35 10/20/2016
> [332706.552906] Call Trace:
> [332706.552998] <TASK>
> [332706.553089] dump_stack_lvl+0x32/0x50
> [332706.553193] print_address_description.constprop.0+0x6b/0x3d0
> [332706.553303] print_report+0xbe/0x280
> [332706.553409] ? __virt_addr_valid+0xed/0x160
> [332706.553512] ? __show_regs+0x4b/0x340
> [332706.553612] kasan_report+0xa8/0xe0
> [332706.553716] ? __show_regs+0x4b/0x340
> [332706.553816] ? asm_exc_page_fault+0x22/0x30
> [332706.553919] __show_regs+0x4b/0x340
> [332706.554021] ? asm_exc_page_fault+0x22/0x30
> [332706.554123] show_trace_log_lvl+0x274/0x3b0
> [332706.554229] ? load_elf_binary+0xf6e/0x1610
> [332706.554330] ? rep_stos_alternative+0x40/0x80
> [332706.554439] sched_show_task+0x211/0x290
> [332706.554544] ? __pfx_sched_show_task+0x10/0x10
> [332706.554648] ? _find_next_bit+0x6/0xc0
> [332706.554749] ? _find_next_bit+0x37/0xc0
> [332706.554852] show_state_filter+0x72/0x130
> [332706.554956] sysrq_handle_showstate+0x7/0x10
> [332706.555062] __handle_sysrq+0x146/0x2d0
> [332706.555165] write_sysrq_trigger+0x2f/0x50
> [332706.555270] proc_reg_write+0xdd/0x140
> [332706.555372] vfs_write+0x1ff/0x5f0
> [332706.555474] ? __pfx_vfs_write+0x10/0x10
> [332706.555576] ? __pfx___handle_mm_fault+0x10/0x10
> [332706.555682] ? __fget_light+0x99/0xf0
> [332706.555785] ksys_write+0xb8/0x150
> [332706.555887] ? __pfx_ksys_write+0x10/0x10
> [332706.555989] ? ktime_get_coarse_real_ts64+0x4e/0x70
> [332706.556094] do_syscall_64+0x55/0x100
> [332706.556196] entry_SYSCALL_64_after_hwframe+0x78/0xe2
>
> Fixes: 3b3fa11bc700 ("x86/dumpstack: Print any pt_regs found on the stack")
> Signed-off-by: Tengda Wu <wutengda@...weicloud.com>
> ---
> arch/x86/include/asm/kdebug.h | 2 +-
> arch/x86/kernel/process_32.c | 1 +
> arch/x86/kernel/process_64.c | 1 +
> 3 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/include/asm/kdebug.h b/arch/x86/include/asm/kdebug.h
> index d1514e70477b..2e0570d75bbc 100644
> --- a/arch/x86/include/asm/kdebug.h
> +++ b/arch/x86/include/asm/kdebug.h
> @@ -36,7 +36,7 @@ extern void die(const char *, struct pt_regs *,long);
> void die_addr(const char *str, struct pt_regs *regs, long err, long gp_addr);
> extern int __must_check __die(const char *, struct pt_regs *, long);
> extern void show_stack_regs(struct pt_regs *regs);
> -extern void __show_regs(struct pt_regs *regs, enum show_regs_mode,
> +extern void __no_sanitize_address __show_regs(struct pt_regs *regs, enum show_regs_mode,
> const char *log_lvl);
> extern void show_iret_regs(struct pt_regs *regs, const char *log_lvl);
> extern unsigned long oops_begin(void);
> diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
> index 3ef15c2f152f..1b7ed4dee18b 100644
> --- a/arch/x86/kernel/process_32.c
> +++ b/arch/x86/kernel/process_32.c
> @@ -56,6 +56,7 @@
>
> #include "process.h"
>
> +__no_sanitize_address
> void __show_regs(struct pt_regs *regs, enum show_regs_mode mode,
> const char *log_lvl)
> {
> diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
> index 52a5c03c353c..921c96154ce3 100644
> --- a/arch/x86/kernel/process_64.c
> +++ b/arch/x86/kernel/process_64.c
> @@ -66,6 +66,7 @@
> #include "process.h"
>
> /* Prints also some state that isn't saved in the pt_regs */
> +__no_sanitize_address
> void __show_regs(struct pt_regs *regs, enum show_regs_mode mode,
> const char *log_lvl)
> {
__no_sanitize_address affects only __show_regs() function.
But the `regs` are passed down in show_iret_regs()->show_ip()->show_opcodes()
and all these also accesses `regs`
I see several options here:
1. Use kasan_disable_current()/kasan_enable_current() to wrap code accessing `regs`.
And maybe something like:
if (!on_current_stack(regs))
kasan_disable_current();
so we skip kasan reports only if `regs` belong to other task.
2. Sprinkle over __no_sanitize_address all functions accessing `regs`.
But this disable all memory access checks all the time in these functions.
3. Use READ_ONCE_NOCHECK() to read regs->
4. Introduce memcpy_no_sanitize_address(), and use it to copy snapshot of `regs`
somewhere (on the stack of current task ?). But pt_regs is 168 bytes, I'm not sure if this
is acceptable stack usage increment.
Powered by blists - more mailing lists