| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+fCnZdUMTQNq=hgn8KbNwv2+LsRqoZ_R0CK0uWnjB41nHzvyg@mail.gmail.com>
Date: Wed, 5 Nov 2025 02:13:22 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: Maciej Wieczor-Retman <m.wieczorretman@...me>
Cc: Andrey Ryabinin <ryabinin.a.a@...il.com>, Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>, Vincenzo Frascino <vincenzo.frascino@....com>,
Andrew Morton <akpm@...ux-foundation.org>, Marco Elver <elver@...gle.com>, stable@...r.kernel.org,
Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>, Baoquan He <bhe@...hat.com>,
kasan-dev@...glegroups.com, linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1 2/2] kasan: Unpoison vms[area] addresses with a common tag
On Tue, Nov 4, 2025 at 3:49 PM Maciej Wieczor-Retman
<m.wieczorretman@...me> wrote:
>
> From: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
>
> A KASAN tag mismatch, possibly causing a kernel panic, can be observed
> on systems with a tag-based KASAN enabled and with multiple NUMA nodes.
> It was reported on arm64 and reproduced on x86. It can be explained in
> the following points:
>
> 1. There can be more than one virtual memory chunk.
> 2. Chunk's base address has a tag.
> 3. The base address points at the first chunk and thus inherits
> the tag of the first chunk.
> 4. The subsequent chunks will be accessed with the tag from the
> first chunk.
> 5. Thus, the subsequent chunks need to have their tag set to
> match that of the first chunk.
>
> Unpoison all vm_structs after allocating them for the percpu allocator.
> Use the same tag to resolve the pcpu chunk address mismatch.
>
> Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS")
> Cc: <stable@...r.kernel.org> # 6.1+
> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
> Tested-by: Baoquan He <bhe@...hat.com>
> ---
> Changelog v1 (after splitting of from the KASAN series):
> - Rewrite the patch message to point at the user impact of the issue.
> - Move helper to common.c so it can be compiled in all KASAN modes.
>
> mm/kasan/common.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/mm/kasan/common.c b/mm/kasan/common.c
> index c63544a98c24..a6bbc68984cd 100644
> --- a/mm/kasan/common.c
> +++ b/mm/kasan/common.c
> @@ -584,12 +584,20 @@ bool __kasan_check_byte(const void *address, unsigned long ip)
> return true;
> }
>
> +/*
> + * A tag mismatch happens when calculating per-cpu chunk addresses, because
> + * they all inherit the tag from vms[0]->addr, even when nr_vms is bigger
> + * than 1. This is a problem because all the vms[]->addr come from separate
> + * allocations and have different tags so while the calculated address is
> + * correct the tag isn't.
> + */
> void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms)
> {
> int area;
>
> for (area = 0 ; area < nr_vms ; area++) {
> kasan_poison(vms[area]->addr, vms[area]->size,
> - arch_kasan_get_tag(vms[area]->addr), false);
> + arch_kasan_get_tag(vms[0]->addr), false);
> + arch_kasan_set_tag(vms[area]->addr, arch_kasan_get_tag(vms[0]->addr));
set_tag() does not set the tag in place, its return value needs to be assigned.
So if this patch fixes the issue, there's something off (is
vms[area]->addr never used for area != 0)?
> }
> }
> --
> 2.51.0
>
>
Powered by blists - more mailing lists