| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+fCnZeuGdKSEm11oGT6FS71_vGq1vjq-xY36kxVdFvwmag2ZQ@mail.gmail.com>
Date: Fri, 5 Dec 2025 02:09:06 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: Maciej Wieczor-Retman <m.wieczorretman@...me>
Cc: Andrey Ryabinin <ryabinin.a.a@...il.com>, Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>, Vincenzo Frascino <vincenzo.frascino@....com>,
Andrew Morton <akpm@...ux-foundation.org>, Marco Elver <elver@...gle.com>, jiayuan.chen@...ux.dev,
stable@...r.kernel.org,
Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>, kasan-dev@...glegroups.com,
linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 3/3] kasan: Unpoison vms[area] addresses with a common tag
On Thu, Dec 4, 2025 at 8:00 PM Maciej Wieczor-Retman
<m.wieczorretman@...me> wrote:
>
> From: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
>
> A KASAN tag mismatch, possibly causing a kernel panic, can be observed
> on systems with a tag-based KASAN enabled and with multiple NUMA nodes.
> It was reported on arm64 and reproduced on x86. It can be explained in
> the following points:
>
> 1. There can be more than one virtual memory chunk.
> 2. Chunk's base address has a tag.
> 3. The base address points at the first chunk and thus inherits
> the tag of the first chunk.
> 4. The subsequent chunks will be accessed with the tag from the
> first chunk.
> 5. Thus, the subsequent chunks need to have their tag set to
> match that of the first chunk.
>
> Use the new vmalloc flag that disables random tag assignment in
> __kasan_unpoison_vmalloc() - pass the same random tag to all the
> vm_structs by tagging the pointers before they go inside
> __kasan_unpoison_vmalloc(). Assigning a common tag resolves the pcpu
> chunk address mismatch.
>
> Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS")
> Cc: <stable@...r.kernel.org> # 6.1+
> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
> ---
> Changelog v3:
> - Redo the patch by using a flag instead of a new argument in
> __kasan_unpoison_vmalloc() (Andrey Konovalov)
>
> Changelog v2:
> - Revise the whole patch to match the fixed refactorization from the
> first patch.
>
> Changelog v1:
> - Rewrite the patch message to point at the user impact of the issue.
> - Move helper to common.c so it can be compiled in all KASAN modes.
>
> mm/kasan/common.c | 23 ++++++++++++++++++++---
> 1 file changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/mm/kasan/common.c b/mm/kasan/common.c
> index 1ed6289d471a..496bb2c56911 100644
> --- a/mm/kasan/common.c
> +++ b/mm/kasan/common.c
> @@ -591,11 +591,28 @@ void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
> unsigned long size;
> void *addr;
> int area;
> + u8 tag;
> +
> + /*
> + * If KASAN_VMALLOC_KEEP_TAG was set at this point, all vms[] pointers
> + * would be unpoisoned with the KASAN_TAG_KERNEL which would disable
> + * KASAN checks down the line.
> + */
> + if (flags & KASAN_VMALLOC_KEEP_TAG) {
I think we can do a WARN_ON() here: passing KASAN_VMALLOC_KEEP_TAG to
this function would be a bug in KASAN annotations and thus a kernel
bug. Therefore, printing a WARNING seems justified.
> + pr_warn("KASAN_VMALLOC_KEEP_TAG flag shouldn't be already set!\n");
> + return;
> + }
> +
> + size = vms[0]->size;
> + addr = vms[0]->addr;
> + vms[0]->addr = __kasan_unpoison_vmalloc(addr, size, flags);
> + tag = get_tag(vms[0]->addr);
>
> - for (area = 0 ; area < nr_vms ; area++) {
> + for (area = 1 ; area < nr_vms ; area++) {
> size = vms[area]->size;
> - addr = vms[area]->addr;
> - vms[area]->addr = __kasan_unpoison_vmalloc(addr, size, flags);
> + addr = set_tag(vms[area]->addr, tag);
> + vms[area]->addr =
> + __kasan_unpoison_vmalloc(addr, size, flags | KASAN_VMALLOC_KEEP_TAG);
> }
> }
> #endif
> --
> 2.52.0
>
With WARN_ON():
Reviewed-by: Andrey Konovalov <andreyknvl@...il.com>
Thank you!
Powered by blists - more mailing lists