Message-ID: <aWkVn8iY27APFYy_@wieczorr-mobl1.localdomain>
Date: Thu, 15 Jan 2026 16:43:08 +0000
From: Maciej Wieczor-Retman <m.wieczorretman@...me>
To: Andrey Konovalov <andreyknvl@...il.com>
Cc: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>, Andrey Ryabinin <ryabinin.a.a@...il.com>, Alexander Potapenko <glider@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, Vincenzo Frascino <vincenzo.frascino@....com>, Thomas Gleixner <tglx@...nel.org>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, Andrew Morton <akpm@...ux-foundation.org>, kasan-dev@...glegroups.com, linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH v8 13/14] x86/kasan: Logical bit shift for kasan_mem_to_shadow

On 2026-01-15 at 04:57:15 +0100, Andrey Konovalov wrote:
>On Wed, Jan 14, 2026 at 5:52 PM Maciej Wieczor-Retman
><maciej.wieczor-retman@...el.com> wrote:
>>
>> I'm a fan of trying to keep as much arch code in the arch directories.
>>
>> How about before putting a call here instead like:
>>
>> if (IS_ENABLED(CONFIG_KASAN_GENERIC)) {
>> if (addr < (unsigned long)kasan_mem_to_shadow((void *)(0ULL)) ||
>> addr > (unsigned long)kasan_mem_to_shadow((void *)(~0ULL)))
>> return;
>> }
>>
>> arch_kasan_non_canonical_hook()
>>
>> There would be the generic non-arch part above (and anything shared that might
>> make sense here in the future) and all the arch related code would be hidden in
>> the per-arch helper.
>>
>> So then we could move the part below:
>> if (IS_ENABLED(CONFIG_KASAN_SW_TAGS) && IS_ENABLED(CONFIG_ARM64)) {
>> if (addr < (unsigned long)kasan_mem_to_shadow((void *)(0xFFULL << 56)) ||
>> addr > (unsigned long)kasan_mem_to_shadow((void *)(~0ULL)))
>> return;
>> }
>> to /arch/arm64.
>>
>> For x86 we'd need to duplicate the generic part into
>> arch_kasan_non_canonical_hook() call in /arch/x86. That seems quite tidy to me,
>> granted the duplication isn't great but it would keep the non-arch part as
>> shared as possible. What do you think?
>
>Sounds good to me too, thanks!

x86 was easy to do because the kasan_mem_to_shadow() was already in the
asm/kasan.h. arm64 took a bit more changes since I had to write the
arch_kasan_non_canonical_hook in a separate file that would import the
linux/kasan.h header in order to use kasan_mem_to_shadow(). Anyway below are the
relevant bits from the patch - does that look okay? Or would you prefer some
different names/placements?
diff --git a/arch/arm64/include/asm/kasan.h b/arch/arm64/include/asm/kasan.h
index b167e9d3da91..16b1f2ca3ea8 100644
--- a/arch/arm64/include/asm/kasan.h
+++ b/arch/arm64/include/asm/kasan.h
@@ -17,6 +17,8 @@
asmlinkage void kasan_early_init(void);
void kasan_init(void);
+bool __arch_kasan_non_canonical_hook(unsigned long addr);
+#define arch_kasan_non_canonical_hook(addr) __arch_kasan_non_canonical_hook(addr)
#else
static inline void kasan_init(void) { }
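Review bot: The `__arch_kasan_non_canonical_hook` declaration plus the function-like `#define` wrapper adds a second name with no visible benefit. Declaring `bool arch_kasan_non_canonical_hook(unsigned long addr);` and following it with `#define arch_kasan_non_canonical_hook arch_kasan_non_canonical_hook` would give the `#ifndef` in include/linux/kasan.h the same signal with a single symbol. Either way, the override only takes effect if this header is seen before that `#ifndef`, which is worth stating in a comment next to the define.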
diff --git a/arch/arm64/mm/Makefile b/arch/arm64/mm/Makefile
index c26489cf96cd..a122ea67eced 100644
--- a/arch/arm64/mm/Makefile
+++ b/arch/arm64/mm/Makefile
@@ -15,4 +15,6 @@ obj-$(CONFIG_ARM64_GCS) += gcs.o
KASAN_SANITIZE_physaddr.o += n
obj-$(CONFIG_KASAN) += kasan_init.o
+obj-$(CONFIG_KASAN) += kasan.o
KASAN_SANITIZE_kasan_init.o := n
+KASAN_SANITIZE_kasan.o := n
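Review bot: `obj-$(CONFIG_KASAN) += kasan.o` builds the new object for every KASAN mode, but the only function in kasan.c does work solely under `IS_ENABLED(CONFIG_KASAN_SW_TAGS)` and returns false otherwise. Consider `obj-$(CONFIG_KASAN_SW_TAGS) += kasan.o`, with the declaration and define in asm/kasan.h guarded the same way, so the other modes fall back to the generic inline stub instead of making an out-of-line call that always returns false.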
diff --git a/arch/arm64/mm/kasan.c b/arch/arm64/mm/kasan.c
new file mode 100644
index 000000000000..b94d5fb480ca
--- /dev/null
+++ b/arch/arm64/mm/kasan.c
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * This file contains ARM64 specific KASAN code.
+ */
+
+#include <linux/kasan.h>
+
+bool __arch_kasan_non_canonical_hook(unsigned long addr) {
+ /*
+ * For Software Tag-Based KASAN, kasan_mem_to_shadow() uses the
+ * arithmetic shift. Normally, this would make checking for a possible
+ * shadow address complicated, as the shadow address computation
+ * operation would overflow only for some memory addresses. However, due
+ * to the chosen KASAN_SHADOW_OFFSET values and the fact the
+ * kasan_mem_to_shadow() only operates on pointers with the tag reset,
+ * the overflow always happens.
+ *
+ * For arm64, the top byte of the pointer gets reset to 0xFF. Thus, the
+ * possible shadow addresses belong to a region that is the result of
+ * kasan_mem_to_shadow() applied to the memory range
+ * [0xFF000000000000, 0xFFFFFFFFFFFFFFFF]. Despite the overflow, the
+ * resulting possible shadow region is contiguous, as the overflow
+ * happens for both 0xFF000000000000 and 0xFFFFFFFFFFFFFFFF.
+ */
+ if (IS_ENABLED(CONFIG_KASAN_SW_TAGS)) {
+ if (addr < (unsigned long)kasan_mem_to_shadow((void *)(0xFFULL << 56)) ||
+ addr > (unsigned long)kasan_mem_to_shadow((void *)(~0ULL)))
+ return true;
+ }
+ return false;
+}
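Review bot: The range in the comment, `[0xFF000000000000, 0xFFFFFFFFFFFFFFFF]`, has a lower bound with only 14 hex digits, while the code below it uses `0xFFULL << 56`, which is 0xFF00000000000000; both occurrences of the lower bound in the comment are missing two zeros and should be corrected so the comment matches the check. As a style point, the opening brace of `__arch_kasan_non_canonical_hook()` sits on the declaration line, whereas kernel coding style puts a function's opening brace on its own line.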
diff --git a/include/linux/kasan.h b/include/linux/kasan.h
index 9c6ac4b62eb9..146eecae4e9c 100644
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
...
@@ -403,6 +409,13 @@ static __always_inline bool kasan_check_byte(const void *addr)
return true;
}
+#ifndef arch_kasan_non_canonical_hook
+static inline bool arch_kasan_non_canonical_hook(unsigned long addr)
+{
+ return false;
+}
+#endif
+
#else /* CONFIG_KASAN */
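Review bot: The fallback `arch_kasan_non_canonical_hook()` stub has no comment describing its contract, and the meaning of the return value is not obvious from the name: the caller in mm/kasan/report.c returns early when it gets true. A short comment above the `#ifndef` stating that true means the address lies outside the range of possible shadow addresses, and that an architecture overrides the stub by defining the macro in its asm header, would document this for the next architecture that needs it.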
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 62c01b4527eb..1c4893729ff6 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -642,10 +642,19 @@ void kasan_non_canonical_hook(unsigned long addr)
const char *bug_type;
/*
- * All addresses that came as a result of the memory-to-shadow mapping
- * (even for bogus pointers) must be >= KASAN_SHADOW_OFFSET.
+ * For Generic KASAN, kasan_mem_to_shadow() uses the logical right shift
+ * and never overflows with the chosen KASAN_SHADOW_OFFSET values. Thus,
+ * the possible shadow addresses (even for bogus pointers) belong to a
+ * single contiguous region that is the result of kasan_mem_to_shadow()
+ * applied to the whole address space.
*/
- if (addr < KASAN_SHADOW_OFFSET)
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC)) {
+ if (addr < (unsigned long)kasan_mem_to_shadow((void *)(0ULL)) ||
+ addr > (unsigned long)kasan_mem_to_shadow((void *)(~0ULL)))
+ return;
+ }
+
+ if(arch_kasan_non_canonical_hook(addr))
return;
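Review bot: With the `addr < KASAN_SHADOW_OFFSET` check removed, every non-generic mode now depends entirely on `arch_kasan_non_canonical_hook()` for filtering, and the default stub returns false, so an architecture that enables a tag-based mode without overriding the hook performs no range check here at all. A sentence in the comment above the call stating that expectation would make the dependency explicit. As a style point, `if(arch_kasan_non_canonical_hook(addr))` is missing the space after `if`.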
--
Kind regards
Maciej Wieczór-Retman