[v2,0/2] arm64: kasan: log potential KASAN shadow aliases

Message ID 20211207183226.834557-1-mark.rutland@arm.com (mailing list archive)

Message

Mark Rutland Dec. 7, 2021, 6:32 p.m. UTC
When using KASAN_GENERIC or KASAN_SW_TAGS, many representable pointer
values (e.g. NULL) don't have a legitimate shadow address. If KASAN
instrumentation attempts to access the shadow for such pointers, it will
fault on an unusual-looking address, e.g.

| Unable to handle kernel paging request at virtual address dfff800000000001

To make this easier to debug, this series makes the arm64 fault handling
code log the corresponding memory range for potential shadow accesses,
e.g.

| Unable to handle kernel paging request at virtual address dfff800000000017
| KASAN: null-ptr-deref in range [0x00000000000000b8-0x00000000000000bf]

Since v1 [1]:
* Use kasan_non_canonical_hook()
* Drop move of kasan_shadow_to_mem()
* Update commit messages

[1] https://lore.kernel.org/r/20211202112731.3346975-1-mark.rutland@arm.com

Thanks,
Mark.

Mark Rutland (2):
  arm64: mm: use die_kernel_fault() in do_mem_abort()
  arm64: mm: log potential KASAN shadow alias

 arch/arm64/mm/fault.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
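
The address-to-range decoding shown in the cover letter's sample log lines, as an added userspace model (not code from the series or from the kernel tree). The shadow offset is inferred from the sample addresses above; the scale shift, page size, user address-space limit and the two labels other than null-ptr-deref are assumptions modelled on the generic hook the series calls.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values: offset inferred from the addresses in the cover letter,
 * shift 3 (8 bytes per shadow byte, generic KASAN), 4 KiB pages and a
 * 48-bit user address space. All of these depend on the kernel config. */
#define SHADOW_OFFSET      UINT64_C(0xdfff800000000000)
#define SHADOW_SCALE_SHIFT 3
#define MODEL_PAGE_SIZE    UINT64_C(4096)
#define MODEL_TASK_SIZE    (UINT64_C(1) << 48)

struct shadow_alias {
    uint64_t lo, hi;   /* memory range covered by the shadow byte */
    const char *kind;  /* NULL: address is below the shadow offset */
};

/* Invert shadow = (mem >> shift) + offset for a faulting address. */
static struct shadow_alias decode_shadow_fault(uint64_t fault_addr)
{
    struct shadow_alias a = {0, 0, NULL};
    if (fault_addr < SHADOW_OFFSET)
        return a;

    /* Unsigned arithmetic: the shift wraps modulo 2^64. */
    a.lo = (fault_addr - SHADOW_OFFSET) << SHADOW_SCALE_SHIFT;
    a.hi = a.lo + (UINT64_C(1) << SHADOW_SCALE_SHIFT) - 1;

    if (a.lo < MODEL_PAGE_SIZE)
        a.kind = "null-ptr-deref";
    else if (a.lo < MODEL_TASK_SIZE)
        a.kind = "probably user-memory-access";
    else
        a.kind = "maybe wild-memory-access";
    return a;
}

int main(void)
{
    /* The two fault addresses quoted in the cover letter. */
    const uint64_t samples[] = { UINT64_C(0xdfff800000000001),
                                 UINT64_C(0xdfff800000000017) };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct shadow_alias a = decode_shadow_fault(samples[i]);
        printf("%016" PRIx64 ": KASAN: %s in range [0x%016" PRIx64
               "-0x%016" PRIx64 "]\n", samples[i], a.kind, a.lo, a.hi);
    }
    return 0;
}
```

With KASAN_SW_TAGS the shadow granule and offset differ, so both constants have to be changed to match the kernel configuration being triaged.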

Comments

Andrey Konovalov Dec. 10, 2021, 5:46 p.m. UTC | #1
On Tue, Dec 7, 2021 at 7:32 PM Mark Rutland <mark.rutland@arm.com> wrote:
>
> When using KASAN_GENERIC or KASAN_SW_TAGS, many representable pointer
> values (e.g. NULL) don't have a legitimate shadow address. If KASAN
> instrumentation attempts to access the shadow for such pointers, it will
> fault on an unusual-looking address, e.g.
>
> | Unable to handle kernel paging request at virtual address dfff800000000001
>
> To make this easier to debug, this series makes the arm64 fault handling
> code log the corresponding memory range for potential shadow accesses,
> e.g.
>
> | Unable to handle kernel paging request at virtual address dfff800000000017
> | KASAN: null-ptr-deref in range [0x00000000000000b8-0x00000000000000bf]
>
> Since v1 [1]:
> * Use kasan_non_canonical_hook()
> * Drop move of kasan_shadow_to_mem()
> * Update commit messages
>
> [1] https://lore.kernel.org/r/20211202112731.3346975-1-mark.rutland@arm.com
>
> Thanks,
> Mark.
>
> Mark Rutland (2):
>   arm64: mm: use die_kernel_fault() in do_mem_abort()
>   arm64: mm: log potential KASAN shadow alias
>
>  arch/arm64/mm/fault.c | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
>
> --
> 2.30.2
>

Tested-by: Andrey Konovalov <andreyknvl@gmail.com>

Thanks, Mark!

Will Deacon Dec. 13, 2021, 6:24 p.m. UTC | #2
On Tue, Dec 07, 2021 at 06:32:24PM +0000, Mark Rutland wrote:
> When using KASAN_GENERIC or KASAN_SW_TAGS, many representable pointer
> values (e.g. NULL) don't have a legitimate shadow address. If KASAN
> instrumentation attempts to access the shadow for such pointers, it will
> fault on an unusual-looking address, e.g.
> 
> | Unable to handle kernel paging request at virtual address dfff800000000001
> 
> To make this easier to debug, this series makes the arm64 fault handling
> code log the corresponding memory range for potential shadow accesses,
> e.g.
> 
> | Unable to handle kernel paging request at virtual address dfff800000000017
> | KASAN: null-ptr-deref in range [0x00000000000000b8-0x00000000000000bf]

Cheers, that should help with debugging!

Acked-by: Will Deacon <will@kernel.org>

Will

Catalin Marinas Dec. 13, 2021, 7:18 p.m. UTC | #3
On Tue, 7 Dec 2021 18:32:24 +0000, Mark Rutland wrote:
> When using KASAN_GENERIC or KASAN_SW_TAGS, many representable pointer
> values (e.g. NULL) don't have a legitimate shadow address. If KASAN
> instrumentation attempts to access the shadow for such pointers, it will
> fault on an unusual-looking address, e.g.
> 
> | Unable to handle kernel paging request at virtual address dfff800000000001
> 
> [...]

Applied to arm64 (for-next/kasan), thanks!

[1/2] arm64: mm: use die_kernel_fault() in do_mem_abort()
      https://git.kernel.org/arm64/c/6f6cfa586799
[2/2] arm64: mm: log potential KASAN shadow alias
      https://git.kernel.org/arm64/c/07b742a4d912