From: Johannes Berg <johannes@sipsolutions.net>
To: Patricia Alfonso <trishalfonso@google.com>,
	Jeff Dike <jdike@addtoit.com>,
	Richard Weinberger <richard@nod.at>,
	anton.ivanov@cambridgegreys.com,
	Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Brendan Higgins <brendanhiggins@google.com>,
	David Gow <davidgow@google.com>
Cc: linux-um@lists.infradead.org, LKML <linux-kernel@vger.kernel.org>,
	kasan-dev <kasan-dev@googlegroups.com>
Subject: Re: [PATCH] UML: add support for KASAN under x86_64
Date: Wed, 11 Mar 2020 12:18:53 +0100
Message-ID: <674ad16d7de34db7b562a08b971bdde179158902.camel@sipsolutions.net>
In-Reply-To: <4b8c1696f658b4c6c393956734d580593b55c4c0.camel@sipsolutions.net>

On Wed, 2020-03-11 at 11:32 +0100, Johannes Berg wrote:
> 
> I do see issues with modules though, e.g. 
> https://p.sipsolutions.net/1a2df5f65d885937.txt
> 
> where we seem to get some real confusion when lockdep is storing the
> stack trace??
> 
> And https://p.sipsolutions.net/9a97e8f68d8d24b7.txt, where something
> convinces ASAN that an address is a user address (it might even be
> right?) and it disallows kernel access to it?

I can work around both of these by not freeing the original module copy
in kernel/module.c:

        /* Get rid of temporary copy. */
//      free_copy(info);

but I really have no idea why we get this in the first place?

Another interesting data point is that it never happens on the first
module.

Also, I've managed to get a report like this:

Memory state around the buggy address:
 000000007106cf00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
 000000007106cf80: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
>000000007106d000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
                   ^
 000000007106d080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
 000000007106d100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b


which indicates that something's _really_ off with the KASAN shadow?


Ohhh ...

$ gdb -p ...
(gdb) p/x task_size
$1 = 0x7fc0000000
(gdb) p/x __end_of_fixed_addresses
$2 = 0x0
(gdb) p/x end_iomem
$3 = 0x70000000
(gdb) p/x __va_space

#define TASK_SIZE (task_size)
#define FIXADDR_TOP        (TASK_SIZE - 2 * PAGE_SIZE)

#define FIXADDR_START      (FIXADDR_TOP - FIXADDR_SIZE)
#define FIXADDR_SIZE       (__end_of_fixed_addresses << PAGE_SHIFT)

#define VMALLOC_END       (FIXADDR_START-2*PAGE_SIZE)

#define MODULES_VADDR   VMALLOC_START
#define MODULES_END       VMALLOC_END
#define VMALLOC_START ((end_iomem + VMALLOC_OFFSET) & ~(VMALLOC_OFFSET-1))
#define VMALLOC_OFFSET  (__va_space)
#define __va_space (8*1024*1024)


So from that, it would look like the UML vmalloc area is from
0x70800000 all the way to 0x7fbfffc000, which obviously clashes with
the KASAN_SHADOW_OFFSET being just 0x7fff8000.


I'm guessing that basically the module loading overwrote the kasan
shadow then?

I tried changing it

 config KASAN_SHADOW_OFFSET
        hex
        depends on KASAN
-       default 0x7fff8000
+       default 0x8000000000
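Review bot: the new default 0x8000000000 is a bare number with no comment or help text recording what it was derived from; note next to it that it has to sit above task_size (0x7fc0000000 in the gdb output above) and that, with the generic KASAN mapping shadow = (addr >> 3) + KASAN_SHADOW_OFFSET, the shadow of [0, task_size) then occupies 0x8000000000 up to roughly 0x80ff8000000, so the next reader does not have to redo the arithmetic. For comparison, with the old 0x7fff8000 default the shadow of the vmalloc area (0x70800000..0x7fbfffc000) starts at 0x8e0f8000, i.e. inside the vmalloc area itself, which is consistent with module loading clobbering the shadow as suspected above.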


and also put a check in like this:

+++ b/arch/um/kernel/um_arch.c
@@ -13,6 +13,7 @@
 #include <linux/sched.h>
 #include <linux/sched/task.h>
 #include <linux/kmsg_dump.h>
+#include <linux/kasan.h>
 
 #include <asm/pgtable.h>
 #include <asm/processor.h>
@@ -267,9 +268,11 @@ int __init linux_main(int argc, char **argv)
        /*
         * TASK_SIZE needs to be PGDIR_SIZE aligned or else exit_mmap craps
         * out
         */
        task_size = host_task_size & PGDIR_MASK;
 
+       if (task_size > KASAN_SHADOW_OFFSET)
+               panic("KASAN shadow offset must be bigger than task size");
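Review bot: the check `if (task_size > KASAN_SHADOW_OFFSET)` only guarantees that the shadow region starts above the UML address space; it says nothing about whether the shadow pages for a given range are actually populated, and the oops below shows exactly that gap: the fault address 0x800e0210cd equals KASAN_SHADOW_OFFSET + (0x7010866c >> 3), i.e. the shadow byte for the vmalloc/module address held in RDI, so the shadow for that range was not mapped when `__free_pages` was instrumented. Separately, `KASAN_SHADOW_OFFSET` only exists when CONFIG_KASAN is set (the Kconfig symbol above has `depends on KASAN`), so this block needs an `#ifdef CONFIG_KASAN` around it to keep non-KASAN UML builds compiling.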


but now I just crash accessing the shadow even though it was mapped fine?


Pid: 504, comm: modprobe Tainted: G           O      5.5.0-rc6-00009-g09462ab4014b-dirty
RIP:  
RSP: 000000006d68fa90  EFLAGS: 00010202
RAX: 000000800e0210cd RBX: 000000007010866f RCX: 00000000601a9777
RDX: 000000800e0210ce RSI: 0000000000000004 RDI: 000000007010866c
RBP: 000000006d68faa0 R08: 000000800e0210cd R09: 0000000060041432
R10: 000000800e0210ce R11: 0000000000000001 R12: 000000800e0210cd
R13: 0000000000000000 R14: 0000000000000001 R15: 00000000601c2e82
Kernel panic - not syncing: Kernel mode fault at addr 0x800e0210cd, ip 0x601c332b
CPU: 0 PID: 504 Comm: modprobe Tainted: G           O      5.5.0-rc6-00009-g09462ab4014b-dirty #24
Stack:
601c2f89 70108638 6d68fab0 601c1209
6d68fad0 601a9777 6cf2b240 7317f000
6d68fb40 601a2ae9 6f15b118 00000001
Call Trace:
? __asan_load8 (/home/tester/vlab/linux/mm/kasan/generic.c:252) 
__kasan_check_write (/home/tester/vlab/linux/mm/kasan/common.c:102) 
__free_pages (/home/tester/vlab/linux/./arch/x86/include/asm/atomic.h:125 /home/tester/vlab/linux/./include/asm-generic/atomic-instrumented.h:748 /home/tester/vlab/linux/./include/linux/page_ref.h:139 /home/tester/vlab/linux/./include/linux/mm.h:593 /home/tester/vlab/linux/mm/page_alloc.c:4823) 
__vunmap (/home/tester/vlab/linux/mm/vmalloc.c:2303 (discriminator 2)) 
? __asan_load4 (/home/tester/vlab/linux/mm/kasan/generic.c:251) 
? sysfs_create_bin_file (/home/tester/vlab/linux/fs/sysfs/file.c:537) 
__vfree (/home/tester/vlab/linux/mm/vmalloc.c:2356) 
? delete_object_full (/home/tester/vlab/linux/mm/kmemleak.c:693) 
vfree (/home/tester/vlab/linux/mm/vmalloc.c:2386) 
? sysfs_create_bin_file (/home/tester/vlab/linux/fs/sysfs/file.c:537) 
? __asan_load8 (/home/tester/vlab/linux/mm/kasan/generic.c:252) 
load_module (/home/tester/vlab/linux/./include/linux/jump_label.h:254 /home/tester/vlab/linux/./include/linux/jump_label.h:264 /home/tester/vlab/linux/./include/trace/events/module.h:31 /home/tester/vlab/linux/kernel/module.c:3927) 
? kernel_read_file_from_fd (/home/tester/vlab/linux/fs/exec.c:993) 
? __asan_load8 (/home/tester/vlab/linux/mm/kasan/generic.c:252) 
__do_sys_finit_module (/home/tester/vlab/linux/kernel/module.c:4019) 
? sys_finit_module (/home/tester/vlab/linux/kernel/module.c:3995) 
? __asan_store8 (/home/tester/vlab/linux/mm/kasan/generic.c:252) 
sys_finit_module (/home/tester/vlab/linux/kernel/module.c:3995) 
handle_syscall (/home/tester/vlab/linux/arch/um/kernel/skas/syscall.c:44) 
userspace (/home/tester/vlab/linux/arch/um/os-Linux/skas/process.c:173 /home/tester/vlab/linux/arch/um/os-Linux/skas/process.c:416) 
? save_registers (/home/tester/vlab/linux/arch/um/os-Linux/registers.c:18) 
? arch_prctl (/home/tester/vlab/linux/arch/x86/um/syscalls_64.c:65) 
? calculate_sigpending (/home/tester/vlab/linux/kernel/signal.c:200) 
? __asan_load8 (/home/tester/vlab/linux/mm/kasan/generic.c:252) 
? __asan_load8 (/home/tester/vlab/linux/mm/kasan/generic.c:252) 
? __asan_load8 (/home/tester/vlab/linux/mm/kasan/generic.c:252) 
fork_handler (/home/tester/vlab/linux/arch/um/kernel/process.c:154) 

johannes
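As an added illustration, not code from the thread or from the UML/KASAN patch, the C below reproduces the layout arithmetic from the macros and gdb values quoted in the mail and checks where the generic-KASAN shadow of each region lands for the old and the new KASAN_SHADOW_OFFSET; it also verifies that the faulting address in the oops is the shadow address of the value in RDI. It assumes PAGE_SHIFT is 12 and the generic KASAN scale shift of 3 (one shadow byte per 8 bytes).

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants: 4 KiB pages and generic KASAN (8 bytes per shadow byte). */
#define PAGE_SHIFT          12
#define PAGE_SIZE           (1ULL << PAGE_SHIFT)
#define VA_SPACE            (8ULL * 1024 * 1024)   /* __va_space from the mail */
#define KASAN_SCALE_SHIFT   3

/* VMALLOC_START = (end_iomem + VMALLOC_OFFSET) & ~(VMALLOC_OFFSET - 1) */
static uint64_t uml_vmalloc_start(uint64_t end_iomem)
{
    return (end_iomem + VA_SPACE) & ~(VA_SPACE - 1);
}

/* VMALLOC_END = FIXADDR_START - 2*PAGE_SIZE, with
 * FIXADDR_START = (TASK_SIZE - 2*PAGE_SIZE) - (__end_of_fixed_addresses << PAGE_SHIFT) */
static uint64_t uml_vmalloc_end(uint64_t task_size, uint64_t end_of_fixed_addresses)
{
    uint64_t fixaddr_size  = end_of_fixed_addresses << PAGE_SHIFT;
    uint64_t fixaddr_top   = task_size - 2 * PAGE_SIZE;
    uint64_t fixaddr_start = fixaddr_top - fixaddr_size;
    return fixaddr_start - 2 * PAGE_SIZE;
}

/* Generic KASAN: shadow byte for addr lives at (addr >> 3) + KASAN_SHADOW_OFFSET. */
static uint64_t kasan_mem_to_shadow(uint64_t addr, uint64_t shadow_offset)
{
    return (addr >> KASAN_SCALE_SHIFT) + shadow_offset;
}

/* True when the shadow of [lo, hi) overlaps [lo, hi) itself, i.e. ordinary
 * writes into that region can clobber their own shadow bytes. */
static bool shadow_overlaps_region(uint64_t lo, uint64_t hi, uint64_t shadow_offset)
{
    uint64_t slo = kasan_mem_to_shadow(lo, shadow_offset);
    uint64_t shi = kasan_mem_to_shadow(hi, shadow_offset);
    return slo < hi && shi > lo;
}

int main(void)
{
    /* Values taken from the gdb session in the mail. */
    uint64_t task_size = 0x7fc0000000ULL, end_iomem = 0x70000000ULL;
    uint64_t vs = uml_vmalloc_start(end_iomem), ve = uml_vmalloc_end(task_size, 0);
    uint64_t offsets[] = { 0x7fff8000ULL, 0x8000000000ULL };   /* old and new default */

    printf("vmalloc/modules: 0x%" PRIx64 " - 0x%" PRIx64 "\n", vs, ve);
    for (int i = 0; i < 2; i++)
        printf("offset 0x%" PRIx64 ": shadow of vmalloc 0x%" PRIx64 "-0x%" PRIx64 " %s\n",
               offsets[i], kasan_mem_to_shadow(vs, offsets[i]),
               kasan_mem_to_shadow(ve, offsets[i]),
               shadow_overlaps_region(vs, ve, offsets[i]) ? "OVERLAPS vmalloc"
                                                           : "is clear of vmalloc");
    /* RDI in the oops is 0x7010866c; the fault address is 0x800e0210cd. */
    printf("fault addr is shadow(RDI) with new offset: %s\n",
           kasan_mem_to_shadow(0x7010866cULL, 0x8000000000ULL) == 0x800e0210cdULL ? "yes" : "no");
    return 0;
}
```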

