[PATCH] arm64: Mitigate MTE issues with str{n}cmp()

[PATCH] arm64: Mitigate MTE issues with str{n}cmp()

[Robin Murphy]

As with strlen(), the patches importing the updated str{n}cmp()
implementations were originally developed and tested before the
advent of CONFIG_KASAN_HW_TAGS, and have subsequently revealed
not to be MTE-safe. Since in-kernel MTE is still a rather niche
case, let it temporarily fall back to the generic C versions for
correctness until we can figure out the best fix.

Reported-by: Branislav Rankov <branislav.rankov@arm.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
---
 arch/arm64/include/asm/assembler.h | 5 +++++
 arch/arm64/include/asm/string.h    | 2 ++
 arch/arm64/lib/strcmp.S            | 2 +-
 arch/arm64/lib/strncmp.S           | 2 +-
 4 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h
index 89faca0e740d..bfa58409a4d4 100644
--- a/arch/arm64/include/asm/assembler.h
+++ b/arch/arm64/include/asm/assembler.h
@@ -525,6 +525,11 @@ alternative_endif
 #define EXPORT_SYMBOL_NOKASAN(name)	EXPORT_SYMBOL(name)
 #endif
 
+#ifdef CONFIG_KASAN_HW_TAGS
+#define EXPORT_SYMBOL_NOHWKASAN(name)
+#else
+#define EXPORT_SYMBOL_NOHWKASAN(name)	EXPORT_SYMBOL_NOKASAN(name)
+#endif
 	/*
 	 * Emit a 64-bit absolute little endian symbol reference in a way that
 	 * ensures that it will be resolved at build time, even when building a
diff --git a/arch/arm64/include/asm/string.h b/arch/arm64/include/asm/string.h
index 3a3264ff47b9..95f7686b728d 100644
--- a/arch/arm64/include/asm/string.h
+++ b/arch/arm64/include/asm/string.h
@@ -12,11 +12,13 @@ extern char *strrchr(const char *, int c);
 #define __HAVE_ARCH_STRCHR
 extern char *strchr(const char *, int c);
 
+#ifndef CONFIG_KASAN_HW_TAGS
 #define __HAVE_ARCH_STRCMP
 extern int strcmp(const char *, const char *);
 
 #define __HAVE_ARCH_STRNCMP
 extern int strncmp(const char *, const char *, __kernel_size_t);
+#endif
 
 #define __HAVE_ARCH_STRLEN
 extern __kernel_size_t strlen(const char *);
diff --git a/arch/arm64/lib/strcmp.S b/arch/arm64/lib/strcmp.S
index d7bee210a798..83bcad72ec97 100644
--- a/arch/arm64/lib/strcmp.S
+++ b/arch/arm64/lib/strcmp.S
@@ -173,4 +173,4 @@ L(done):
 	ret
 
 SYM_FUNC_END_PI(strcmp)
-EXPORT_SYMBOL_NOKASAN(strcmp)
+EXPORT_SYMBOL_NOHWKASAN(strcmp)
diff --git a/arch/arm64/lib/strncmp.S b/arch/arm64/lib/strncmp.S
index 48d44f7fddb1..e42bcfcd37e6 100644
--- a/arch/arm64/lib/strncmp.S
+++ b/arch/arm64/lib/strncmp.S
@@ -258,4 +258,4 @@ L(ret0):
 	ret
 
 SYM_FUNC_END_PI(strncmp)
-EXPORT_SYMBOL_NOKASAN(strncmp)
+EXPORT_SYMBOL_NOHWKASAN(strncmp)
-- 
2.21.0.dirty


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] arm64: Mitigate MTE issues with str{n}cmp()

[Mark Rutland]

On Fri, Sep 17, 2021 at 03:59:30PM +0100, Robin Murphy wrote:
> As with strlen(), the patches importing the updated str{n}cmp()
> implementations were originally developed and tested before the
> advent of CONFIG_KASAN_HW_TAGS, and have subsequently revealed
> not to be MTE-safe. Since in-kernel MTE is still a rather niche
> case, let it temporarily fall back to the generic C versions for
> correctness until we can figure out the best fix.
> 
> Reported-by: Branislav Rankov <branislav.rankov@arm.com>
> Signed-off-by: Robin Murphy <robin.murphy@arm.com>
> ---
>  arch/arm64/include/asm/assembler.h | 5 +++++
>  arch/arm64/include/asm/string.h    | 2 ++
>  arch/arm64/lib/strcmp.S            | 2 +-
>  arch/arm64/lib/strncmp.S           | 2 +-
>  4 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h
> index 89faca0e740d..bfa58409a4d4 100644
> --- a/arch/arm64/include/asm/assembler.h
> +++ b/arch/arm64/include/asm/assembler.h
> @@ -525,6 +525,11 @@ alternative_endif
>  #define EXPORT_SYMBOL_NOKASAN(name)	EXPORT_SYMBOL(name)
>  #endif
>  
> +#ifdef CONFIG_KASAN_HW_TAGS
> +#define EXPORT_SYMBOL_NOHWKASAN(name)
> +#else
> +#define EXPORT_SYMBOL_NOHWKASAN(name)	EXPORT_SYMBOL_NOKASAN(name)
> +#endif

I think that depending on how we solve this in future, we might want to
have:

* EXPORT_SYMBOL_NOSWKASAN for generic/sw-tags
  (this would be a rename of the existing EXPORT_SYMBOL_NOKASAN)

* EXPORT_SYMBOL_NOHWKASAN for hw tags

* EXPORT_SYMBOL_NOKASAN for generic/sw-tags/hw-tags

... so then it's a bit clearer what's handled in each case.

Regardless, for now this is certainly good enough. FWIW:

Acked-by: Mark Rutland <mark.rutland@arm.com>

Thanks,
Mark.

>  	/*
>  	 * Emit a 64-bit absolute little endian symbol reference in a way that
>  	 * ensures that it will be resolved at build time, even when building a
> diff --git a/arch/arm64/include/asm/string.h b/arch/arm64/include/asm/string.h
> index 3a3264ff47b9..95f7686b728d 100644
> --- a/arch/arm64/include/asm/string.h
> +++ b/arch/arm64/include/asm/string.h
> @@ -12,11 +12,13 @@ extern char *strrchr(const char *, int c);
>  #define __HAVE_ARCH_STRCHR
>  extern char *strchr(const char *, int c);
>  
> +#ifndef CONFIG_KASAN_HW_TAGS
>  #define __HAVE_ARCH_STRCMP
>  extern int strcmp(const char *, const char *);
>  
>  #define __HAVE_ARCH_STRNCMP
>  extern int strncmp(const char *, const char *, __kernel_size_t);
> +#endif
>  
>  #define __HAVE_ARCH_STRLEN
>  extern __kernel_size_t strlen(const char *);
> diff --git a/arch/arm64/lib/strcmp.S b/arch/arm64/lib/strcmp.S
> index d7bee210a798..83bcad72ec97 100644
> --- a/arch/arm64/lib/strcmp.S
> +++ b/arch/arm64/lib/strcmp.S
> @@ -173,4 +173,4 @@ L(done):
>  	ret
>  
>  SYM_FUNC_END_PI(strcmp)
> -EXPORT_SYMBOL_NOKASAN(strcmp)
> +EXPORT_SYMBOL_NOHWKASAN(strcmp)
> diff --git a/arch/arm64/lib/strncmp.S b/arch/arm64/lib/strncmp.S
> index 48d44f7fddb1..e42bcfcd37e6 100644
> --- a/arch/arm64/lib/strncmp.S
> +++ b/arch/arm64/lib/strncmp.S
> @@ -258,4 +258,4 @@ L(ret0):
>  	ret
>  
>  SYM_FUNC_END_PI(strncmp)
> -EXPORT_SYMBOL_NOKASAN(strncmp)
> +EXPORT_SYMBOL_NOHWKASAN(strncmp)
> -- 
> 2.21.0.dirty
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] arm64: Mitigate MTE issues with str{n}cmp()

[Catalin Marinas]

On Fri, 17 Sep 2021 15:59:30 +0100, Robin Murphy wrote:
> As with strlen(), the patches importing the updated str{n}cmp()
> implementations were originally developed and tested before the
> advent of CONFIG_KASAN_HW_TAGS, and have subsequently revealed
> not to be MTE-safe. Since in-kernel MTE is still a rather niche
> case, let it temporarily fall back to the generic C versions for
> correctness until we can figure out the best fix.

Applied to arm64 (for-next/fixes), thanks!

[1/1] arm64: Mitigate MTE issues with str{n}cmp()
      https://git.kernel.org/arm64/c/59a68d413808

-- 
Catalin


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel