From: Jann Horn <jannh@google.com>
To: Andrey Konovalov <andreyknvl@gmail.com>,
Peter Collingbourne <pcc@google.com>
Cc: Alexander Potapenko <glider@google.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Evgenii Stepanov <eugenis@google.com>,
Linux Memory Management List <linux-mm@kvack.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH v3 3/3] kasan: allow freed user page poisoning to be disabled with HW tags
Date: Wed, 26 May 2021 12:45:21 +0200 [thread overview]
Message-ID: <CAG48ez2qkaZRzncvyAm+mx+qB-aLnN1riFwQq4+xg9yft69etw@mail.gmail.com> (raw)
In-Reply-To: <CA+fCnZdQgR=Nnua8Ht3fk2pkNWjbJFEvE_Y9iwbXGaxQWhubGQ@mail.gmail.com>
On Wed, May 26, 2021 at 12:07 AM Andrey Konovalov <andreyknvl@gmail.com> wrote:
> On Wed, May 12, 2021 at 11:09 PM Peter Collingbourne <pcc@google.com> wrote:
> > Poisoning freed pages protects against kernel use-after-free. The
> > likelihood of such a bug involving kernel pages is significantly higher
> > than that for user pages. At the same time, poisoning freed pages can
> > impose a significant performance cost, which cannot always be justified
> > for user pages given the lower probability of finding a bug. Therefore,
> > make it possible to configure the kernel to disable freed user page
> > poisoning when using HW tags via the new kasan.skip_user_poison_on_free
> > command line option.
>
> So the potential scenario that would be undetectable with
> kasan.skip_user_poison_on_free enabled is: 1) kernel allocates a user
> page and maps it for userspace, 2) the page gets freed in the kernel,
> 3) kernel accesses the page leading to a use-after-free. Is this
> correct?
>
> If bugs involving use-after-free accesses on user pages is something
> that is extremely rare, perhaps we could just change the default and
> avoid adding a command line switch.
>
> Jann, maybe you have an idea of how common something like this is or
> have other inputs?
GFP_USER is kind of a squishy concept, and if you grep around for it
in the kernel tree, you can see it being used for all kinds of things
- including SKBs in some weird ISDN driver, various types of BPF
allocations, and so on. It's probably the wrong flag to hook if you
want something that means "these pages will mostly be accessed from
userspace".
My guess is that what pcc@ is actually interested in are probably
mainly anonymous pages, and to a lesser degree also page cache pages?
Those use the more specific GFP_HIGHUSER_MOVABLE (which indicates that
the kernel will usually not be holding any direct pointers to the page
outside of rmap/pagecache logic, and that any kernel access to the
pages will be using the kmap API).
It's probably safe to assume that the majority of kernel bugs won't
directly involve GFP_HIGHUSER_MOVABLE memory - that's probably mostly
only going to happen if there are bugs in code that grabs pages with
get_user_pages* and then kmap()s them, or if there's something broken
in the pipe logic, or maybe an OOB issue in filesystem parsing code
(?), or something like that.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-05-26 13:11 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-12 20:09 [PATCH v3 0/3] arm64: improve efficiency of setting tags for user pages Peter Collingbourne
2021-05-12 20:09 ` [PATCH v3 1/3] kasan: use separate (un)poison implementation for integrated init Peter Collingbourne
2021-05-25 22:00 ` Andrey Konovalov
2021-05-28 1:04 ` Peter Collingbourne
2021-05-26 10:12 ` Marco Elver
2021-05-26 19:27 ` Peter Collingbourne
2021-05-26 19:54 ` Marco Elver
2021-05-12 20:09 ` [PATCH v3 2/3] arm64: mte: handle tags zeroing at page allocation time Peter Collingbourne
2021-05-25 22:00 ` Andrey Konovalov
2021-05-12 20:09 ` [PATCH v3 3/3] kasan: allow freed user page poisoning to be disabled with HW tags Peter Collingbourne
2021-05-25 22:06 ` Andrey Konovalov
2021-05-26 10:45 ` Jann Horn [this message]
2021-05-28 1:05 ` Peter Collingbourne
2021-05-25 19:03 ` [PATCH v3 0/3] arm64: improve efficiency of setting tags for user pages Peter Collingbourne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez2qkaZRzncvyAm+mx+qB-aLnN1riFwQq4+xg9yft69etw@mail.gmail.com \
--to=jannh@google.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=catalin.marinas@arm.com \
--cc=eugenis@google.com \
--cc=glider@google.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=pcc@google.com \
--cc=vincenzo.frascino@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).