From: Peter Zijlstra <peterz@infradead.org>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>,
Julien Thierry <julien.thierry@arm.com>,
Will Deacon <will.deacon@arm.com>,
Andy Lutomirski <luto@amacapital.net>,
Ingo Molnar <mingo@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
James Morse <james.morse@arm.com>,
valentin.schneider@arm.com, Brian Gerst <brgerst@gmail.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de>,
Denys Vlasenko <dvlasenk@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
Andrey Ryabinin <aryabinin@virtuozzo.com>
Subject: Re: [PATCH 1/8] kasan,x86: Frob kasan_report() in an exception
Date: Thu, 28 Feb 2019 18:46:05 +0100 [thread overview]
Message-ID: <20190228174605.GF32494@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <CACT4Y+ZJpDtHdF-NTy9RrhoOPMtko6VeXwkgR1yjFa5VFfGysQ@mail.gmail.com>
On Thu, Feb 28, 2019 at 05:03:09PM +0100, Dmitry Vyukov wrote:
> I am missing some knowledge about SMAP to answer this.
> In short, these tools insert lots of callbacks into runtime for memory
> accesses, function entry/exit, atomicops and some other. These
> callbacks can do things of different complexity.
> Humm... perhaps we could just disable SMAP for KMSAN/KTSAN. It's
> possible, right? If we have it enabled with KASAN, that should be
> enough.
SMAP detects access to _PAGE_USER pages; that is, such access is only
allowed when EFLAGS.AC=1, otherwise they'll fault.
I again don't know enough about KASAN to say if it does that; but I
suspect it only tracks kernel memory state.
> Also, what's the actual problem with KASAN+SMAP? Is it warnings from
> static analysis tool? Or there are also some runtime effects? What
> effects?
Both; so because of the above semantics, things like copy_to_user() will
have to do STAC (set EFLAGS.AC=1), then do the actual copies to the user
addresses, and then CLAC (clear the AC flag again).
The desire is to have AC=1 sections as small as possible, such that as
much code as possible is ran with AC=0 and will trap on unintended
accesses.
Also; the scheduler doesn't (but I have a patch for that, but I'd prefer
to not have to use it) context switch EFLAGS. This means that if we land
in the scheduler while AC=1, the next task will resume with AC=1.
Consequently, if that task returns to userspace before it gets scheduled
again, we'll continue our previous task (that left with AC=1) with AC=0
and it'll then fault where no fault were expected.
Anyway; the objtool annotation basically tracks the EFLAGS.AC state
(through STAC/CLAC instructions -- no PUSHF/POPF) and disallows any
CALL/RET while AC=1.
This is where the __asan_{load,store}*() stuff went *splat*. GCC inserts
those calls in the middle of STAC/CLAC (AC=1) and we then have to mark
the functions as AC-safe. objtool validates those on the same rules, no
further CALLs that are not also safe.
Things like __fentry__ are inherently unsafe because they use
preempt_disable/preempt_enable, where the latter has a CALL
__preempt_schedule (and is thus very unsafe). Similarly with
kasan_report(), it does all sorts of things that are not safe to do.
> Is it possible to disable the SMAP runtime checks once we enter
> kasan_report() past report_enabled() check? We could restrict it to
> "just finish printing this bug report whatever it takes and then
> whatever" if it makes things simpler.
> It would be nice if we could restrict it to something like:
>
> @@ -291,6 +303,7 @@ void kasan_report(unsigned long addr, size_t size,
> if (likely(!report_enabled()))
> return;
> + disable_smap();
>
> And then enforce panic at the end of report if smap is enabled.
That would be a CLAC, and the current rules disallow CLAC for AC-safe
functions.
Furthermore, kasan_report() isn't fatal, right? So it would have to
restore the state on exit. That makes the validation state much more
complicated.
Let me try and frob some of the report_enabled() stuff before the #UD.
next prev parent reply other threads:[~2019-02-28 17:46 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-28 14:54 [PATCH 0/8] objtool: UACCESS validation v2 Peter Zijlstra
2019-02-28 14:54 ` [PATCH 1/8] kasan,x86: Frob kasan_report() in an exception Peter Zijlstra
2019-02-28 15:22 ` Dmitry Vyukov
2019-02-28 15:45 ` Peter Zijlstra
2019-02-28 15:52 ` Dmitry Vyukov
2019-02-28 16:01 ` Andrey Ryabinin
2019-02-28 16:03 ` Dmitry Vyukov
2019-02-28 17:46 ` Peter Zijlstra [this message]
2019-02-28 18:18 ` Dmitry Vyukov
2019-03-01 14:45 ` Peter Zijlstra
2019-03-01 15:06 ` Dmitry Vyukov
2019-03-01 15:23 ` Peter Zijlstra
2019-03-06 13:13 ` Peter Zijlstra
2019-03-06 13:39 ` Dmitry Vyukov
2019-03-06 13:57 ` Peter Zijlstra
2019-03-06 14:01 ` Dmitry Vyukov
2019-03-06 14:12 ` Peter Zijlstra
2019-03-06 14:34 ` Peter Zijlstra
2019-03-06 14:40 ` Dmitry Vyukov
2019-03-06 14:41 ` Dmitry Vyukov
2019-03-06 14:55 ` Peter Zijlstra
2019-03-06 15:01 ` Dmitry Vyukov
2019-03-06 17:14 ` Peter Zijlstra
2019-03-06 17:27 ` Linus Torvalds
2019-03-06 17:37 ` Peter Zijlstra
2019-03-06 17:59 ` Linus Torvalds
2019-03-07 13:49 ` Peter Zijlstra
2019-02-28 14:54 ` [PATCH 2/8] x86/ia32: Fix ia32_restore_sigcontext AC leak Peter Zijlstra
2019-02-28 14:54 ` [PATCH 3/8] objtool: Set insn->func for alternatives Peter Zijlstra
2019-02-28 14:54 ` [PATCH 4/8] objtool: Hande function aliases Peter Zijlstra
2019-02-28 14:54 ` [PATCH 5/8] objtool: Rewrite add_ignores() Peter Zijlstra
2019-02-28 14:54 ` [PATCH 6/8] i915,uaccess: Fix redundant CLAC Peter Zijlstra
2019-02-28 15:10 ` Chris Wilson
2019-02-28 15:24 ` Peter Zijlstra
2019-02-28 16:49 ` Linus Torvalds
2019-02-28 17:51 ` Peter Zijlstra
2019-02-28 18:01 ` Peter Zijlstra
2019-02-28 18:29 ` Linus Torvalds
2019-02-28 19:01 ` Peter Zijlstra
2019-03-01 10:34 ` Peter Zijlstra
2019-03-01 12:27 ` Peter Zijlstra
2019-03-01 12:57 ` Peter Zijlstra
2019-03-01 14:38 ` Peter Zijlstra
2019-03-01 15:27 ` Andy Lutomirski
2019-03-01 16:15 ` Linus Torvalds
2019-03-01 16:17 ` Linus Torvalds
2019-02-28 14:54 ` [PATCH 7/8] objtool: Add UACCESS validation Peter Zijlstra
2019-02-28 14:54 ` [PATCH 8/8] objtool: Add Direction Flag validation Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190228174605.GF32494@hirez.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=aryabinin@virtuozzo.com \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=catalin.marinas@arm.com \
--cc=dvlasenk@redhat.com \
--cc=dvyukov@google.com \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=jpoimboe@redhat.com \
--cc=julien.thierry@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=valentin.schneider@arm.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).