qemu-devel.nongnu.org archive mirror
* [Bug 1921948] [NEW] MTE tags not checked properly for unaligned accesses at EL1
@ 2021-03-30 19:34 Andrey Konovalov
  2021-03-30 23:22 ` [Bug 1921948] " Richard Henderson
                   ` (17 more replies)
  0 siblings, 18 replies; 63+ messages in thread
From: Andrey Konovalov @ 2021-03-30 19:34 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

For kernel memory accesses that span across two memory granules, QEMU's
MTE implementation only checks the tag of the first granule but not of
the second one.

To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS
enabled, apply the patch below, and boot the kernel:

diff --git a/sound/last.c b/sound/last.c
index f0bb98780e70..04745cb30b74 100644
--- a/sound/last.c
+++ b/sound/last.c
@@ -5,12 +5,18 @@
  */
 
 #include <linux/init.h>
+#include <linux/slab.h>
 #include <sound/core.h>
 
 static int __init alsa_sound_last_init(void)
 {
        struct snd_card *card;
        int idx, ok = 0;
+
+       char *ptr = kmalloc(128, GFP_KERNEL);
+       pr_err("KASAN report should follow:\n");
+       *(volatile unsigned long *)(ptr + 124);
+       kfree(ptr);
        
        printk(KERN_INFO "ALSA device list:\n");
        for (idx = 0; idx < SNDRV_CARDS; idx++) {
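Review bot: `ptr` from `char *ptr = kmalloc(128, GFP_KERNEL);` is dereferenced without a NULL check; for a throwaway reproducer that is tolerable, but an `if (!ptr) return -ENOMEM;` (or skipping the access) keeps an allocation failure during boot from producing an unrelated NULL-pointer oops that could be mistaken for, or mask, the KASAN report being looked for. A one-line comment on `*(volatile unsigned long *)(ptr + 124);` would also help a reader: the 8-byte load starts inside the 128-byte allocation and runs past its end into the following tag granule, which is exactly the two-granule access the report is about, and the `volatile` cast is what stops the compiler from discarding an otherwise unused read.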

KASAN tags the 128 allocated bytes with the same tag as the returned
pointer. The memory granule that follows the 128 allocated bytes has a
different tag (with 1/15 probability).

Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130).
Observed result: no tag fault is detected and no KASAN report is printed.

Here are the flags that I use to run QEMU if they matter:

qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 \
  -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic \
  -nographic -kernel ./Image \
  -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" \
  -drive file=./fs.img,format=raw,if=virtio -no-shutdown -no-reboot

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1921948

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
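To make the reported behaviour concrete, here is a small C model of an MTE tag check, added as an illustration and not code from the report, the kernel or QEMU. `granules_spanned` is the tag-count computation a checker needs, `check_first_granule_only` mirrors the behaviour the report describes, and `check_all_granules` the expected behaviour; the granule size (16 bytes), tag position (bits 56..59), addresses, tag values and the 8-byte size of `unsigned long` are constructed or assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model of MTE tag checking, not QEMU's code. Allocation tags
 * cover 16-byte granules; a pointer's logical tag lives in bits 56..59. */
#define GRANULE_SHIFT 4
#define NGRANULES     64                 /* 1 KiB of modelled memory */
static uint8_t tag_mem[NGRANULES];       /* allocation tag per granule */
static uint8_t  ptr_tag(uint64_t p)  { return (p >> 56) & 0xf; }
static uint64_t ptr_addr(uint64_t p) { return p & ((1ULL << 56) - 1); }

/* Granules touched by `size` (>= 1) bytes at `addr`: 1 when the access stays
 * inside one granule, 2 when an unaligned access straddles a granule boundary. */
unsigned granules_spanned(uint64_t addr, size_t size)
{
    return (unsigned)(((addr + size - 1) >> GRANULE_SHIFT) - (addr >> GRANULE_SHIFT) + 1);
}

/* Behaviour described in the report: only the first granule is compared. */
bool check_first_granule_only(uint64_t p, size_t size)
{
    (void)size;                          /* the access length is never consulted */
    return tag_mem[ptr_addr(p) >> GRANULE_SHIFT] == ptr_tag(p);
}

/* Correct behaviour: every granule the access touches must carry the tag. */
bool check_all_granules(uint64_t p, size_t size)
{
    uint64_t first = ptr_addr(p) >> GRANULE_SHIFT;
    for (unsigned i = 0; i < granules_spanned(ptr_addr(p), size); i++) {
        if (tag_mem[first + i] != ptr_tag(p)) return false;  /* tag check fault */
    }
    return true;
}

/* The report's layout: 128 bytes at 0x100 tagged 0x3, every other granule
 * (including the one after the allocation) 0x7, then an 8-byte load at +124. */
bool reproduce_reported_case(void)
{
    uint64_t base = 0x100, p = (base + 124) | (0x3ULL << 56);
    for (unsigned g = 0; g < NGRANULES; g++)
        tag_mem[g] = (g >= (base >> GRANULE_SHIFT) && g < ((base + 128) >> GRANULE_SHIFT)) ? 0x3 : 0x7;
    return check_first_granule_only(p, 8) && !check_all_granules(p, 8);
}

int main(void)
{
    printf("bug visible: %s\n", reproduce_reported_case() ? "yes" : "no");
}
```

The load at offset 124 spans two granules, so the first-only check passes while the full check faults, which is the gap between the observed and expected results in the report.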


* [PATCH v4 00/12] target/arm mte fixes
@ 2021-04-06 17:40 Richard Henderson
  2021-04-06 17:40 ` [PATCH v4 01/12] accel/tcg: Preserve PAGE_ANON when changing page permissions Richard Henderson
                   ` (13 more replies)
  0 siblings, 14 replies; 63+ messages in thread
From: Richard Henderson @ 2021-04-06 17:40 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-arm

Changes for v4:
  * Fix tag count computation error in mte_checkN, which when used
    by mte_check1 in patch 5, caused all sorts of KASAN failures.
  * Fix PAGE_ANON / PAGE_TARGET_1 overlap.


r~


Richard Henderson (12):
  accel/tcg: Preserve PAGE_ANON when changing page permissions
  target/arm: Check PAGE_WRITE_ORG for MTE writeability
  target/arm: Fix mte_checkN
  target/arm: Split out mte_probe_int
  target/arm: Fix unaligned checks for mte_check1, mte_probe1
  test/tcg/aarch64: Add mte-5
  target/arm: Replace MTEDESC ESIZE+TSIZE with SIZEM1
  target/arm: Merge mte_check1, mte_checkN
  target/arm: Rename mte_probe1 to mte_probe
  target/arm: Simplify sve mte checking
  target/arm: Remove log2_esize parameter to gen_mte_checkN
  exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1

 include/exec/cpu-all.h            |   4 +-
 target/arm/helper-a64.h           |   3 +-
 target/arm/internals.h            |  11 +-
 target/arm/translate-a64.h        |   2 +-
 tests/tcg/aarch64/mte.h           |   3 +-
 accel/tcg/translate-all.c         |   9 +-
 target/arm/mte_helper.c           | 185 ++++++++++++------------------
 target/arm/sve_helper.c           | 100 ++++++----------
 target/arm/translate-a64.c        |  22 ++--
 target/arm/translate-sve.c        |   9 +-
 tests/tcg/aarch64/mte-5.c         |  44 +++++++
 tests/tcg/aarch64/mte-6.c         |  43 +++++++
 tests/tcg/aarch64/Makefile.target |   2 +-
 13 files changed, 227 insertions(+), 210 deletions(-)
 create mode 100644 tests/tcg/aarch64/mte-5.c
 create mode 100644 tests/tcg/aarch64/mte-6.c

-- 
2.25.1




end of thread, other threads:[~2021-06-10  6:22 UTC | newest]

Thread overview: 63+ messages
2021-03-30 19:34 [Bug 1921948] [NEW] MTE tags not checked properly for unaligned accesses at EL1 Andrey Konovalov
2021-03-30 23:22 ` [Bug 1921948] " Richard Henderson
2021-03-30 23:32 ` Peter Collingbourne
2021-03-31  6:44 ` Richard Henderson
2021-04-02 15:41 ` Richard Henderson
2021-04-02 16:17 ` Andrey Konovalov
2021-04-02 16:31 ` Richard Henderson
2021-04-03 14:34 ` Andrey Konovalov
2021-04-07 20:17 ` Andrey Konovalov
2021-04-07 20:46 ` Alex Bennée
2021-04-07 20:58 ` Andrey Konovalov
2021-04-07 21:29   ` Alex Bennée
2021-04-07 21:29     ` Alex Bennée
2021-04-07 21:45     ` Alex Bennée
2021-04-07 21:45       ` Alex Bennée
2021-04-07 21:19 ` Richard Henderson
2021-04-07 22:02 ` Andrey Konovalov
2021-05-06 18:39 ` Richard Henderson
2021-05-22  5:12 ` Peter Collingbourne
2021-05-22  5:17 ` Peter Collingbourne
2021-05-26 19:55 ` Vitaly Buka
2021-06-10  2:28 ` Peter Collingbourne
2021-06-10  6:06 ` Thomas Huth
2021-04-06 17:40 [PATCH v4 00/12] target/arm mte fixes Richard Henderson
2021-04-06 17:40 ` [PATCH v4 01/12] accel/tcg: Preserve PAGE_ANON when changing page permissions Richard Henderson
2021-04-07 13:55   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 02/12] target/arm: Check PAGE_WRITE_ORG for MTE writeability Richard Henderson
2021-04-07 15:34   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 03/12] target/arm: Fix mte_checkN Richard Henderson
2021-04-07 18:39   ` Alex Bennée
2021-04-07 18:39     ` [Bug 1921948] " Alex Bennée
2021-04-07 19:56     ` Richard Henderson
2021-04-08  8:36       ` Alex Bennée
2021-04-08  8:36         ` [Bug 1921948] " Alex Bennée
2021-04-08  8:50     ` Peter Maydell
2021-04-08  8:50       ` [Bug 1921948] " Peter Maydell
2021-04-08 10:02       ` Alex Bennée
2021-04-08 10:02         ` [Bug 1921948] " Alex Bennée
2021-04-06 17:40 ` [PATCH v4 04/12] target/arm: Split out mte_probe_int Richard Henderson
2021-04-08  9:01   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 05/12] target/arm: Fix unaligned checks for mte_check1, mte_probe1 Richard Henderson
2021-04-08  9:05   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 06/12] test/tcg/aarch64: Add mte-5 Richard Henderson
2021-04-08  9:07   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 07/12] target/arm: Replace MTEDESC ESIZE+TSIZE with SIZEM1 Richard Henderson
2021-04-08 11:08   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 08/12] target/arm: Merge mte_check1, mte_checkN Richard Henderson
2021-04-08 11:10   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 09/12] target/arm: Rename mte_probe1 to mte_probe Richard Henderson
2021-04-08 11:10   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 10/12] target/arm: Simplify sve mte checking Richard Henderson
2021-04-08 11:23   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 11/12] target/arm: Remove log2_esize parameter to gen_mte_checkN Richard Henderson
2021-04-08 11:35   ` Alex Bennée
2021-04-06 17:40 ` [PATCH v4 12/12] exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1 Richard Henderson
2021-04-06 18:21   ` Laurent Vivier
2021-04-06 19:36   ` Laurent Vivier
2021-04-07 17:16   ` Alex Bennée
2021-04-07 21:33   ` Nathan Chancellor
2021-04-06 17:57 ` [PATCH v4 00/12] target/arm mte fixes no-reply
2021-04-08 12:47 ` Peter Maydell
2021-04-08 14:25   ` Richard Henderson
2021-04-09  9:53     ` Peter Maydell
