From patchwork Tue Jan 17 16:35:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn X-Patchwork-Id: 44731 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp1858025wrn; Tue, 17 Jan 2023 08:39:08 -0800 (PST) X-Google-Smtp-Source: AMrXdXuDz0KnKiZJZO435/IOWVgLF+PXl5PoWun2uADj0yXqBBhB7gPTa13e1xUzAuUnRm3kD7CL X-Received: by 2002:aa7:dc03:0:b0:49e:1d4f:a9f0 with SMTP id b3-20020aa7dc03000000b0049e1d4fa9f0mr4072608edu.42.1673973548746; Tue, 17 Jan 2023 08:39:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673973548; cv=none; d=google.com; s=arc-20160816; b=Vza41mgHjrzVtlyz1wN9sFbtGXjAn2n64TQfajOjJwZHq9CHLNAL4QJoPNVspY6LVN h7y6hJ+uxNkLrqDDfL+pqY4S4EUC2xdb9SfmezCGKI55ixCKNHCf8871Ae8iNJXdtKwy 8YE7AfnPz5zUPnPi/Q74yZ5OELfl4+6s3IlNHKGgUZmsvvhoTkYIn8WaoTbFeBbByrbk MscAA8XBt4RBIn34Ta3Q/8m1zULc/5yrNICJxfyfonP7HD8iSShhBqGSHQf5gDb4fnqV CktIUMgV6yPz90SLHRmmfnivSlE2btwjsvoDyDtoRpjyLAR4Ueqlh+X32U/+RvCmukSi 5JAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=ZnZx85Sf0ezER0rilQtZPHDwVHsmiiEfW3AZAr5ZtFc=; b=RpLMRPY0mATjCcfHMtjlPdhT5PB17b71ACC5caNWN3z3t9IQ/ep4+mIFloVy4HfVe9 K5LWtJ/DvBR0IgHQAWU+xdYiAGWPwu/QZcLmTXXMjfCkVgRgmzFvP2uTSBFBmluZY5Uq Pqo2pdQlmZ2fUHsXUGp0iQV995+MM1NVWeaF0K7XpO96welyfClXy7jb9t9REZhYoiRk 05w1fI3rW0KNstnMYFecKNpXQzWO+MZRYUVSOOtMdiiJocvYpvOBfZsT8/UFcXKn6lWw e7KqIuCgfQKaJrZQLTVPv/QaXyet+uaNEoVX1FPN9x3WUXfXnBQfL6Jlu2lMN/pdNmvB whYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=QeCeDVWg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q4-20020a056402040400b0049e1bc53bd3si5427792edv.486.2023.01.17.08.38.45; Tue, 17 Jan 2023 08:39:08 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=QeCeDVWg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232931AbjAQQgc (ORCPT + 99 others); Tue, 17 Jan 2023 11:36:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44632 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232592AbjAQQgC (ORCPT ); Tue, 17 Jan 2023 11:36:02 -0500 Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8787A42DD5 for ; Tue, 17 Jan 2023 08:35:56 -0800 (PST) Received: by mail-wm1-x334.google.com with SMTP id iv8-20020a05600c548800b003db04a0a46bso84069wmb.0 for ; Tue, 17 Jan 2023 08:35:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=ZnZx85Sf0ezER0rilQtZPHDwVHsmiiEfW3AZAr5ZtFc=; b=QeCeDVWgByy16VG/MS4W5/YqPsrRtIYCfxrL4a6dZ+jZ6vmgpog/rXDT+QwoBwEzWa TRUNErkvo/oGfg/S/j+KWbMIOr9GiSqQngzTIWk7ya/FeORgOym/kAENGgZexeyu18HF yCRYWDe2hV+jEemvGLePPiYEwI381jYY3y/y9LZS5uAltHoWHi7ranAoS88vZqFoWym9 wLzh3dk9TQeSL9/t0u5QaQsBZGZ+3sI/nHXgFAdMhtOWE4hJwCEkI6j4hLp24hoEDchK uX93pmOD/0EkL+C75TSWbZrUBdq+LaGuOCUxJltawuwbrpRugoZ3Y0i5OZwf9lD0QSWx 2RUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ZnZx85Sf0ezER0rilQtZPHDwVHsmiiEfW3AZAr5ZtFc=; b=OcKAB9wJAMoSknd/7wrHSfazmTwn+LTu6pt+hXEPDXLt9egNC8VH0mbgk0Vj+F/SNf ZSZT248vfYu0+yJcEpKKeltSZwHBrl955KxRzSIKwb5Jcg1F6S3esW+J8T8TefpkH5ZZ KsC16nbWxmApOy1U5deLTCDRwLFuxGCH7ZGlDl+2RhZa1SJcuvPsBfeXVYr5xwbgqf8b rz1ULxOeOTo3y0+bHxy4vTGOb7eG3Yf7xPhbQdqAKvAMTWBaf/LWvxrN7ZPd6zoseZ1S xOkahvxf2Ehj0SqwWA53ix15XzhTnfVWiRoLNfWGcXqBKnyzZoJ0f6Ek7ddCqHyGy8hy 3zIw== X-Gm-Message-State: AFqh2kosQTbqLdiuiS0f2EpadMZIZunYuU75OEmf8jSTH6LhkOj2lioJ TCY8P1teKCdTeSNfi1JbufY09g== X-Received: by 2002:a05:600c:1d92:b0:3d0:30c8:c47b with SMTP id p18-20020a05600c1d9200b003d030c8c47bmr2335336wms.2.1673973354962; Tue, 17 Jan 2023 08:35:54 -0800 (PST) Received: from localhost ([2a00:79e0:9d:4:9df1:9663:75e8:617c]) by smtp.gmail.com with ESMTPSA id l24-20020a05600c1d1800b003db09692364sm2302292wms.11.2023.01.17.08.35.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Jan 2023 08:35:53 -0800 (PST) From: Jann Horn To: Andrew Morton , linux-mm@kvack.org Cc: Uladzislau Rezki , Christoph Hellwig , Andy Lutomirski , linux-kernel@vger.kernel.org, Andrey Ryabinin , Alexander Potapenko , Andrey Konovalov , Dmitry Vyukov , Vincenzo Frascino , kasan-dev@googlegroups.com Subject: [PATCH] fork, vmalloc: KASAN-poison backing pages of vmapped stacks Date: Tue, 17 Jan 2023 17:35:43 +0100 Message-Id: <20230117163543.1049025-1-jannh@google.com> X-Mailer: git-send-email 2.39.0.314.g84b9a713c41-goog MIME-Version: 1.0 X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1755288487661241580?= X-GMAIL-MSGID: =?utf-8?q?1755288487661241580?= KASAN (except in HW_TAGS mode) tracks memory state based on virtual addresses. The mappings of kernel stack pages in the linear mapping are currently marked as fully accessible. Since stack corruption issues can cause some very gnarly errors, let's be extra careful and tell KASAN to forbid accesses to stack memory through the linear mapping. Signed-off-by: Jann Horn --- I wrote this after seeing https://lore.kernel.org/all/Y8W5rjKdZ9erIF14@casper.infradead.org/ and wondering about possible ways that this kind of stack corruption could be sneaking past KASAN. That's proooobably not the explanation, but still... include/linux/vmalloc.h | 6 ++++++ kernel/fork.c | 10 ++++++++++ mm/vmalloc.c | 24 ++++++++++++++++++++++++ 3 files changed, 40 insertions(+) base-commit: 5dc4c995db9eb45f6373a956eb1f69460e69e6d4 diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h index 096d48aa3437..bfb50178e5e3 100644 --- a/include/linux/vmalloc.h +++ b/include/linux/vmalloc.h @@ -297,4 +297,10 @@ bool vmalloc_dump_obj(void *object); static inline bool vmalloc_dump_obj(void *object) { return false; } #endif +#if defined(CONFIG_MMU) && (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) +void vmalloc_poison_backing_pages(const void *addr); +#else +static inline void vmalloc_poison_backing_pages(const void *addr) {} +#endif + #endif /* _LINUX_VMALLOC_H */ diff --git a/kernel/fork.c b/kernel/fork.c index 9f7fe3541897..5c8c103a3597 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -321,6 +321,16 @@ static int alloc_thread_stack_node(struct task_struct *tsk, int node) vfree(stack); return -ENOMEM; } + + /* + * A virtually-allocated stack's memory should only be accessed through + * the vmalloc area, not through the linear mapping. + * Inform KASAN that all accesses through the linear mapping should be + * reported (instead of permitting all accesses through the linear + * mapping). + */ + vmalloc_poison_backing_pages(stack); + /* * We can't call find_vm_area() in interrupt context, and * free_thread_stack() can be called in interrupt context, diff --git a/mm/vmalloc.c b/mm/vmalloc.c index ca71de7c9d77..10c79c53cf5c 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -4042,6 +4042,30 @@ void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms) } #endif /* CONFIG_SMP */ +#if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) +/* + * Poison the KASAN shadow for the linear mapping of the pages used as stack + * memory. + * NOTE: This makes no sense in HW_TAGS mode because HW_TAGS marks physical + * memory, not virtual memory. + */ +void vmalloc_poison_backing_pages(const void *addr) +{ + struct vm_struct *area; + int i; + + if (WARN(!PAGE_ALIGNED(addr), "bad address (%p)\n", addr)) + return; + + area = find_vm_area(addr); + if (WARN(!area, "nonexistent vm area (%p)\n", addr)) + return; + + for (i = 0; i < area->nr_pages; i++) + kasan_poison_pages(area->pages[i], 0, false); +} +#endif + #ifdef CONFIG_PRINTK bool vmalloc_dump_obj(void *object) {