Re: kvm/arm64: use-after-free in kvm_vm_ioctl/vmacache_update

On Tue, Mar 14, 2017 at 1:26 PM, Marc Zyngier <marc.zyng...@arm.com> wrote: > On 14/03/17 11:03, Suzuki K Poulose wrote: >> On 13/03/17 09:58, Marc Zyngier wrote: >>> On 10/03/17 18:37, Suzuki K Poulose wrote: >>>> On 10/03/17 15:50, Andrey Konovalov wrote: &

Re: kvm/arm64: use-after-free in kvm_vm_ioctl/vmacache_update

On Tue, Apr 11, 2017 at 5:36 PM, Marc Zyngier <marc.zyng...@arm.com> wrote: > On 11/04/17 16:26, Andrey Konovalov wrote: >> On Tue, Mar 14, 2017 at 1:26 PM, Marc Zyngier <marc.zyng...@arm.com> wrote: >>> On 14/03/17 11:03, Suzuki K Poulose wrote: >>>

Re: kvm/arm64: use-after-free in kvm_unmap_hva_handler/unmap_stage2_pmds

On Tue, Mar 14, 2017 at 5:57 PM, Paolo Bonzini <pbonz...@redhat.com> wrote: > > > On 14/03/2017 12:07, Suzuki K Poulose wrote: >> On 10/03/17 13:34, Andrey Konovalov wrote: >>> Hi, >>> >>> I've got the following error report while fuzzing the kernel

Re: kvm/arm64: use-after-free in kvm_unmap_hva_handler/unmap_stage2_pmds

On Wed, Apr 12, 2017 at 8:43 PM, Marc Zyngier <marc.zyng...@arm.com> wrote: > On 12/04/17 17:19, Andrey Konovalov wrote: > > Hi Andrey, > >> Apparently this wasn't fixed, I've got this report again on >> linux-next-c4e7b35a3 (Apr 11), which includes 8b3405e34 &

Re: kvm/arm64: use-after-free in kvm_unmap_hva_handler/unmap_stage2_pmds

On Thu, Apr 13, 2017 at 11:34 AM, Mark Rutland <mark.rutl...@arm.com> wrote: > On Wed, Apr 12, 2017 at 08:51:31PM +0200, Andrey Konovalov wrote: >> On Wed, Apr 12, 2017 at 8:43 PM, Marc Zyngier <marc.zyng...@arm.com> wrote: >> > On 12/04/17 17:19, Andrey Konovalov w

Re: kvm/arm64: use-after-free in kvm_unmap_hva_handler/unmap_stage2_pmds

On Thu, Apr 13, 2017 at 5:50 PM, Suzuki K. Poulose <suzuki.poul...@arm.com> wrote: > On Thu, Apr 13, 2017 at 10:17:54AM +0100, Suzuki K Poulose wrote: >> On 12/04/17 19:43, Marc Zyngier wrote: >> > On 12/04/17 17:19, Andrey Konovalov wrote: >> > >> > Hi

Re: kvm/arm64: use-after-free in kvm_vm_ioctl/vmacache_update

On Fri, Mar 10, 2017 at 2:38 PM, Andrey Konovalov <andreyk...@google.com> wrote: > Hi, > > I've got the following error report while fuzzing the kernel with syzkaller. > > On linux-next commit 56b8bad5e066c23e8fa273ef5fba50bd3da2ace8 (Mar 8). > > Unfo

kvm/arm64: use-after-free in kvm_unmap_hva_handler/unmap_stage2_pmds

Hi, I've got the following error report while fuzzing the kernel with syzkaller. On linux-next commit 56b8bad5e066c23e8fa273ef5fba50bd3da2ace8 (Mar 8). Unfortunately I can't reproduce it. == BUG: KASAN: use-after-free in put_page

kvm/arm64: use-after-free in kvm_vm_ioctl/vmacache_update

Hi, I've got the following error report while fuzzing the kernel with syzkaller. On linux-next commit 56b8bad5e066c23e8fa273ef5fba50bd3da2ace8 (Mar 8). Unfortunately I can't reproduce it. == BUG: KASAN: use-after-free in

Re: Clang arm64 build is broken

On Mon, May 14, 2018 at 6:24 PM, Nick Desaulniers <ndesaulni...@google.com> wrote: > On Fri, Apr 20, 2018 at 7:59 AM Andrey Konovalov <andreyk...@google.com> > wrote: >> On Fri, Apr 20, 2018 at 10:13 AM, Marc Zyngier <marc.zyng...@arm.com> > wrote: >> >&g

Re: [PATCH] arm64: kvm: use -fno-jump-tables with clang

On Tue, May 22, 2018 at 8:28 PM, Nick Desaulniers <ndesaulni...@google.com> wrote: > On Fri, May 18, 2018 at 11:13 AM Marc Zyngier <marc.zyng...@arm.com> wrote: >> > - you have checked that with a released version of the compiler, you > > On Tue, May 22, 2018 at 10:5

Re: [PATCH] arm64: kvm: use -fno-jump-tables with clang

timer (8 tests) Tested-by: Andrey Konovalov <andreyk...@google.com> Thanks! [1] https://www.linux-kvm.org/page/KVM-unit-tests ___ kvmarm mailing list kvmarm@lists.cs.columbia.edu https://lists.cs.columbia.edu/mailman/listinfo/kvmarm

Re: [PATCH] arm64: kvm: use -fno-jump-tables with clang

On Wed, May 23, 2018 at 7:47 PM, Nick Desaulniers <ndesaulni...@google.com> wrote: > On Wed, May 23, 2018 at 4:54 AM Andrey Konovalov <andreyk...@google.com> > wrote: >> On Tue, May 22, 2018 at 8:28 PM, Nick Desaulniers >> <ndesaulni...@google.com> wrote: >&g

Re: [RFC PATCH v2 13/15] khwasan: add hooks implementation

On Thu, Apr 5, 2018 at 3:02 PM, Andrey Ryabinin <aryabi...@virtuozzo.com> wrote: > On 04/04/2018 08:00 PM, Andrey Konovalov wrote: >> On Wed, Apr 4, 2018 at 2:39 PM, Andrey Ryabinin <aryabi...@virtuozzo.com> >> wrote: >>>>> >>>>> You ca

Re: [RFC PATCH v2 13/15] khwasan: add hooks implementation

On Wed, Apr 4, 2018 at 2:39 PM, Andrey Ryabinin wrote: >>> >>> You can save tag somewhere in page struct and make page_address() return >>> tagged address. >>> >>> I'm not sure it might be even possible to squeeze the tag into page->flags >>> on some configurations, >>>

Re: [RFC PATCH v2 13/15] khwasan: add hooks implementation

On Thu, Apr 12, 2018 at 7:20 PM, Andrey Ryabinin wrote: >> 1. Tag memory with a random tag in kasan_alloc_pages() and returned a >> tagged pointer from pagealloc. > > Tag memory with a random tag in kasan_alloc_pages() and store that tag in > page struct (that part is

Re: [RFC PATCH v2 13/15] khwasan: add hooks implementation

On Tue, Apr 10, 2018 at 6:31 PM, Andrey Ryabinin <aryabi...@virtuozzo.com> wrote: > > > On 04/10/2018 07:07 PM, Andrey Konovalov wrote: >> On Fri, Apr 6, 2018 at 2:27 PM, Andrey Ryabinin <aryabi...@virtuozzo.com> >> wrote: >>> On 04/06/2018 03:14 PM,

Re: arm64 kvm built with clang doesn't boot

On Fri, Mar 16, 2018 at 3:31 PM, Mark Rutland <mark.rutl...@arm.com> wrote: > On Fri, Mar 16, 2018 at 02:13:14PM +, Mark Rutland wrote: >> On Fri, Mar 16, 2018 at 02:49:00PM +0100, Andrey Konovalov wrote: >> > Hi! >> >> Hi, >> >> > I'v

[RFC PATCH v3 10/15] khwasan: split out kasan_report.c from report.c

This patch moves KASAN specific error reporting routines to kasan_report.c without any functional changes, leaving common error reporting code in report.c to be later reused by KHWASAN. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- mm/kasan/Makefile | 4 +- mm

[RFC PATCH v3 12/15] khwasan: add hooks implementation

is very much similar to the one provided by KASAN. KHWASAN saves allocation and free stack metadata to the slab object the same was KASAN does this. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- mm/kasan/common.c | 73 -- mm/kasan/k

[RFC PATCH v3 11/15] khwasan: add bug reporting routines

bugs with the "KASAN: invalid-access" header. This is done, so various external tools that already parse the kernel logs looking for KASAN reports wouldn't need to be changed. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- include/linux/kasan.h | 3 +++

[RFC PATCH v3 09/15] khwasan, mm: perform untagged pointers comparison in krealloc

(with tags reset) pointers to check whether it's the same memory region or not. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- mm/slab_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/slab_common.c b/mm/slab_common.c index 0582004351c4..451b09

[RFC PATCH v3 14/15] khwasan, mm, arm64: tag non slab memory allocated via pagealloc

the whole page was marked with the same tag. This patch adds tagging to non slab memory allocated with pagealloc. To set the tag of the pointer returned from page_address, the tag gets stored to page->flags when the memory gets allocated. Signed-off-by: Andrey Konovalov <andreyk...@google.com>

[RFC PATCH v3 15/15] khwasan: update kasan documentation

This patch updates KASAN documentation to reflect the addition of KHWASAN. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- Documentation/dev-tools/kasan.rst | 212 +- 1 file changed, 122 insertions(+), 90 deletions(-) diff --git a/Documentation/dev

[RFC PATCH v3 05/15] khwasan, arm64: untag virt address in __kimg_to_phys

implementation. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/include/asm/memory.h | 11 +++ 1 file changed, 11 insertions(+) diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h index 6d084431b7f7..f206273469b5 100644 --- a/arch/arm64/inclu

[RFC PATCH v3 07/15] khwasan: add tag related helper functions

This commit adds a few helper functions, that are meant to be used to work with tags embedded in the top byte of kernel pointers: to set, to get or to reset (set to 0xff) the top byte. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/mm/kasan_init.c | 2 ++ include

[RFC PATCH v3 04/15] khwasan: initialize shadow to 0xff

-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/mm/kasan_init.c | 16 ++-- include/linux/kasan.h | 8 mm/kasan/common.c | 3 ++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/arch/arm64/mm/kasan_init.c b/arch/arm64/mm/kasan_init.c

[RFC PATCH v3 06/15] khwasan, arm64: fix up fault handling logic

show_pte in arm64 fault handling relies on the fact that the top byte of a kernel pointer is 0xff, which isn't always the case with KHWASAN enabled. Reset the top byte. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/mm/fault.c | 3 +++ 1 file changed, 3 inse

[RFC PATCH v3 08/15] khwasan, arm64: enable top byte ignore for the kernel

KHWASAN uses the Top Byte Ignore feature of arm64 CPUs to store a pointer tag in the top byte of each pointer. This commit enables the TCR_TBI1 bit, which enables Top Byte Ignore for the kernel, when KHWASAN is used. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/i

[RFC PATCH v3 01/15] khwasan: move common kasan and khwasan code to common.c

KHWASAN will reuse a significant part of KASAN code, so move the common parts to common.c without any functional changes. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- mm/kasan/Makefile | 5 +- mm/kasan/common.c | 524 ++ mm

[RFC PATCH v3 00/15] khwasan: kernel hardware assisted address sanitizer

dded mnemonics for esr manipulation in KHWASAN brk handler. - Added a comment about the -recover flag. - Some minor cleanups and fixes. - Rebased onto 3215b9d5 (4.16-rc6+). - Tested on real hardware (Odroid C2 board). - Added better benchmarks. Andrey Konovalov (15): khwasan: move common kasan and khw

[RFC PATCH v3 02/15] khwasan: add CONFIG_KASAN_GENERIC and CONFIG_KASAN_HW

specific hooks inserted by the compiler and adjusts common hooks implementation to compile correctly with each of the config options. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/Kconfig | 1 + include/linux/compiler-clang.h | 5 ++- include/linux/compiler

[RFC PATCH v3 03/15] khwasan, arm64: adjust shadow size for CONFIG_KASAN_HW

KWHASAN uses 1 shadow byte for 16 bytes of kernel memory, so it requires 1/16th of the kernel virtual address space for the shadow memory. This commit sets KASAN_SHADOW_SCALE_SHIFT to 4 when KHWASAN is enabled. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/Ma

[RFC PATCH v3 13/15] khwasan, arm64: add brk handler for inline instrumentation

(to extract information about the memory access that triggered the mismatch), reads the register values (x0 contains the guilty address) and reports the bug. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/include/asm/brk-imm.h | 2 + arch/arm64/kernel/traps.c

Clang arm64 build is broken

Hi Marc! Your recent commit [1] broke clang build on arm64. The issue is that clang doesn't know about the "S" asm constraint. I reported this to clang [2], and hopefully this will get fixed. In the meantime, would it possible to work around using the "S" constraint in the kernel? While we're

Re: Clang arm64 build is broken

On Fri, Apr 20, 2018 at 10:13 AM, Marc Zyngier wrote: >> The issue is that >> clang doesn't know about the "S" asm constraint. I reported this to >> clang [2], and hopefully this will get fixed. In the meantime, would >> it possible to work around using the "S" constraint in

Re: [RFC PATCH v2 11/15] khwasan, mm: perform untagged pointers comparison in krealloc

On Sat, Mar 24, 2018 at 9:29 AM, Ingo Molnar <mi...@kernel.org> wrote: > > * Andrey Konovalov <andreyk...@google.com> wrote: > >> The krealloc function checks where the same buffer was reused or a new one >> allocated by comparing kernel pointers. KHWASAN changes

Re: [RFC PATCH v2 03/15] khwasan: add CONFIG_KASAN_CLASSIC and CONFIG_KASAN_TAGS

On Sat, Mar 24, 2018 at 9:43 AM, Ingo Molnar <mi...@kernel.org> wrote: > > * Andrey Konovalov <andreyk...@google.com> wrote: > >> This commit splits the current CONFIG_KASAN config option into two: >> 1. CONFIG_KASAN_CLASSIC, that enables the classic KASAN versi

Re: [RFC PATCH v2 08/15] khwasan: add tag related helper functions

On Fri, Mar 30, 2018 at 6:13 PM, Andrey Ryabinin <aryabi...@virtuozzo.com> wrote: > > > On 03/23/2018 09:05 PM, Andrey Konovalov wrote: > >> diff --git a/mm/kasan/khwasan.c b/mm/kasan/khwasan.c >> index 24d75245e9d0..da4b17997c71 100644 >> --- a/mm/kasan/k

Re: [RFC PATCH v2 13/15] khwasan: add hooks implementation

On Fri, Mar 30, 2018 at 7:47 PM, Andrey Ryabinin <aryabi...@virtuozzo.com> wrote: > On 03/23/2018 09:05 PM, Andrey Konovalov wrote: >> This commit adds KHWASAN hooks implementation. >> >> 1. When a new slab cache is created, KHWASAN rounds up the size of the

Re: [RFC PATCH v2 05/15] khwasan: initialize shadow to 0xff

On Fri, Mar 30, 2018 at 6:07 PM, Andrey Ryabinin <aryabi...@virtuozzo.com> wrote: > On 03/23/2018 09:05 PM, Andrey Konovalov wrote: >> A KHWASAN shadow memory cell contains a memory tag, that corresponds to >> the tag in the top byte of the pointer, that points to that memo

Re: arm64 kvm built with clang doesn't boot

On Fri, Mar 16, 2018 at 3:13 PM, Marc Zyngier wrote: > I wasn't aware of that discussion, but this is indeed quite annoying. > Note that you should be able to restrict this to arch/arm64/kvm/hyp/* > and virt/kvm/arm/hyp/*. That works as well (tried it, the kernel boots).

Re: arm64 kvm built with clang doesn't boot

On Fri, Mar 16, 2018 at 3:13 PM, Mark Rutland wrote: > I think that patch is our best bet currently, but to save ourselves pain > in future it would be *really* nice if GCC and clang could provide an > option line -fno-absolute-addressing that would implicitly disable any >

arm64 kvm built with clang doesn't boot

Hi! I've recently tried to boot clang built kernel on real hardware (Odroid C2 board) instead of using a VM. The issue that I stumbled upon is that arm64 kvm built with clang doesn't boot. Adding -fno-jump-tables compiler flag to arch/arm64/kvm/* helps. There was a patch some time ago that did

Re: arm64 kvm built with clang doesn't boot

On Fri, Mar 16, 2018 at 3:31 PM, Mark Rutland wrote: > > FWIW, with that same compiler and patch applied atop of v4.16-rc4, and > some bodges around clang not liking the rX register naming in the SMCCC > code, I get a kernel that boots on my Juno, though I immediately hit a

[RFC PATCH v2 00/15] khwasan: kernel hardware assisted address sanitizer

tion in KHWASAN brk handler. - Added a comment about the -recover flag. - Some minor cleanups and fixes. - Rebased onto 3215b9d5 (4.16-rc6+). - Tested on real hardware (Odroid C2 board). - Added better benchmarks. Andrey Konovalov (15): khwasan, mm: change kasan hooks signatures khwasan: move common k

[RFC PATCH v2 01/15] khwasan, mm: change kasan hooks signatures

KHWASAN will change the value of the top byte of pointers returned from the kernel allocation functions (such as kmalloc). This patch updates KASAN hooks signatures and their usage in SLAB and SLUB code to reflect that. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- include

[RFC PATCH v2 02/15] khwasan: move common kasan and khwasan code to common.c

KHWASAN will reuse a significant part of KASAN code, so move the common parts to common.c without any functional changes. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- mm/kasan/Makefile | 5 +- mm/kasan/common.c | 318 ++ mm

[RFC PATCH v2 09/15] khwasan, kvm: untag pointers in kern_hyp_va

-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/include/asm/kvm_mmu.h | 8 virt/kvm/arm/mmu.c | 20 +++- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h index 7faed6

[RFC PATCH v2 08/15] khwasan: add tag related helper functions

This commit adds a few helper functions, that are meant to be used to work with tags embedded in the top byte of kernel pointers: to set, to get or to reset (set to 0xff) the top byte. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/mm/kasan_init.c | 2 ++ include

[RFC PATCH v2 10/15] khwasan, arm64: enable top byte ignore for the kernel

KHWASAN uses the Top Byte Ignore feature of arm64 CPUs to store a pointer tag in the top byte of each pointer. This commit enables the TCR_TBI1 bit, which enables Top Byte Ignore for the kernel, when KHWASAN is used. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/i

[RFC PATCH v2 12/15] khwasan: add bug reporting routines

bugs with the "KASAN: invalid-access" header. This is done, so various external tools that already parse the kernel logs looking for KASAN reports wouldn't need to be changed. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- include/linux/kasan.h | 3 ++ mm/kasan/r

[RFC PATCH v2 13/15] khwasan: add hooks implementation

. KHWASAN saves allocation and free stack metadata to the slab object the same was KASAN does this. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- mm/kasan/khwasan.c | 200 - 1 file changed, 197 insertions(+), 3 deletions(-) diff --git a/mm

[RFC PATCH v2 14/15] khwasan, arm64: add brk handler for inline instrumentation

(to extract information about the memory access that triggered the mismatch), reads the register values (x0 contains the guilty address) and reports the bug. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/include/asm/brk-imm.h | 2 ++ arch/arm64/kernel/traps.c

[RFC PATCH v2 15/15] khwasan: update kasan documentation

This patch updates KASAN documentation to reflect the addition of KHWASAN. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- Documentation/dev-tools/kasan.rst | 212 +- 1 file changed, 122 insertions(+), 90 deletions(-) diff --git a/Documentation/dev

[RFC PATCH v2 11/15] khwasan, mm: perform untagged pointers comparison in krealloc

(with tags reset) pointers to check whether it's the same memory region or not. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- mm/slab_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/slab_common.c b/mm/slab_common.c index a33e61315ca6..5911f2

[RFC PATCH v2 03/15] khwasan: add CONFIG_KASAN_CLASSIC and CONFIG_KASAN_TAGS

(which KHWASAN reuses) and placeholder implementation of KHWASAN specific hooks inserted by the compiler. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/Kconfig | 1 + include/linux/compiler-clang.h | 9 ++- include/linux/compiler-gcc.h | 4 ++ i

[RFC PATCH v2 05/15] khwasan: initialize shadow to 0xff

-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/mm/kasan_init.c | 11 ++- include/linux/kasan.h | 8 mm/kasan/common.c | 7 +++ 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/arch/arm64/mm/kasan_init.c b/arch/arm64/mm/kasan_init.c

[RFC PATCH v2 06/15] khwasan, arm64: untag virt address in __kimg_to_phys

implementation. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/include/asm/memory.h | 9 + 1 file changed, 9 insertions(+) diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h index febd54ff3354..c13b89257352 100644 --- a/arch/arm64/inclu

[RFC PATCH v2 07/15] khwasan, arm64: fix up fault handling logic

show_pte in arm64 fault handling relies on the fact that the top byte of a kernel pointer is 0xff, which isn't always the case with KHWASAN enabled. Reset the top byte. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- arch/arm64/mm/fault.c | 3 +++ 1 file changed, 3 inse