Andrew Morton
unread,Jun 28, 2024, 10:30:55 PM (4 days ago) Jun 28Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to mm-co...@vger.kernel.org, vba...@suse.cz, sv...@linux.ibm.com, ros...@goodmis.org, roman.g...@linux.dev, rien...@google.com, pen...@kernel.org, mhir...@kernel.org, mark.r...@arm.com, kasa...@googlegroups.com, iamjoon...@lge.com, h...@linux.ibm.com, g...@linux.ibm.com, gli...@google.com, el...@google.com, dvy...@google.com, c...@linux.com, bornt...@linux.ibm.com, agor...@linux.ibm.com, 42.h...@gmail.com, i...@linux.ibm.com, ak...@linux-foundation.org
The quilt patch titled
Subject: kmsan: support SLAB_POISON
has been removed from the -mm tree. Its filename was
kmsan-support-slab_poison.patch
This patch was dropped because it was merged into the mm-stable branch
of git://
git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: Ilya Leoshkevich <
i...@linux.ibm.com>
Subject: kmsan: support SLAB_POISON
Date: Fri, 21 Jun 2024 13:34:57 +0200
Avoid false KMSAN negatives with SLUB_DEBUG by allowing kmsan_slab_free()
to poison the freed memory, and by preventing init_object() from
unpoisoning new allocations by using __memset().
There are two alternatives to this approach. First, init_object() can be
marked with __no_sanitize_memory. This annotation should be used with
great care, because it drops all instrumentation from the function, and
any shadow writes will be lost. Even though this is not a concern with
the current init_object() implementation, this may change in the future.
Second, kmsan_poison_memory() calls may be added after memset() calls.
The downside is that init_object() is called from free_debug_processing(),
in which case poisoning will erase the distinction between simply
uninitialized memory and UAF.
Link:
https://lkml.kernel.org/r/20240621113706...@linux.ibm.com
Signed-off-by: Ilya Leoshkevich <
i...@linux.ibm.com>
Reviewed-by: Alexander Potapenko <
gli...@google.com>
Cc: Alexander Gordeev <
agor...@linux.ibm.com>
Cc: Christian Borntraeger <
bornt...@linux.ibm.com>
Cc: Christoph Lameter <
c...@linux.com>
Cc: David Rientjes <
rien...@google.com>
Cc: Dmitry Vyukov <
dvy...@google.com>
Cc: Heiko Carstens <
h...@linux.ibm.com>
Cc: Hyeonggon Yoo <
42.h...@gmail.com>
Cc: Joonsoo Kim <
iamjoon...@lge.com>
Cc: <
kasa...@googlegroups.com>
Cc: Marco Elver <
el...@google.com>
Cc: Mark Rutland <
mark.r...@arm.com>
Cc: Masami Hiramatsu (Google) <
mhir...@kernel.org>
Cc: Pekka Enberg <
pen...@kernel.org>
Cc: Roman Gushchin <
roman.g...@linux.dev>
Cc: Steven Rostedt (Google) <
ros...@goodmis.org>
Cc: Sven Schnelle <
sv...@linux.ibm.com>
Cc: Vasily Gorbik <
g...@linux.ibm.com>
Cc: Vlastimil Babka <
vba...@suse.cz>
Signed-off-by: Andrew Morton <
ak...@linux-foundation.org>
---
mm/kmsan/hooks.c | 2 +-
mm/slub.c | 15 +++++++++++----
2 files changed, 12 insertions(+), 5 deletions(-)
--- a/mm/kmsan/hooks.c~kmsan-support-slab_poison
+++ a/mm/kmsan/hooks.c
@@ -74,7 +74,7 @@ void kmsan_slab_free(struct kmem_cache *
return;
/* RCU slabs could be legally used after free within the RCU period */
- if (unlikely(s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)))
+ if (unlikely(s->flags & SLAB_TYPESAFE_BY_RCU))
return;
/*
* If there's a constructor, freed memory must remain in the same state
--- a/mm/slub.c~kmsan-support-slab_poison
+++ a/mm/slub.c
@@ -1139,7 +1139,13 @@ static void init_object(struct kmem_cach
unsigned int poison_size = s->object_size;
if (s->flags & SLAB_RED_ZONE) {
- memset(p - s->red_left_pad, val, s->red_left_pad);
+ /*
+ * Here and below, avoid overwriting the KMSAN shadow. Keeping
+ * the shadow makes it possible to distinguish uninit-value
+ * from use-after-free.
+ */
+ memset_no_sanitize_memory(p - s->red_left_pad, val,
+ s->red_left_pad);
if (slub_debug_orig_size(s) && val == SLUB_RED_ACTIVE) {
/*
@@ -1152,12 +1158,13 @@ static void init_object(struct kmem_cach
}
if (s->flags & __OBJECT_POISON) {
- memset(p, POISON_FREE, poison_size - 1);
- p[poison_size - 1] = POISON_END;
+ memset_no_sanitize_memory(p, POISON_FREE, poison_size - 1);
+ memset_no_sanitize_memory(p + poison_size - 1, POISON_END, 1);
}
if (s->flags & SLAB_RED_ZONE)
- memset(p + poison_size, val, s->inuse - poison_size);
+ memset_no_sanitize_memory(p + poison_size, val,
+ s->inuse - poison_size);
}
static void restore_bytes(struct kmem_cache *s, char *message, u8 data,
_
Patches currently in -mm which might be from
i...@linux.ibm.com are