From: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
To: Alexander Potapenko <glider@google.com>
Cc: elver@google.com, dvyukov@google.com, akpm@linux-foundation.org,
linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
linux-mm@kvack.org
Subject: Re: [PATCH 1/2] kmsan: do not wipe out origin when doing partial unpoisoning
Date: Tue, 28 May 2024 19:01:25 +0200 [thread overview]
Message-ID: <ZlYN5Wh4zDgRIrAx@rex> (raw)
In-Reply-To: <20240528104807.738758-1-glider@google.com>
On Tue, May 28, 2024 at 12:48:06PM +0200, Alexander Potapenko wrote:
> As noticed by Brian, KMSAN should not be zeroing the origin when
> unpoisoning parts of a four-byte uninitialized value, e.g.:
>
> char a[4];
> kmsan_unpoison_memory(a, 1);
>
> This led to false negatives, as certain poisoned values could receive zero
> origins, preventing those values from being reported.
>
> To fix the problem, check that kmsan_internal_set_shadow_origin() writes
> zero origins only to slots which have zero shadow.
>
> Reported-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
> Link: https://lore.kernel.org/lkml/20240524232804.1984355-1-bjohannesmeyer@gmail.com/T/
> Fixes: f80be4571b19 ("kmsan: add KMSAN runtime core")
> Signed-off-by: Alexander Potapenko <glider@google.com>
> ---
> mm/kmsan/core.c | 15 +++++++++++----
> 1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/mm/kmsan/core.c b/mm/kmsan/core.c
> index cf2d70e9c9a5f..95f859e38c533 100644
> --- a/mm/kmsan/core.c
> +++ b/mm/kmsan/core.c
> @@ -196,8 +196,7 @@ void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b,
> u32 origin, bool checked)
> {
> u64 address = (u64)addr;
> - void *shadow_start;
> - u32 *origin_start;
> + u32 *shadow_start, *origin_start;
> size_t pad = 0;
>
> KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size));
> @@ -225,8 +224,16 @@ void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b,
> origin_start =
> (u32 *)kmsan_get_metadata((void *)address, KMSAN_META_ORIGIN);
>
> - for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++)
> - origin_start[i] = origin;
> + /*
> + * If the new origin is non-zero, assume that the shadow byte is also non-zero,
> + * and unconditionally overwrite the old origin slot.
> + * If the new origin is zero, overwrite the old origin slot iff the
> + * corresponding shadow slot is zero.
> + */
> + for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) {
> + if (origin || !shadow_start[i])
> + origin_start[i] = origin;
> + }
> }
>
> struct page *kmsan_vmalloc_to_page_or_null(void *vaddr)
> --
> 2.45.1.288.g0e0cd299f1-goog
>
Tested-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
prev parent reply other threads:[~2024-05-28 17:01 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-28 10:48 [PATCH 1/2] kmsan: do not wipe out origin when doing partial unpoisoning Alexander Potapenko
2024-05-28 10:48 ` [PATCH 2/2] kmsan: introduce test_unpoison_memory() Alexander Potapenko
2024-05-28 12:38 ` [PATCH 1/2] kmsan: do not wipe out origin when doing partial unpoisoning Marco Elver
2024-05-28 17:01 ` Brian Johannesmeyer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZlYN5Wh4zDgRIrAx@rex \
--to=bjohannesmeyer@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.