[PATCH] kasan: Disable Software Tag-Based KASAN with GCC

[PATCH] kasan: Disable Software Tag-Based KASAN with GCC

[Will Deacon]

Syzbot reports a KASAN failure early during boot on arm64 when building
with GCC 12.2.0 and using the Software Tag-Based KASAN mode:

  | BUG: KASAN: invalid-access in smp_build_mpidr_hash arch/arm64/kernel/setup.c:133 [inline]
  | BUG: KASAN: invalid-access in setup_arch+0x984/0xd60 arch/arm64/kernel/setup.c:356
  | Write of size 4 at addr 03ff800086867e00 by task swapper/0
  | Pointer tag: [03], memory tag: [fe]

Initial triage indicates that the report is a false positive and a
thorough investigation of the crash by Mark Rutland revealed the root
cause to be a bug in GCC:

  > When GCC is passed `-fsanitize=hwaddress` or
  > `-fsanitize=kernel-hwaddress` it ignores
  > `__attribute__((no_sanitize_address))`, and instruments functions
  > we require are not instrumented.
  >
  > [...]
  >
  > All versions [of GCC] I tried were broken, from 11.3.0 to 14.2.0
  > inclusive.
  >
  > I think we have to disable KASAN_SW_TAGS with GCC until this is
  > fixed

Disable Software Tag-Based KASAN when building with GCC by making
CC_HAS_KASAN_SW_TAGS depend on !CC_IS_GCC.

Cc: Andrey Konovalov <andreyknvl@gmail.com>
Suggested-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/000000000000f362e80620e27859@google.com
Link: https://lore.kernel.org/r/ZvFGwKfoC4yVjN_X@J2N7QTR9R3
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218854
Signed-off-by: Will Deacon <will@kernel.org>
---
 lib/Kconfig.kasan | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

While sweeping up pending fixes and open bug reports, I noticed this one
had slipped through the cracks...

diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
index 98016e137b7f..233ab2096924 100644
--- a/lib/Kconfig.kasan
+++ b/lib/Kconfig.kasan
@@ -22,8 +22,11 @@ config ARCH_DISABLE_KASAN_INLINE
 config CC_HAS_KASAN_GENERIC
 	def_bool $(cc-option, -fsanitize=kernel-address)
 
+# GCC appears to ignore no_sanitize_address when -fsanitize=kernel-hwaddress
+# is passed. See https://bugzilla.kernel.org/show_bug.cgi?id=218854 (and
+# the linked LKML thread) for more details.
 config CC_HAS_KASAN_SW_TAGS
-	def_bool $(cc-option, -fsanitize=kernel-hwaddress)
+	def_bool !CC_IS_GCC && $(cc-option, -fsanitize=kernel-hwaddress)
 
 # This option is only required for software KASAN modes.
 # Old GCC versions do not have proper support for no_sanitize_address.
@@ -98,7 +101,7 @@ config KASAN_SW_TAGS
 	help
 	  Enables Software Tag-Based KASAN.
 
-	  Requires GCC 11+ or Clang.
+	  Requires Clang.
 
 	  Supported only on arm64 CPUs and relies on Top Byte Ignore.
 
-- 
2.47.0.rc1.288.g06298d1525-goog

Re: [PATCH] kasan: Disable Software Tag-Based KASAN with GCC

[Mark Rutland]

On Mon, Oct 14, 2024 at 05:11:00PM +0100, Will Deacon wrote:
> Syzbot reports a KASAN failure early during boot on arm64 when building
> with GCC 12.2.0 and using the Software Tag-Based KASAN mode:
> 
>   | BUG: KASAN: invalid-access in smp_build_mpidr_hash arch/arm64/kernel/setup.c:133 [inline]
>   | BUG: KASAN: invalid-access in setup_arch+0x984/0xd60 arch/arm64/kernel/setup.c:356
>   | Write of size 4 at addr 03ff800086867e00 by task swapper/0
>   | Pointer tag: [03], memory tag: [fe]
> 
> Initial triage indicates that the report is a false positive and a
> thorough investigation of the crash by Mark Rutland revealed the root
> cause to be a bug in GCC:
> 
>   > When GCC is passed `-fsanitize=hwaddress` or
>   > `-fsanitize=kernel-hwaddress` it ignores
>   > `__attribute__((no_sanitize_address))`, and instruments functions
>   > we require are not instrumented.
>   >
>   > [...]
>   >
>   > All versions [of GCC] I tried were broken, from 11.3.0 to 14.2.0
>   > inclusive.
>   >
>   > I think we have to disable KASAN_SW_TAGS with GCC until this is
>   > fixed
> 
> Disable Software Tag-Based KASAN when building with GCC by making
> CC_HAS_KASAN_SW_TAGS depend on !CC_IS_GCC.
> 
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Suggested-by: Mark Rutland <mark.rutland@arm.com>
> Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/r/000000000000f362e80620e27859@google.com
> Link: https://lore.kernel.org/r/ZvFGwKfoC4yVjN_X@J2N7QTR9R3
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=218854
> Signed-off-by: Will Deacon <will@kernel.org>

Acked-by: Mark Rutland <mark.rutland@arm.com>

Thanks for putting a patch together!

Mark.

> ---
>  lib/Kconfig.kasan | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> While sweeping up pending fixes and open bug reports, I noticed this one
> had slipped through the cracks...
> 
> diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
> index 98016e137b7f..233ab2096924 100644
> --- a/lib/Kconfig.kasan
> +++ b/lib/Kconfig.kasan
> @@ -22,8 +22,11 @@ config ARCH_DISABLE_KASAN_INLINE
>  config CC_HAS_KASAN_GENERIC
>  	def_bool $(cc-option, -fsanitize=kernel-address)
>  
> +# GCC appears to ignore no_sanitize_address when -fsanitize=kernel-hwaddress
> +# is passed. See https://bugzilla.kernel.org/show_bug.cgi?id=218854 (and
> +# the linked LKML thread) for more details.
>  config CC_HAS_KASAN_SW_TAGS
> -	def_bool $(cc-option, -fsanitize=kernel-hwaddress)
> +	def_bool !CC_IS_GCC && $(cc-option, -fsanitize=kernel-hwaddress)
>  
>  # This option is only required for software KASAN modes.
>  # Old GCC versions do not have proper support for no_sanitize_address.
> @@ -98,7 +101,7 @@ config KASAN_SW_TAGS
>  	help
>  	  Enables Software Tag-Based KASAN.
>  
> -	  Requires GCC 11+ or Clang.
> +	  Requires Clang.
>  
>  	  Supported only on arm64 CPUs and relies on Top Byte Ignore.
>  
> -- 
> 2.47.0.rc1.288.g06298d1525-goog
> 

Re: [PATCH] kasan: Disable Software Tag-Based KASAN with GCC

[Andrey Konovalov]

On Mon, Oct 14, 2024 at 6:11 PM Will Deacon <will@kernel.org> wrote:
>
> Syzbot reports a KASAN failure early during boot on arm64 when building
> with GCC 12.2.0 and using the Software Tag-Based KASAN mode:
>
>   | BUG: KASAN: invalid-access in smp_build_mpidr_hash arch/arm64/kernel/setup.c:133 [inline]
>   | BUG: KASAN: invalid-access in setup_arch+0x984/0xd60 arch/arm64/kernel/setup.c:356
>   | Write of size 4 at addr 03ff800086867e00 by task swapper/0
>   | Pointer tag: [03], memory tag: [fe]
>
> Initial triage indicates that the report is a false positive and a
> thorough investigation of the crash by Mark Rutland revealed the root
> cause to be a bug in GCC:
>
>   > When GCC is passed `-fsanitize=hwaddress` or
>   > `-fsanitize=kernel-hwaddress` it ignores
>   > `__attribute__((no_sanitize_address))`, and instruments functions
>   > we require are not instrumented.
>   >
>   > [...]
>   >
>   > All versions [of GCC] I tried were broken, from 11.3.0 to 14.2.0
>   > inclusive.
>   >
>   > I think we have to disable KASAN_SW_TAGS with GCC until this is
>   > fixed
>
> Disable Software Tag-Based KASAN when building with GCC by making
> CC_HAS_KASAN_SW_TAGS depend on !CC_IS_GCC.
>
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Suggested-by: Mark Rutland <mark.rutland@arm.com>
> Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/r/000000000000f362e80620e27859@google.com
> Link: https://lore.kernel.org/r/ZvFGwKfoC4yVjN_X@J2N7QTR9R3
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=218854
> Signed-off-by: Will Deacon <will@kernel.org>
> ---
>  lib/Kconfig.kasan | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> While sweeping up pending fixes and open bug reports, I noticed this one
> had slipped through the cracks...
>
> diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
> index 98016e137b7f..233ab2096924 100644
> --- a/lib/Kconfig.kasan
> +++ b/lib/Kconfig.kasan
> @@ -22,8 +22,11 @@ config ARCH_DISABLE_KASAN_INLINE
>  config CC_HAS_KASAN_GENERIC
>         def_bool $(cc-option, -fsanitize=kernel-address)
>
> +# GCC appears to ignore no_sanitize_address when -fsanitize=kernel-hwaddress
> +# is passed. See https://bugzilla.kernel.org/show_bug.cgi?id=218854 (and
> +# the linked LKML thread) for more details.
>  config CC_HAS_KASAN_SW_TAGS
> -       def_bool $(cc-option, -fsanitize=kernel-hwaddress)
> +       def_bool !CC_IS_GCC && $(cc-option, -fsanitize=kernel-hwaddress)
>
>  # This option is only required for software KASAN modes.
>  # Old GCC versions do not have proper support for no_sanitize_address.
> @@ -98,7 +101,7 @@ config KASAN_SW_TAGS
>         help
>           Enables Software Tag-Based KASAN.
>
> -         Requires GCC 11+ or Clang.
> +         Requires Clang.
>
>           Supported only on arm64 CPUs and relies on Top Byte Ignore.
>
> --
> 2.47.0.rc1.288.g06298d1525-goog
>

Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>

Thank you!

Re: [PATCH] kasan: Disable Software Tag-Based KASAN with GCC

[Will Deacon]

On Mon, 14 Oct 2024 17:11:00 +0100, Will Deacon wrote:
> Syzbot reports a KASAN failure early during boot on arm64 when building
> with GCC 12.2.0 and using the Software Tag-Based KASAN mode:
> 
>   | BUG: KASAN: invalid-access in smp_build_mpidr_hash arch/arm64/kernel/setup.c:133 [inline]
>   | BUG: KASAN: invalid-access in setup_arch+0x984/0xd60 arch/arm64/kernel/setup.c:356
>   | Write of size 4 at addr 03ff800086867e00 by task swapper/0
>   | Pointer tag: [03], memory tag: [fe]
> 
> [...]

Applied to arm64 (for-next/fixes), thanks!

[1/1] kasan: Disable Software Tag-Based KASAN with GCC
      https://git.kernel.org/arm64/c/7aed6a2c51ff

Cheers,
-- 
Will

https://fixes.arm64.dev
https://next.arm64.dev
https://will.arm64.dev

Re: [PATCH] kasan: Disable Software Tag-Based KASAN with GCC

[Marco Elver]

On Tue, Oct 15, 2024 at 01:39PM +0100, 'Will Deacon' via kasan-dev wrote:
> On Mon, 14 Oct 2024 17:11:00 +0100, Will Deacon wrote:
> > Syzbot reports a KASAN failure early during boot on arm64 when building
> > with GCC 12.2.0 and using the Software Tag-Based KASAN mode:
> > 
> >   | BUG: KASAN: invalid-access in smp_build_mpidr_hash arch/arm64/kernel/setup.c:133 [inline]
> >   | BUG: KASAN: invalid-access in setup_arch+0x984/0xd60 arch/arm64/kernel/setup.c:356
> >   | Write of size 4 at addr 03ff800086867e00 by task swapper/0
> >   | Pointer tag: [03], memory tag: [fe]
> > 
> > [...]
> 
> Applied to arm64 (for-next/fixes), thanks!
> 
> [1/1] kasan: Disable Software Tag-Based KASAN with GCC
>       https://git.kernel.org/arm64/c/7aed6a2c51ff

I do not think this is the right fix. Please see alternative below.
Please do double-check that the observed splat above is fixed with that.

Thanks,
-- Marco

------ >8 ------

From 23bd83dbff5a9778f34831ed292d5e52b4b0ee18 Mon Sep 17 00:00:00 2001
From: Marco Elver <elver@google.com>
Date: Fri, 18 Oct 2024 10:18:24 +0200
Subject: [PATCH] kasan: Fix Software Tag-Based KASAN with GCC

Per [1], -fsanitize=kernel-hwaddress with GCC currently does not disable
instrumentation in functions with __attribute__((no_sanitize_address)).

However, __attribute__((no_sanitize("hwaddress"))) does correctly
disable instrumentation. Use it instead.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117196 [1]
Link: https://lore.kernel.org/r/000000000000f362e80620e27859@google.com
Link: https://lore.kernel.org/r/ZvFGwKfoC4yVjN_X@J2N7QTR9R3
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218854
Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com
Cc: Andrew Pinski <pinskia@gmail.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Marco Elver <elver@google.com>
---
 include/linux/compiler-gcc.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index f805adaa316e..cd6f9aae311f 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -80,7 +80,11 @@
 #define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
 #endif
 
+#ifdef __SANITIZE_HWADDRESS__
+#define __no_sanitize_address __attribute__((__no_sanitize__("hwaddress")))
+#else
 #define __no_sanitize_address __attribute__((__no_sanitize_address__))
+#endif
 
 #if defined(__SANITIZE_THREAD__)
 #define __no_sanitize_thread __attribute__((__no_sanitize_thread__))
-- 
2.47.0.rc1.288.g06298d1525-goog

Re: [PATCH] kasan: Disable Software Tag-Based KASAN with GCC

[Andrey Konovalov]

On Fri, Oct 18, 2024 at 10:37 AM Marco Elver <elver@google.com> wrote:
>
> > Applied to arm64 (for-next/fixes), thanks!
> >
> > [1/1] kasan: Disable Software Tag-Based KASAN with GCC
> >       https://git.kernel.org/arm64/c/7aed6a2c51ff
>
> I do not think this is the right fix. Please see alternative below.
> Please do double-check that the observed splat above is fixed with that.
>
> Thanks,
> -- Marco
>
> ------ >8 ------
>
> From 23bd83dbff5a9778f34831ed292d5e52b4b0ee18 Mon Sep 17 00:00:00 2001
> From: Marco Elver <elver@google.com>
> Date: Fri, 18 Oct 2024 10:18:24 +0200
> Subject: [PATCH] kasan: Fix Software Tag-Based KASAN with GCC
>
> Per [1], -fsanitize=kernel-hwaddress with GCC currently does not disable
> instrumentation in functions with __attribute__((no_sanitize_address)).
>
> However, __attribute__((no_sanitize("hwaddress"))) does correctly
> disable instrumentation. Use it instead.
>
> Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117196 [1]
> Link: https://lore.kernel.org/r/000000000000f362e80620e27859@google.com
> Link: https://lore.kernel.org/r/ZvFGwKfoC4yVjN_X@J2N7QTR9R3
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=218854
> Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com
> Cc: Andrew Pinski <pinskia@gmail.com>
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Cc: Mark Rutland <mark.rutland@arm.com>
> Cc: Will Deacon <will@kernel.org>
> Signed-off-by: Marco Elver <elver@google.com>
> ---
>  include/linux/compiler-gcc.h | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
> index f805adaa316e..cd6f9aae311f 100644
> --- a/include/linux/compiler-gcc.h
> +++ b/include/linux/compiler-gcc.h
> @@ -80,7 +80,11 @@
>  #define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
>  #endif
>
> +#ifdef __SANITIZE_HWADDRESS__
> +#define __no_sanitize_address __attribute__((__no_sanitize__("hwaddress")))
> +#else
>  #define __no_sanitize_address __attribute__((__no_sanitize_address__))
> +#endif
>
>  #if defined(__SANITIZE_THREAD__)
>  #define __no_sanitize_thread __attribute__((__no_sanitize_thread__))
> --
> 2.47.0.rc1.288.g06298d1525-goog

Tested the change, it does fix the boot-time issue #1 from [1], but #2
and #3 still exist.

However, perhaps, just fixing #1 is already good enough to do a revert
of the Will's patch - at least the kernel will boot without
false-positive reports.

But I would keep a note that SW_TAGS doesn't work well with GCC until
[1] is fully resolved.

Thanks!

[1] https://bugzilla.kernel.org/show_bug.cgi?id=218854

Re: [PATCH] kasan: Disable Software Tag-Based KASAN with GCC

[Marco Elver]

On Fri, 18 Oct 2024 at 22:25, Andrey Konovalov <andreyknvl@gmail.com> wrote:
>
> On Fri, Oct 18, 2024 at 10:37 AM Marco Elver <elver@google.com> wrote:
> >
> > > Applied to arm64 (for-next/fixes), thanks!
> > >
> > > [1/1] kasan: Disable Software Tag-Based KASAN with GCC
> > >       https://git.kernel.org/arm64/c/7aed6a2c51ff
> >
> > I do not think this is the right fix. Please see alternative below.
> > Please do double-check that the observed splat above is fixed with that.
> >
> > Thanks,
> > -- Marco
> >
> > ------ >8 ------
> >
> > From 23bd83dbff5a9778f34831ed292d5e52b4b0ee18 Mon Sep 17 00:00:00 2001
> > From: Marco Elver <elver@google.com>
> > Date: Fri, 18 Oct 2024 10:18:24 +0200
> > Subject: [PATCH] kasan: Fix Software Tag-Based KASAN with GCC
> >
> > Per [1], -fsanitize=kernel-hwaddress with GCC currently does not disable
> > instrumentation in functions with __attribute__((no_sanitize_address)).
> >
> > However, __attribute__((no_sanitize("hwaddress"))) does correctly
> > disable instrumentation. Use it instead.
> >
> > Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117196 [1]
> > Link: https://lore.kernel.org/r/000000000000f362e80620e27859@google.com
> > Link: https://lore.kernel.org/r/ZvFGwKfoC4yVjN_X@J2N7QTR9R3
> > Link: https://bugzilla.kernel.org/show_bug.cgi?id=218854
> > Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com
> > Cc: Andrew Pinski <pinskia@gmail.com>
> > Cc: Andrey Konovalov <andreyknvl@gmail.com>
> > Cc: Mark Rutland <mark.rutland@arm.com>
> > Cc: Will Deacon <will@kernel.org>
> > Signed-off-by: Marco Elver <elver@google.com>
> > ---
> >  include/linux/compiler-gcc.h | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
> > index f805adaa316e..cd6f9aae311f 100644
> > --- a/include/linux/compiler-gcc.h
> > +++ b/include/linux/compiler-gcc.h
> > @@ -80,7 +80,11 @@
> >  #define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
> >  #endif
> >
> > +#ifdef __SANITIZE_HWADDRESS__
> > +#define __no_sanitize_address __attribute__((__no_sanitize__("hwaddress")))
> > +#else
> >  #define __no_sanitize_address __attribute__((__no_sanitize_address__))
> > +#endif
> >
> >  #if defined(__SANITIZE_THREAD__)
> >  #define __no_sanitize_thread __attribute__((__no_sanitize_thread__))
> > --
> > 2.47.0.rc1.288.g06298d1525-goog
>
> Tested the change, it does fix the boot-time issue #1 from [1], but #2
> and #3 still exist.

Thanks for testing.
AFAIK #2 and #3 look like false negatives, which are tolerable (not
great, but it does not cause serious issues).

> However, perhaps, just fixing #1 is already good enough to do a revert
> of the Will's patch - at least the kernel will boot without
> false-positive reports.
>
> But I would keep a note that SW_TAGS doesn't work well with GCC until
> [1] is fully resolved.
>
> Thanks!
>
> [1] https://bugzilla.kernel.org/show_bug.cgi?id=218854