linux-arm-kernel.lists.infradead.org archive mirror
* [PATCH] arm64: Fix KASAN random tag seed initialization
@ 2024-08-14  9:09 Samuel Holland
  2024-08-14 16:04 ` Andrey Konovalov
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Samuel Holland @ 2024-08-14  9:09 UTC (permalink / raw)
  To: linux-arm-kernel
  Cc: Samuel Holland, Andrew Morton, Andrey Konovalov, Ard Biesheuvel,
	Catalin Marinas, Douglas Anderson, Frederic Weisbecker,
	James Morse, Jonathan Cameron, Mark Rutland, Puranjay Mohan,
	Russell King (Oracle), Ryo Takakura, Shaoqin Huang, Stephen Boyd,
	Thomas Gleixner, Will Deacon, linux-kernel

Currently, kasan_init_sw_tags() is called before setup_per_cpu_areas(),
so per_cpu(prng_state, cpu) accesses the same address regardless of the
value of "cpu", and the same seed value gets copied to the percpu area
for every CPU. Fix this by moving the call to smp_prepare_boot_cpu(),
which is the first architecture hook after setup_per_cpu_areas().

Fixes: 3c9e3aa11094 ("kasan: add tag related helper functions")
Fixes: 3f41b6093823 ("kasan: fix random seed generation for tag-based mode")
Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
---

 arch/arm64/kernel/setup.c | 3 ---
 arch/arm64/kernel/smp.c   | 2 ++
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
index a096e2451044..b22d28ec8028 100644
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -355,9 +355,6 @@ void __init __no_sanitize_address setup_arch(char **cmdline_p)
 	smp_init_cpus();
 	smp_build_mpidr_hash();
 
-	/* Init percpu seeds for random tags after cpus are set up. */
-	kasan_init_sw_tags();
-
 #ifdef CONFIG_ARM64_SW_TTBR0_PAN
 	/*
 	 * Make sure init_thread_info.ttbr0 always generates translation
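Review bot: Dropping the call from setup_arch() after smp_build_mpidr_hash() means the software-tag seeds stay unset for everything that runs between this point and smp_prepare_boot_cpu(), and the commit message does not say whether that window matters. Please state there whether any tagged allocation can happen before smp_prepare_boot_cpu() runs, or that nothing reads the seeds that early, so the longer unseeded window is a documented decision rather than a side effect of the move.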
diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
index 5e18fbcee9a2..f01f0fd7b7fe 100644
--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -467,6 +467,8 @@ void __init smp_prepare_boot_cpu(void)
 		init_gic_priority_masking();
 
 	kasan_init_hw_tags();
+	/* Init percpu seeds for random tags after cpus are set up. */
+	kasan_init_sw_tags();
 }
 
 /*
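Review bot: The comment added above kasan_init_sw_tags() in smp_prepare_boot_cpu() is copied verbatim from setup.c and still says "after cpus are set up", while the ordering the commit message actually depends on is setup_per_cpu_areas(). Suggest rewording it to "Init percpu seeds for random tags after percpu areas are set up." so the constraint that motivated the move is recorded at the call site and the call is not moved earlier again. A blank line between kasan_init_hw_tags(); and the new comment would also match the spacing of the lines above it.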
-- 
2.45.1




* Re: [PATCH] arm64: Fix KASAN random tag seed initialization
  2024-08-14  9:09 [PATCH] arm64: Fix KASAN random tag seed initialization Samuel Holland
@ 2024-08-14 16:04 ` Andrey Konovalov
  2024-08-14 16:18 ` Catalin Marinas
  2024-08-15 10:07 ` Catalin Marinas
  2 siblings, 0 replies; 5+ messages in thread
From: Andrey Konovalov @ 2024-08-14 16:04 UTC (permalink / raw)
  To: Samuel Holland
  Cc: linux-arm-kernel, Andrew Morton, Ard Biesheuvel, Catalin Marinas,
	Douglas Anderson, Frederic Weisbecker, James Morse,
	Jonathan Cameron, Mark Rutland, Puranjay Mohan,
	Russell King (Oracle), Ryo Takakura, Shaoqin Huang, Stephen Boyd,
	Thomas Gleixner, Will Deacon, linux-kernel

On Wed, Aug 14, 2024 at 11:10 AM Samuel Holland
<samuel.holland@sifive.com> wrote:
>
> Currently, kasan_init_sw_tags() is called before setup_per_cpu_areas(),
> so per_cpu(prng_state, cpu) accesses the same address regardless of the
> value of "cpu", and the same seed value gets copied to the percpu area
> for every CPU. Fix this by moving the call to smp_prepare_boot_cpu(),
> which is the first architecture hook after setup_per_cpu_areas().
>
> Fixes: 3c9e3aa11094 ("kasan: add tag related helper functions")
> Fixes: 3f41b6093823 ("kasan: fix random seed generation for tag-based mode")
> Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
> ---
>
>  arch/arm64/kernel/setup.c | 3 ---
>  arch/arm64/kernel/smp.c   | 2 ++
>  2 files changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
> index a096e2451044..b22d28ec8028 100644
> --- a/arch/arm64/kernel/setup.c
> +++ b/arch/arm64/kernel/setup.c
> @@ -355,9 +355,6 @@ void __init __no_sanitize_address setup_arch(char **cmdline_p)
>         smp_init_cpus();
>         smp_build_mpidr_hash();
>
> -       /* Init percpu seeds for random tags after cpus are set up. */
> -       kasan_init_sw_tags();
> -
>  #ifdef CONFIG_ARM64_SW_TTBR0_PAN
>         /*
>          * Make sure init_thread_info.ttbr0 always generates translation
> diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
> index 5e18fbcee9a2..f01f0fd7b7fe 100644
> --- a/arch/arm64/kernel/smp.c
> +++ b/arch/arm64/kernel/smp.c
> @@ -467,6 +467,8 @@ void __init smp_prepare_boot_cpu(void)
>                 init_gic_priority_masking();
>
>         kasan_init_hw_tags();
> +       /* Init percpu seeds for random tags after cpus are set up. */
> +       kasan_init_sw_tags();
>  }
>
>  /*
> --
> 2.45.1
>

Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>

Thank you!



* Re: [PATCH] arm64: Fix KASAN random tag seed initialization
  2024-08-14  9:09 [PATCH] arm64: Fix KASAN random tag seed initialization Samuel Holland
  2024-08-14 16:04 ` Andrey Konovalov
@ 2024-08-14 16:18 ` Catalin Marinas
  2024-08-14 17:25   ` Andrey Konovalov
  2024-08-15 10:07 ` Catalin Marinas
  2 siblings, 1 reply; 5+ messages in thread
From: Catalin Marinas @ 2024-08-14 16:18 UTC (permalink / raw)
  To: Samuel Holland
  Cc: linux-arm-kernel, Andrew Morton, Andrey Konovalov, Ard Biesheuvel,
	Douglas Anderson, Frederic Weisbecker, James Morse,
	Jonathan Cameron, Mark Rutland, Puranjay Mohan,
	Russell King (Oracle), Ryo Takakura, Shaoqin Huang, Stephen Boyd,
	Thomas Gleixner, Will Deacon, linux-kernel

On Wed, Aug 14, 2024 at 02:09:53AM -0700, Samuel Holland wrote:
> Currently, kasan_init_sw_tags() is called before setup_per_cpu_areas(),
> so per_cpu(prng_state, cpu) accesses the same address regardless of the
> value of "cpu", and the same seed value gets copied to the percpu area
> for every CPU. Fix this by moving the call to smp_prepare_boot_cpu(),
> which is the first architecture hook after setup_per_cpu_areas().

Even with the fix, given the lower resolution of get_cycles(), there's a
good chance that we still have the same seed on all CPUs. If we want
separate seeds, a better bet would be to initialise each CPU separately
via the secondary_start_kernel() path. I'll let the KASAN people comment
on whether that's important.

-- 
Catalin
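
The ordering bug from the commit message and the timer-resolution point raised in the reply above, as an added user-space model that is not part of the thread or of the kernel source. percpu_mem, per_cpu_offset, fake_clock, clock_shift and distinct_seeds() are constructed for illustration; only the call order mirrors the patch.

```c
#include <stdint.h>
#include <string.h>

#define NR_CPUS 4
/* Constructed user-space model: slot 0 is the percpu template, 1..N the per-CPU copies. */
static uint32_t percpu_mem[1 + NR_CPUS];
static size_t per_cpu_offset[NR_CPUS];	/* all zero until setup_per_cpu_areas() */
#define per_cpu_prng_state(cpu) (percpu_mem[per_cpu_offset[cpu]])
static uint64_t fake_clock;		/* constructed stand-in for the cycle counter */
static unsigned int clock_shift;	/* larger shift = coarser get_cycles() */

static uint32_t get_cycles(void)
{
	fake_clock += 3;	/* a few ticks pass between loop iterations */
	return (uint32_t)(fake_clock >> clock_shift);
}

static void setup_per_cpu_areas(void)
{
	for (int cpu = 0; cpu < NR_CPUS; cpu++) {
		per_cpu_offset[cpu] = 1 + cpu;
		percpu_mem[1 + cpu] = percpu_mem[0];	/* template copied to every CPU */
	}
}

static void kasan_init_sw_tags(void)
{
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		per_cpu_prng_state(cpu) = get_cycles();
}

/* Boot once with the chosen call order and count distinct seeds across CPUs. */
int distinct_seeds(int seed_before_setup, unsigned int shift)
{
	int distinct = 0;
	memset(per_cpu_offset, 0, sizeof(per_cpu_offset));
	fake_clock = 1000;
	clock_shift = shift;
	if (seed_before_setup)
		kasan_init_sw_tags();	/* old order: every write lands in slot 0 */
	setup_per_cpu_areas();
	if (!seed_before_setup)
		kasan_init_sw_tags();	/* patched order: each CPU has its own slot */
	for (int i = 0; i < NR_CPUS; i++) {
		int j = 0;
		while (j < i && per_cpu_prng_state(j) != per_cpu_prng_state(i))
			j++;
		distinct += (j == i);
	}
	return distinct;
}
```

Calling distinct_seeds(1, 0) models the old call order, distinct_seeds(0, 0) the patched order with a fine-grained counter, and distinct_seeds(0, 10) the patched order with a counter too coarse to advance between loop iterations.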



* Re: [PATCH] arm64: Fix KASAN random tag seed initialization
  2024-08-14 16:18 ` Catalin Marinas
@ 2024-08-14 17:25   ` Andrey Konovalov
  0 siblings, 0 replies; 5+ messages in thread
From: Andrey Konovalov @ 2024-08-14 17:25 UTC (permalink / raw)
  To: Catalin Marinas
  Cc: Samuel Holland, linux-arm-kernel, Andrew Morton, Ard Biesheuvel,
	Douglas Anderson, Frederic Weisbecker, James Morse,
	Jonathan Cameron, Mark Rutland, Puranjay Mohan,
	Russell King (Oracle), Ryo Takakura, Shaoqin Huang, Stephen Boyd,
	Thomas Gleixner, Will Deacon, linux-kernel

On Wed, Aug 14, 2024 at 6:19 PM Catalin Marinas <catalin.marinas@arm.com> wrote:
>
> On Wed, Aug 14, 2024 at 02:09:53AM -0700, Samuel Holland wrote:
> > Currently, kasan_init_sw_tags() is called before setup_per_cpu_areas(),
> > so per_cpu(prng_state, cpu) accesses the same address regardless of the
> > value of "cpu", and the same seed value gets copied to the percpu area
> > for every CPU. Fix this by moving the call to smp_prepare_boot_cpu(),
> > which is the first architecture hook after setup_per_cpu_areas().
>
> Even with the fix, given the lower resolution of get_cycles(), there's a
> good chance that we still have the same seed on all CPUs. If we want
> separate seeds, a better bet would be to initialise each CPU separately
> via the secondary_start_kernel() path. I'll let the KASAN people comment
> on whether that's important.

I think it's fine if we end up with the same seed: SW_TAGS KASAN is
just a debugging feature, not a mitigation. We just want some kind of
randomness.

Calling kasan_init_sw_tags() after setup_per_cpu_areas() seems
reasonable though.



* Re: [PATCH] arm64: Fix KASAN random tag seed initialization
  2024-08-14  9:09 [PATCH] arm64: Fix KASAN random tag seed initialization Samuel Holland
  2024-08-14 16:04 ` Andrey Konovalov
  2024-08-14 16:18 ` Catalin Marinas
@ 2024-08-15 10:07 ` Catalin Marinas
  2 siblings, 0 replies; 5+ messages in thread
From: Catalin Marinas @ 2024-08-15 10:07 UTC (permalink / raw)
  To: linux-arm-kernel, Samuel Holland
  Cc: Andrew Morton, Andrey Konovalov, Ard Biesheuvel, Douglas Anderson,
	Frederic Weisbecker, James Morse, Jonathan Cameron, Mark Rutland,
	Puranjay Mohan, Russell King (Oracle), Ryo Takakura,
	Shaoqin Huang, Stephen Boyd, Thomas Gleixner, Will Deacon,
	linux-kernel

On Wed, 14 Aug 2024 02:09:53 -0700, Samuel Holland wrote:
> Currently, kasan_init_sw_tags() is called before setup_per_cpu_areas(),
> so per_cpu(prng_state, cpu) accesses the same address regardless of the
> value of "cpu", and the same seed value gets copied to the percpu area
> for every CPU. Fix this by moving the call to smp_prepare_boot_cpu(),
> which is the first architecture hook after setup_per_cpu_areas().
> 
> 
> [...]

Applied to arm64 (for-next/fixes), thanks!

[1/1] arm64: Fix KASAN random tag seed initialization
      https://git.kernel.org/arm64/c/f75c235565f9

-- 
Catalin


