Dmitry Vyukov <dvyu...@google.com> writes: > On Fri, Feb 15, 2019 at 1:05 AM Daniel Axtens <d...@axtens.net> wrote: >> >> Wire up KASAN. Only outline instrumentation is supported. >> >> The KASAN shadow area is mapped into vmemmap space: >> 0x8000 0400 0000 0000 to 0x8000 0600 0000 0000. >> To do this we require that vmemmap be disabled. (This is the default >> in the kernel config that QorIQ provides for the machine in their >> SDK anyway - they use flat memory.) >> >> Only the kernel linear mapping (0xc000...) is checked. The vmalloc and >> ioremap areas (also in 0x800...) are all mapped to a zero page. As >> with the Book3S hash series, this requires overriding the memory <-> >> shadow mapping. >> >> Also, as with both previous 64-bit series, early instrumentation is not >> supported. It would allow us to drop the check_return_arch_not_ready() >> hook in the KASAN core, but it's tricky to get it set up early enough: >> we need it setup before the first call to instrumented code like printk(). >> Perhaps in the future. >> >> Only KASAN_MINIMAL works. >> >> Lightly tested on e6500. KVM, kexec and xmon have not been tested. > > Hi Daniel, > > This is great! > > Not related to the patch, but if you booted a real devices and used it > to some degree, I wonder if you hit any KASAN reports?
Not yet, but the hope is that I will be able to extend this to book3s and then it will be more useful in combination with syzkaller. Regards, Daniel > > Thanks > >> The test_kasan module fires warnings as expected, except for the >> following tests: >> >> - Expected/by design: >> kasan test: memcg_accounted_kmem_cache allocate memcg accounted object >> >> - Due to only supporting KASAN_MINIMAL: >> kasan test: kasan_stack_oob out-of-bounds on stack >> kasan test: kasan_global_oob out-of-bounds global variable >> kasan test: kasan_alloca_oob_left out-of-bounds to left on alloca >> kasan test: kasan_alloca_oob_right out-of-bounds to right on alloca >> kasan test: use_after_scope_test use-after-scope on int >> kasan test: use_after_scope_test use-after-scope on array >> >> Thanks to those who have done the heavy lifting over the past several years: >> - Christophe's 32 bit series: >> https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-February/185379.html >> - Aneesh's Book3S hash series: https://lwn.net/Articles/655642/ >> - Balbir's Book3S radix series: https://patchwork.ozlabs.org/patch/795211/ >> >> Cc: Christophe Leroy <christophe.le...@c-s.fr> >> Cc: Aneesh Kumar K.V <aneesh.ku...@linux.vnet.ibm.com> >> Cc: Balbir Singh <bsinghar...@gmail.com> >> Signed-off-by: Daniel Axtens <d...@axtens.net> >> >> --- >> >> While useful if you have a book3e device, this is mostly intended >> as a warm-up exercise for reviving Aneesh's series for book3s hash. >> In particular, changes to the kasan core are going to be required >> for hash and radix as well. >> --- >> arch/powerpc/Kconfig | 1 + >> arch/powerpc/Makefile | 2 + >> arch/powerpc/include/asm/kasan.h | 77 ++++++++++++++++++-- >> arch/powerpc/include/asm/ppc_asm.h | 7 ++ >> arch/powerpc/include/asm/string.h | 7 +- >> arch/powerpc/lib/mem_64.S | 6 +- >> arch/powerpc/lib/memcmp_64.S | 5 +- >> arch/powerpc/lib/memcpy_64.S | 3 +- >> arch/powerpc/lib/string.S | 15 ++-- >> arch/powerpc/mm/Makefile | 2 + >> arch/powerpc/mm/kasan/Makefile | 1 + >> arch/powerpc/mm/kasan/kasan_init_book3e_64.c | 53 ++++++++++++++ >> arch/powerpc/purgatory/Makefile | 3 + >> arch/powerpc/xmon/Makefile | 1 + >> 14 files changed, 164 insertions(+), 19 deletions(-) >> create mode 100644 arch/powerpc/mm/kasan/kasan_init_book3e_64.c >> >> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig >> index 850b06def84f..2c7c20d52778 100644 >> --- a/arch/powerpc/Kconfig >> +++ b/arch/powerpc/Kconfig >> @@ -176,6 +176,7 @@ config PPC >> select HAVE_ARCH_AUDITSYSCALL >> select HAVE_ARCH_JUMP_LABEL >> select HAVE_ARCH_KASAN if PPC32 >> + select HAVE_ARCH_KASAN if PPC_BOOK3E_64 && >> !SPARSEMEM_VMEMMAP >> select HAVE_ARCH_KGDB >> select HAVE_ARCH_MMAP_RND_BITS >> select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT >> diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile >> index f0738099e31e..21c2dadf0315 100644 >> --- a/arch/powerpc/Makefile >> +++ b/arch/powerpc/Makefile >> @@ -428,11 +428,13 @@ endif >> endif >> >> ifdef CONFIG_KASAN >> +ifdef CONFIG_PPC32 >> prepare: kasan_prepare >> >> kasan_prepare: prepare0 >> $(eval KASAN_SHADOW_OFFSET = $(shell awk '{if ($$2 == >> "KASAN_SHADOW_OFFSET") print $$3;}' include/generated/asm-offsets.h)) >> endif >> +endif >> >> # Check toolchain versions: >> # - gcc-4.6 is the minimum kernel-wide version so nothing required. >> diff --git a/arch/powerpc/include/asm/kasan.h >> b/arch/powerpc/include/asm/kasan.h >> index 5d0088429b62..c2f6f05dfaa3 100644 >> --- a/arch/powerpc/include/asm/kasan.h >> +++ b/arch/powerpc/include/asm/kasan.h >> @@ -5,20 +5,85 @@ >> #ifndef __ASSEMBLY__ >> >> #include <asm/page.h> >> +#include <asm/pgtable.h> >> #include <asm/pgtable-types.h> >> -#include <asm/fixmap.h> >> >> #define KASAN_SHADOW_SCALE_SHIFT 3 >> -#define KASAN_SHADOW_SIZE ((~0UL - PAGE_OFFSET + 1) >> >> KASAN_SHADOW_SCALE_SHIFT) >> >> -#define KASAN_SHADOW_START (ALIGN_DOWN(FIXADDR_START - >> KASAN_SHADOW_SIZE, \ >> - PGDIR_SIZE)) >> -#define KASAN_SHADOW_END (KASAN_SHADOW_START + KASAN_SHADOW_SIZE) >> #define KASAN_SHADOW_OFFSET (KASAN_SHADOW_START - \ >> (PAGE_OFFSET >> KASAN_SHADOW_SCALE_SHIFT)) >> +#define KASAN_SHADOW_END (KASAN_SHADOW_START + KASAN_SHADOW_SIZE) >> + >> + >> +#ifdef CONFIG_PPC32 >> +#include <asm/fixmap.h> >> +#define KASAN_SHADOW_START (ALIGN_DOWN(FIXADDR_START - >> KASAN_SHADOW_SIZE, \ >> + PGDIR_SIZE)) >> +#define KASAN_SHADOW_SIZE ((~0UL - PAGE_OFFSET + 1) >> >> KASAN_SHADOW_SCALE_SHIFT) >> >> void kasan_early_init(void); >> + >> +#endif /* CONFIG_PPC32 */ >> + >> +#ifdef CONFIG_PPC_BOOK3E_64 >> +#define KASAN_SHADOW_START VMEMMAP_BASE >> +#define KASAN_SHADOW_SIZE (KERN_VIRT_SIZE >> KASAN_SHADOW_SCALE_SHIFT) >> + >> +extern struct static_key_false powerpc_kasan_enabled_key; >> +#define check_return_arch_not_ready() \ >> + do { \ >> + if (!static_branch_likely(&powerpc_kasan_enabled_key)) \ >> + return; \ >> + } while (0) >> + >> +extern unsigned char kasan_zero_page[PAGE_SIZE]; >> +static inline void *kasan_mem_to_shadow_book3e(const void *addr) >> +{ >> + if ((unsigned long)addr >= KERN_VIRT_START && >> + (unsigned long)addr < (KERN_VIRT_START + KERN_VIRT_SIZE)) { >> + return (void *)kasan_zero_page; >> + } >> + >> + return (void *)((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) >> + + KASAN_SHADOW_OFFSET; >> +} >> +#define kasan_mem_to_shadow kasan_mem_to_shadow_book3e >> + >> +static inline void *kasan_shadow_to_mem_book3e(const void *shadow_addr) >> +{ >> + /* >> + * We map the entire non-linear virtual mapping onto the zero page >> so if >> + * we are asked to map the zero page back just pick the beginning of >> that >> + * area. >> + */ >> + if (shadow_addr >= (void *)kasan_zero_page && >> + shadow_addr < (void *)(kasan_zero_page + PAGE_SIZE)) { >> + return (void *)KERN_VIRT_START; >> + } >> + >> + return (void *)(((unsigned long)shadow_addr - KASAN_SHADOW_OFFSET) >> + << KASAN_SHADOW_SCALE_SHIFT); >> +} >> +#define kasan_shadow_to_mem kasan_shadow_to_mem_book3e >> + >> +static inline bool kasan_addr_has_shadow_book3e(const void *addr) >> +{ >> + /* >> + * We want to specifically assert that the addresses in the 0x8000... >> + * region have a shadow, otherwise they are considered by the kasan >> + * core to be wild pointers >> + */ >> + if ((unsigned long)addr >= KERN_VIRT_START && >> + (unsigned long)addr < (KERN_VIRT_START + KERN_VIRT_SIZE)) { >> + return true; >> + } >> + return (addr >= kasan_shadow_to_mem((void *)KASAN_SHADOW_START)); >> +} >> +#define kasan_addr_has_shadow kasan_addr_has_shadow_book3e >> + >> +#endif /* CONFIG_PPC_BOOK3E_64 */ >> + >> void kasan_init(void); >> >> -#endif >> +#endif /* CONFIG_KASAN */ >> #endif >> diff --git a/arch/powerpc/include/asm/ppc_asm.h >> b/arch/powerpc/include/asm/ppc_asm.h >> index dba2c1038363..fd7c9fa9d307 100644 >> --- a/arch/powerpc/include/asm/ppc_asm.h >> +++ b/arch/powerpc/include/asm/ppc_asm.h >> @@ -251,10 +251,17 @@ GLUE(.,name): >> >> #define _GLOBAL_TOC(name) _GLOBAL(name) >> >> +#endif /* 32-bit */ >> + >> +/* KASAN helpers */ >> #define KASAN_OVERRIDE(x, y) \ >> .weak x; \ >> .set x, y >> >> +#ifdef CONFIG_KASAN >> +#define EXPORT_SYMBOL_NOKASAN(x) >> +#else >> +#define EXPORT_SYMBOL_NOKASAN(x) EXPORT_SYMBOL(x) >> #endif >> >> /* >> diff --git a/arch/powerpc/include/asm/string.h >> b/arch/powerpc/include/asm/string.h >> index 64d44d4836b4..e2801d517d57 100644 >> --- a/arch/powerpc/include/asm/string.h >> +++ b/arch/powerpc/include/asm/string.h >> @@ -4,13 +4,16 @@ >> >> #ifdef __KERNEL__ >> >> +#ifndef CONFIG_KASAN >> #define __HAVE_ARCH_STRNCPY >> #define __HAVE_ARCH_STRNCMP >> +#define __HAVE_ARCH_MEMCHR >> +#define __HAVE_ARCH_MEMCMP >> +#endif >> + >> #define __HAVE_ARCH_MEMSET >> #define __HAVE_ARCH_MEMCPY >> #define __HAVE_ARCH_MEMMOVE >> -#define __HAVE_ARCH_MEMCMP >> -#define __HAVE_ARCH_MEMCHR >> #define __HAVE_ARCH_MEMSET16 >> #define __HAVE_ARCH_MEMCPY_FLUSHCACHE >> >> diff --git a/arch/powerpc/lib/mem_64.S b/arch/powerpc/lib/mem_64.S >> index 3c3be02f33b7..3ff4c6b45505 100644 >> --- a/arch/powerpc/lib/mem_64.S >> +++ b/arch/powerpc/lib/mem_64.S >> @@ -30,7 +30,8 @@ EXPORT_SYMBOL(__memset16) >> EXPORT_SYMBOL(__memset32) >> EXPORT_SYMBOL(__memset64) >> >> -_GLOBAL(memset) >> +_GLOBAL(__memset) >> +KASAN_OVERRIDE(memset, __memset) >> neg r0,r3 >> rlwimi r4,r4,8,16,23 >> andi. r0,r0,7 /* # bytes to be 8-byte aligned */ >> @@ -97,7 +98,8 @@ _GLOBAL(memset) >> blr >> EXPORT_SYMBOL(memset) >> >> -_GLOBAL_TOC(memmove) >> +_GLOBAL_TOC(__memmove) >> +KASAN_OVERRIDE(memmove, __memmove) >> cmplw 0,r3,r4 >> bgt backwards_memcpy >> b memcpy >> diff --git a/arch/powerpc/lib/memcmp_64.S b/arch/powerpc/lib/memcmp_64.S >> index 844d8e774492..21aee60de2cd 100644 >> --- a/arch/powerpc/lib/memcmp_64.S >> +++ b/arch/powerpc/lib/memcmp_64.S >> @@ -102,7 +102,8 @@ >> * 2) src/dst has different offset to the 8 bytes boundary. The handlers >> * are named like .Ldiffoffset_xxxx >> */ >> -_GLOBAL_TOC(memcmp) >> +_GLOBAL_TOC(__memcmp) >> +KASAN_OVERRIDE(memcmp, __memcmp) >> cmpdi cr1,r5,0 >> >> /* Use the short loop if the src/dst addresses are not >> @@ -630,4 +631,4 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) >> b .Lcmp_lt32bytes >> >> #endif >> -EXPORT_SYMBOL(memcmp) >> +EXPORT_SYMBOL_NOKASAN(memcmp) >> diff --git a/arch/powerpc/lib/memcpy_64.S b/arch/powerpc/lib/memcpy_64.S >> index 273ea67e60a1..e9092a0e531a 100644 >> --- a/arch/powerpc/lib/memcpy_64.S >> +++ b/arch/powerpc/lib/memcpy_64.S >> @@ -18,7 +18,8 @@ >> #endif >> >> .align 7 >> -_GLOBAL_TOC(memcpy) >> +_GLOBAL_TOC(__memcpy) >> +KASAN_OVERRIDE(memcpy, __memcpy) >> BEGIN_FTR_SECTION >> #ifdef __LITTLE_ENDIAN__ >> cmpdi cr7,r5,0 >> diff --git a/arch/powerpc/lib/string.S b/arch/powerpc/lib/string.S >> index 4b41970e9ed8..09deaac6e5f1 100644 >> --- a/arch/powerpc/lib/string.S >> +++ b/arch/powerpc/lib/string.S >> @@ -16,7 +16,8 @@ >> >> /* This clears out any unused part of the destination buffer, >> just as the libc version does. -- paulus */ >> -_GLOBAL(strncpy) >> +_GLOBAL(__strncpy) >> +KASAN_OVERRIDE(strncpy, __strncpy) >> PPC_LCMPI 0,r5,0 >> beqlr >> mtctr r5 >> @@ -34,9 +35,10 @@ _GLOBAL(strncpy) >> 2: stbu r0,1(r6) /* clear it out if so */ >> bdnz 2b >> blr >> -EXPORT_SYMBOL(strncpy) >> +EXPORT_SYMBOL_NOKASAN(strncpy) >> >> -_GLOBAL(strncmp) >> +_GLOBAL(__strncmp) >> +KASAN_OVERRIDE(strncmp, __strncmp) >> PPC_LCMPI 0,r5,0 >> beq- 2f >> mtctr r5 >> @@ -52,9 +54,10 @@ _GLOBAL(strncmp) >> blr >> 2: li r3,0 >> blr >> -EXPORT_SYMBOL(strncmp) >> +EXPORT_SYMBOL_NOKASAN(strncmp) >> >> -_GLOBAL(memchr) >> +_GLOBAL(__memchr) >> +KASAN_OVERRIDE(memchr, __memchr) >> PPC_LCMPI 0,r5,0 >> beq- 2f >> mtctr r5 >> @@ -66,4 +69,4 @@ _GLOBAL(memchr) >> beqlr >> 2: li r3,0 >> blr >> -EXPORT_SYMBOL(memchr) >> +EXPORT_SYMBOL_NOKASAN(memchr) >> diff --git a/arch/powerpc/mm/Makefile b/arch/powerpc/mm/Makefile >> index 457c0ea2b5e7..d974f7bcb177 100644 >> --- a/arch/powerpc/mm/Makefile >> +++ b/arch/powerpc/mm/Makefile >> @@ -7,6 +7,8 @@ ccflags-$(CONFIG_PPC64) := $(NO_MINIMAL_TOC) >> >> CFLAGS_REMOVE_slb.o = $(CC_FLAGS_FTRACE) >> >> +KASAN_SANITIZE_fsl_booke_mmu.o := n >> + >> obj-y := fault.o mem.o pgtable.o mmap.o \ >> init_$(BITS).o pgtable_$(BITS).o \ >> init-common.o mmu_context.o drmem.o >> diff --git a/arch/powerpc/mm/kasan/Makefile b/arch/powerpc/mm/kasan/Makefile >> index 6577897673dd..f8f164ad8ade 100644 >> --- a/arch/powerpc/mm/kasan/Makefile >> +++ b/arch/powerpc/mm/kasan/Makefile >> @@ -3,3 +3,4 @@ >> KASAN_SANITIZE := n >> >> obj-$(CONFIG_PPC32) += kasan_init_32.o >> +obj-$(CONFIG_PPC_BOOK3E_64) += kasan_init_book3e_64.o >> diff --git a/arch/powerpc/mm/kasan/kasan_init_book3e_64.c >> b/arch/powerpc/mm/kasan/kasan_init_book3e_64.c >> new file mode 100644 >> index 000000000000..93b9afcf1020 >> --- /dev/null >> +++ b/arch/powerpc/mm/kasan/kasan_init_book3e_64.c >> @@ -0,0 +1,53 @@ >> +// SPDX-License-Identifier: GPL-2.0 >> + >> +#define DISABLE_BRANCH_PROFILING >> + >> +#include <linux/kasan.h> >> +#include <linux/printk.h> >> +#include <linux/memblock.h> >> +#include <linux/sched/task.h> >> +#include <asm/pgalloc.h> >> + >> +DEFINE_STATIC_KEY_FALSE(powerpc_kasan_enabled_key); >> +EXPORT_SYMBOL(powerpc_kasan_enabled_key); >> +unsigned char kasan_zero_page[PAGE_SIZE] __page_aligned_bss; >> + >> +static void __init kasan_init_region(struct memblock_region *reg) >> +{ >> + void *start = __va(reg->base); >> + void *end = __va(reg->base + reg->size); >> + unsigned long k_start, k_end, k_cur; >> + >> + if (start >= end) >> + return; >> + >> + k_start = (unsigned long)kasan_mem_to_shadow(start); >> + k_end = (unsigned long)kasan_mem_to_shadow(end); >> + >> + for (k_cur = k_start; k_cur < k_end; k_cur += PAGE_SIZE) { >> + void *va = memblock_alloc(PAGE_SIZE, PAGE_SIZE); >> + map_kernel_page(k_cur, __pa(va), PAGE_KERNEL); >> + } >> + flush_tlb_kernel_range(k_start, k_end); >> +} >> + >> +void __init kasan_init(void) >> +{ >> + struct memblock_region *reg; >> + >> + for_each_memblock(memory, reg) >> + kasan_init_region(reg); >> + >> + /* map the zero page RO */ >> + map_kernel_page((unsigned long)kasan_zero_page, >> + __pa(kasan_zero_page), >> PAGE_KERNEL_RO); >> + >> + kasan_init_tags(); >> + >> + /* Turn on checking */ >> + static_branch_inc(&powerpc_kasan_enabled_key); >> + >> + /* Enable error messages */ >> + init_task.kasan_depth = 0; >> + pr_info("KASAN init done (64-bit Book3E)\n"); >> +} >> diff --git a/arch/powerpc/purgatory/Makefile >> b/arch/powerpc/purgatory/Makefile >> index 4314ba5baf43..7c6d8b14f440 100644 >> --- a/arch/powerpc/purgatory/Makefile >> +++ b/arch/powerpc/purgatory/Makefile >> @@ -1,4 +1,7 @@ >> # SPDX-License-Identifier: GPL-2.0 >> + >> +KASAN_SANITIZE := n >> + >> targets += trampoline.o purgatory.ro kexec-purgatory.c >> >> LDFLAGS_purgatory.ro := -e purgatory_start -r --no-undefined >> diff --git a/arch/powerpc/xmon/Makefile b/arch/powerpc/xmon/Makefile >> index 878f9c1d3615..064f7062c0a3 100644 >> --- a/arch/powerpc/xmon/Makefile >> +++ b/arch/powerpc/xmon/Makefile >> @@ -6,6 +6,7 @@ subdir-ccflags-y := $(call cc-disable-warning, >> builtin-requires-header) >> >> GCOV_PROFILE := n >> UBSAN_SANITIZE := n >> +KASAN_SANITIZE := n >> >> # Disable ftrace for the entire directory >> ORIG_CFLAGS := $(KBUILD_CFLAGS) >> -- >> 2.19.1 >> >> -- >> You received this message because you are subscribed to the Google Groups >> "kasan-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to kasan-dev+unsubscr...@googlegroups.com. >> To post to this group, send email to kasan-...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/kasan-dev/20190215000441.14323-6-dja%40axtens.net. >> For more options, visit https://groups.google.com/d/optout.