kasan: Create a shadow for the bootstack prior to hammer_time()
ClosedPublic
Actions

Authored by markj on Jun 10 2022, 6:39 PM.

Details

Reviewers

mhorne
kib

Commits

rG756bc3adc578: kasan: Create a shadow for the bootstack prior to hammer_time()

Summary

When the kernel is compiled with -asan-stack=true, the address sanitizer
will emit inline accesses to the shadow map. In other words, some
shadow map accesses are not intercepted by the KASAN runtime, so they
cannot be disabled even if the runtime is not yet initialized by
kasan_init() at the end of hammer_time().

This went unnoticed because the loader will initialize all PML4 entries
of the bootstrap page table to point to the same PDP page, so early
shadow map accesses do not raise a page fault, though they are silently
corrupting memory. In fact, when the loader does not copy the staging
area, we do get a page fault since in that case only the first and last
PML4Es are populated by the loader. But due to another bug, the loader
always treated KASAN kernels as non-relocatable and thus always copied
the staging area.

It is not really practical to annotate hammer_time() and all callees
with __nosanitizeaddress, so instead add some early initialization which
creates a shadow for the boot stack used by hammer_time(). This is only
needed by KASAN, not by KMSAN, but the shared pmap code handles both.

Reported by: mhorne

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Jun 10 2022, 6:39 PM

Herald added a subscriber: imp. · View Herald TranscriptJun 10 2022, 6:39 PM

markj requested review of this revision.Jun 10 2022, 6:39 PM

Harbormaster completed remote builds in B45935: Diff 106825.Jun 10 2022, 6:39 PM

markj added a parent revision: D35448: loader: Relax the check in is_kernphys_relocatable().Jun 10 2022, 6:39 PM

kib added inline comments.Jun 11 2022, 9:50 AM

sys/amd64/amd64/locore.S
85	I think, if you move these two lines right before `call hammer_time`, you can avoid saving/restoring %rdi and %rsi in KASAN block. IMO this makes the asm less convoluted.
sys/amd64/amd64/pmap.c
11437	I think a short comment explaining formulas would be helpful there.
11471	I do not believe that the masking is needed there. PCID is only turned on later. Am I wrong?
11479	May be make a helper function for use both there and at the beginning of hammer_time(), where kernphys is calculated? It would be marked with __nosanitize* of course.