From nobody Thu Jul 27 20:12:58 2023 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RBhll1J2Sz4pdVm; Thu, 27 Jul 2023 20:12:59 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RBhlb0vD3z3MyZ; Thu, 27 Jul 2023 20:12:59 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1690488779; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cm8J6Nokqon347A5332kO5D4V4MYseFZ11z7FwPmNSU=; b=yM3NIKc8jiCSNCz5cJY615b67m5NU3A/id5i/sVK1uWwdQjwTMCQCtDD3Xg+epqbsRd4v7 035xU9hO+WefNGC3FUjTHX9WtYFdPNOa/Rz1ePzgJ8iGNu2hrEcZjt+4xxmbyHp8XauxRx VMtLcwjKDp1tbaU2FP4sLM7cZCnHWPsvn+Q2H76P5Z/G0K/sKeRm42Ln0/BSxDhOdy+en5 JdnHrwptZsXT/7/y/7TycevJd3VEw9lO0w2JsYOfU0CU/EUmujgApq3QATd7DbmF0JetYc bTmO+yc3U3PC1pPxd3SEdrvnorrBdRe5xZTPZ+I9O2/2wY4IDEU/iHscyxzUXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1690488779; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cm8J6Nokqon347A5332kO5D4V4MYseFZ11z7FwPmNSU=; b=t9r3EIFM24cRapfH3AyY/SWcphXKXhYKktSjaiq7pNBxrApC5vZGemdKjabaiT/tBRCMNM 2yKFcAD/09SUtMf/w9ODkcZ/S+9huC6IeA6w0TVRyzHn9Tb3UlIl3ADrC5pIZ2hHA6IOsj INU/Rlk0ewAB/DOdk99X8yQs888iZgy1KsooHY9xD6NUceP8BgsotHgyRvlRn4eQ/dfgCE UEcAJ04OxPFezSD3CsBpdHzgREMrZ4yIS91tzGHYj0IvHmql6TVgxjV8tdmbA92y3Bd+vG eaXxlcPRGwLzxYmoJHiVcAU2B4aN1NcbBrDTA0pfK0w/vSwyM0bxiOjQluAXXA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1690488779; a=rsa-sha256; cv=none; b=ZqWlOPzQ+ZXHTECTAZkayu9y2YpOnYBhS1rxA45OzuDndm3Si33DJwJCCwI8U6Abm002fv wDVD9MM6ZnpUTF5FYMQ6XGueSHjuHZI/jtBMfGyFoy9xJB4LEiWh+fP5aGnPihRw87nHM0 EvYSK92m4ZbNErHq5UuNDjpwxr2VKb/HU7qgTNO7gHU9hZ8L63ONSoppG+UCTe4h6DoWZa bBsPh/P13vaB+lHWQvw9+iJNr5OS2cfRXzmP0PTeaL/rHz+m4k5s1xxtKl+uCBtZq8MKU2 kplWpHhXNSB6vyXIImZ+dO2az4Cae5kZ8/Uh2RDxi/sjg23BPOo/SOWfzxZrcA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RBhlZ6tz9zNv0; Thu, 27 Jul 2023 20:12:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 36RKCwsP087696; Thu, 27 Jul 2023 20:12:58 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 36RKCwA6087695; Thu, 27 Jul 2023 20:12:58 GMT (envelope-from git) Date: Thu, 27 Jul 2023 20:12:58 GMT Message-Id: <202307272012.36RKCwA6087695@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Mark Johnston Subject: git: ca6cd604c8fc - main - kmsan: Use the correct origin bytes in kmsan_check_arg() List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: ca6cd604c8fcfc27c6468c620a7bee518ca02cde Auto-Submitted: auto-generated The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=ca6cd604c8fcfc27c6468c620a7bee518ca02cde commit ca6cd604c8fcfc27c6468c620a7bee518ca02cde Author: Mark Johnston AuthorDate: 2023-07-17 13:34:57 +0000 Commit: Mark Johnston CommitDate: 2023-07-27 20:02:03 +0000 kmsan: Use the correct origin bytes in kmsan_check_arg() Upon discovering a violation kmsan_check_arg() passes a pointer to function parameter shadow state to kmsan_report_hook(). kmsan_report_hook() uses that address to find the origin cells, assuming that the passed address belongs to the kernel map. This has two problems: 1) Function parameter origin state is also located in TLS, not in the origin map, but kmsan_report_hook() doesn't know this. 2) KMSAN TLS for thread0 is statically allocated and thus isn't shadowed (because the kernel itself is not shadowed). These bugs could result in inaccuracies in KMSAN reports, or a page fault when trying to report a KMSAN violation (which by default panics the kernel anyway). Fix the problem by making callers of kmsan_report_hook() provide a pointer to origin cells. Sponsored by: The FreeBSD Foundation --- sys/kern/subr_msan.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/sys/kern/subr_msan.c b/sys/kern/subr_msan.c index ba625a5405c5..debbcb56af2a 100644 --- a/sys/kern/subr_msan.c +++ b/sys/kern/subr_msan.c @@ -165,9 +165,9 @@ kmsan_orig_name(int type) } static void -kmsan_report_hook(const void *addr, size_t size, size_t off, const char *hook) +kmsan_report_hook(const void *addr, msan_orig_t *orig, size_t size, size_t off, + const char *hook) { - msan_orig_t *orig; const char *typename; char *var, *fn; uintptr_t ptr; @@ -181,9 +181,6 @@ kmsan_report_hook(const void *addr, size_t size, size_t off, const char *hook) kmsan_reporting = true; __compiler_membar(); - orig = (msan_orig_t *)kmsan_md_addr_to_orig((vm_offset_t)addr); - orig = (msan_orig_t *)((uintptr_t)orig & MSAN_ORIG_MASK); - if (*orig == 0) { REPORT("MSan: Uninitialized memory in %s, offset %zu", hook, off); @@ -363,6 +360,7 @@ kmsan_meta_copy(void *dst, const void *src, size_t size) static inline void kmsan_shadow_check(uintptr_t addr, size_t size, const char *hook) { + msan_orig_t *orig; uint8_t *shad; size_t i; @@ -375,7 +373,9 @@ kmsan_shadow_check(uintptr_t addr, size_t size, const char *hook) for (i = 0; i < size; i++) { if (__predict_true(shad[i] == 0)) continue; - kmsan_report_hook((const char *)addr + i, size, i, hook); + orig = (msan_orig_t *)kmsan_md_addr_to_orig((vm_offset_t)&shad[i]); + orig = (msan_orig_t *)((uintptr_t)orig & MSAN_ORIG_MASK); + kmsan_report_hook((const char *)addr + i, orig, size, i, hook); break; } } @@ -413,21 +413,24 @@ kmsan_init_ret(size_t n) static void kmsan_check_arg(size_t size, const char *hook) { + msan_orig_t *orig; msan_td_t *mtd; uint8_t *arg; - size_t i; + size_t ctx, i; if (__predict_false(!kmsan_enabled)) return; if (__predict_false(curthread == NULL)) return; mtd = curthread->td_kmsan; - arg = mtd->tls[mtd->ctx].param_shadow; + ctx = mtd->ctx; + arg = mtd->tls[ctx].param_shadow; for (i = 0; i < size; i++) { if (__predict_true(arg[i] == 0)) continue; - kmsan_report_hook((const char *)arg + i, size, i, hook); + orig = &mtd->tls[ctx].param_origin[i / sizeof(msan_orig_t)]; + kmsan_report_hook((const char *)arg + i, orig, size, i, hook); break; } }