Pager with address sanitizer #1856
Conversation
There was a problem hiding this comment.
Commit "core: arm: kern.ld.S: put constructors in init":
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Commit " core: generic boot: tag paging access"
request changes. see comments.
Others: Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
despite few minor comments.
Also commit "core; add MEM_AREA_TEE_ASAN": s/;/:/ + some comment on asan/emul_rsam.
Comment
core/arch/arm/mm/tee_pager.c
Outdated
|
|
||
| if (!size) | ||
| return NULL; | ||
|
|
||
| mm = tee_mm_alloc(&tee_mm_vcore, ROUNDUP(size, SMALL_PAGE_SIZE)); | ||
| if (!mm) | ||
| return NULL; | ||
| bytes = tee_mm_get_bytes(mm); | ||
|
|
||
| tee_pager_add_core_area(tee_mm_get_smem(mm), bytes, f, NULL, NULL); |
There was a problem hiding this comment.
minor :
smem = tee_mm_get_smem(mm);
bytes = tee_mm_get_bytes(mm);
tee_pager_add_core_area(smem, bytes, f, NULL, NULL);
asan_tag_access(smem, smem + bytes);
return smem;
core/arch/arm/kernel/generic_boot.c
Outdated
| static void init_vcore(tee_mm_pool_t *mm_vcore) | ||
| { | ||
| vaddr_t begin = TEE_RAM_VA_START; | ||
| vaddr_t end = TEE_RAM_VA_START + CFG_TEE_RAM_VA_SIZE; |
core/arch/arm/kernel/generic_boot.c
Outdated
| vaddr_t end = TEE_RAM_VA_START + CFG_TEE_RAM_VA_SIZE; | ||
|
|
||
| #ifdef CFG_CORE_SANITIZE_KADDRESS | ||
| if (end > ASAN_SHADOW_PA) |
There was a problem hiding this comment.
comment: /* carveout asan memory, flat maped after core memory */
core/arch/arm/kernel/generic_boot.c
Outdated
| asan_tag_access((void *)VCORE_INIT_RO_PA, | ||
| (void *)(VCORE_INIT_RO_PA + VCORE_INIT_RO_SZ)); | ||
| asan_tag_access(__rodata_pageable_start, __rodata_pageable_end); | ||
| #else |
There was a problem hiding this comment.
tagging INIT_RX and text_pageable is unconditional
There was a problem hiding this comment.
Hmm, it seems everything could be reduced to
asan_tag_access(__pageable_start, __pageable_end);
There was a problem hiding this comment.
ok when no RONOEXE. Else there are holes in due to rx/ro split.
core/arch/arm/kernel/generic_boot.c
Outdated
| #else | ||
| asan_tag_access((void *)VCORE_INIT_RX_PA, | ||
| (void *)(VCORE_INIT_RX_PA + VCORE_INIT_RX_SZ)); | ||
| asan_tag_access(__rodata_pageable_start, __text_pageable_end); |
core/arch/arm/kernel/generic_boot.c
Outdated
| #ifdef CFG_CORE_SANITIZE_KADDRESS | ||
| static void carve_out_asan_mem(tee_mm_pool_t *pool) | ||
| { | ||
| size_t s = pool->hi - pool->lo; |
core/arch/arm/kernel/generic_boot.c
Outdated
|
|
||
| /* | ||
| * Need tee_mm_sec_ddr initialized to be able to allocate secure | ||
| * DDR below. | ||
| */ | ||
| teecore_init_ta_ram(); | ||
|
|
||
| #ifdef CFG_CORE_SANITIZE_KADDRESS | ||
| carve_out_asan_mem(&tee_mm_sec_ddr); | ||
| #endif |
There was a problem hiding this comment.
minor: suggest to remove the #ifdef and use a empty definition.
|
Comments addressed, some discovered problems addressed. |
core/arch/arm/kernel/generic_boot.c
Outdated
| #ifdef CFG_WITH_PAGER | ||
| asan_tag_access(__pageable_start, __pageable_end); | ||
| #endif /*CFG_WITH_PAGER*/ | ||
| asan_tag_access(__nozi_start, __nozi_end); |
There was a problem hiding this comment.
note: this change discards the asan_tag_access() on exidx and extab sections. Seems unwinding related. These do not need a manual access tagging ?
There was a problem hiding this comment.
Thanks, I'll fix
core/arch/arm/kernel/generic_boot.c
Outdated
| * ASAN buffer is overlapping with the end of the | ||
| * pool. | ||
| */ | ||
| asz = apa - pool->hi; |
core/arch/arm/kernel/generic_boot.c
Outdated
| */ | ||
| asz = apa - pool->hi; | ||
| } | ||
| } |
There was a problem hiding this comment.
do we need to assert asan map is not fully overlapping the target pool ?
assert(apa >= pool.lo || (apa + asz) <= pool->hi);
(unlikely to happen)
There was a problem hiding this comment.
That's taking it a bit too far in my opinion.
core/arch/arm/kernel/generic_boot.c
Outdated
| static void init_vcore(tee_mm_pool_t *mm_vcore) | ||
| { | ||
| vaddr_t begin = TEE_RAM_VA_START; | ||
| vaddr_t end = TEE_RAM_VA_START + CFG_TEE_RAM_VA_SIZE; |
There was a problem hiding this comment.
minor: trailing space. add const to begin definition.
|
Comments addressed |
core/arch/arm/mm/core_mmu.c
Outdated
| #endif /*CFG_WITH_PAGER*/ | ||
| #else /*!CFG_CORE_RWDATA_NOEXEC*/ | ||
| register_phys_mem(MEM_AREA_TEE_RAM, CFG_TEE_RAM_START, CFG_TEE_RAM_PH_SIZE); | ||
| #endif /*!CFG_CORE_RWDATA_NOEXEC*/ | ||
|
|
||
| #if defined(CFG_CORE_SANITIZE_KADDRESS) && defined(CFG_WITH_PAGER) | ||
| register_phys_mem(MEM_AREA_TEE_ASAN, ASAN_MAP_PA, ASAN_MAP_SZ); |
There was a problem hiding this comment.
A comment to state /* Asan ram is part of MEM_AREA_TEE_RAM_RW when pager is disable */
| { | ||
| panic(); |
There was a problem hiding this comment.
no kind of panicking ?
There was a problem hiding this comment.
No, it's not entirely clear to me what we're supposed to do here. The Linux kernel does nothing though.
core/arch/arm/mm/core_mmu.c
Outdated
| #endif /*!CFG_CORE_RWDATA_NOEXEC*/ | ||
|
|
||
| #if defined(CFG_CORE_SANITIZE_KADDRESS) && defined(CFG_WITH_PAGER) | ||
| register_phys_mem(MEM_AREA_TEE_ASAN, ASAN_MAP_PA, ASAN_MAP_SZ); |
There was a problem hiding this comment.
A comment to state /* Asan ram is part of MEM_AREA_TEE_RAM_RW when pager is disable */ ?
|
Update |
|
Ping? |
|
Typo in generic_boot.c. |
core/arch/arm/kernel/generic_boot.c
Outdated
| return; | ||
|
|
||
| /* Reserve the shadow area */ | ||
| if (!core_is_buffer_inside(asz, asz, pool->lo, s)) { |
There was a problem hiding this comment.
typo on 1st arg: s/asz/apa.
Fixes set_alias_area() to only take the supplied area, prior to this the final page would have been included too. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Adds MEM_AREA_TEE_ASAN which is used when pager is enabled to map the memory used by the address sanitizer if enabled. Currently this only works in configurations with the pager where emulated SRAM is used. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Provides asan_memcpy_unchecked() which does a memcpy() that isn't checked against the tagging in the ASAN shadow area. If ASAN isn't enabled it's replaced by a direct call to memcpy(). Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Makes sure that constructor functions are in the init section to be available during initialization of OP-TEE. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tag temporary or allocated memory ranges to allow new accesses. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Makes sure that __asan_register_globals is available during init. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Carves out address sanitizer range used for bookkeeping. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tags paged stacks as accessible. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Moves the section covered by #ifdef CFG_CORE_SANITIZE_KADDRESS to above the #ifdef CFG_WITH_PAGER section to be able to later initialize address sanitizer with pager enabled. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
When pager is enabled tag needed ranges accordingly. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Enables address sanitizer when pager is enabled. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
jenswi-linaro
force-pushed
the
pager_asan
branch
from
ce7eed5
to
1b0d5a9
Compare
|
Rebased, tags applied |
|
There is one long line in the commit description of "qemu_virt: fix memory configuration". Can you fix it please? |
Fixes memory configuration inconsistency introduced with the coherent memory area for QEMU virt with pager enabled. Fixes: 5402a9f ("qemu_virt: enable smp boot") Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Fixes version-o-cflags by adding $(cflagscore) to make sure that the address sanitizer flags are used for this object file too. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
asan_tag_access() should ignore null ranges to make tagging of areas easier. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
It seems __asan_handle_no_return() isn't called when a __noreturn function returns, instead it's called before the function is called. So empty the __asan_handle_no_return() function to let __noreturn function be called. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
jenswi-linaro
force-pushed
the
pager_asan
branch
from
1b0d5a9
to
b8fb11c
Compare
|
Updated |
|
Thanks |
No description provided.