Re: Sources of initialized memory in virtio?

On 2018年09月13日 21:00, Alexander Potapenko wrote:
Hi mighty virtio maintainers,

I'm working on KMSAN, a new runtime detector of uninitialized memory
based on compiler instrumentation (https://github.com/google/kmsan).
KMSAN is mostly being tested on QEMU with KVM enabled, so my kernel
interacts a lot with various virtio drivers; that's why I'm seeking
your help.

By default KMSAN treats kernel memory allocated by kmalloc() and
alloc_page() as uninitialized. Writing a constant to memory or using
it in copy_from_user() makes that memory initialized.
Unfortunately a lot of writes to memory from KVM (mostly in the disk
and network drivers) remain unnoticed by the tool; therefore we're
seeing a lot of false positive reports (along with actual bugs, like
CVE-2018-1118).

KMSAN has an API function `kmsan_unpoison_shadow(void *buf, int len)`,
which means "from now on, till this memory is freed or written to,
mark it as initialized".
I've tried playing Whack-a-Mole adding it to various places where the
data comes from KVM, but failed to find them all. In fact, some of my
annotations were wrong, so I ended up with the following two patches:

https://github.com/google/kmsan/commit/76c671199a4de5bbe73cd13210a5e28848211bd1
https://github.com/google/kmsan/commit/40ba1c8e2a3c6bbe8f34037413e253894251a405

But I'm far from being sure this is the complete list of places where
the memory is initialized by virtio drivers.
May I ask you to help me find the places where we actually need to
annotate the memory in virtio?

It looks to me like another one is the used ring, where the device writes back the completed descriptor id and length. It (vr->used) was part of a page that was allocated in vring_alloc_queue() through alloc_pages_exact() with __GFP_ZERO. So I'm not sure we need to care about it.

Thanks


Thanks in advance,
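The distinction the reply draws (a __GFP_ZERO allocation is already initialized, while a device-filled buffer from plain kmalloc() stays a false positive until kmsan_unpoison_shadow() is applied) can be shown with a small userspace model of KMSAN's shadow memory. This is an added illustration, not KMSAN's or virtio's code; the pool, the model_* helpers and device_filled_poisoned() are hypothetical names, and the 4-byte "completion" written by the device is a constructed sample.

```c
#include <stdint.h>
#include <string.h>
#define POOL 64
static uint8_t data[POOL];   /* modelled kernel memory */
static uint8_t shadow[POOL]; /* 1 = uninitialized as far as KMSAN knows */

/* kmalloc()/alloc_pages_exact() model: fresh memory is poisoned unless
 * __GFP_ZERO was passed, whose zeroing counts as an initializing write. */
static uint8_t *model_alloc(size_t off, size_t len, int gfp_zero)
{
    memset(shadow + off, gfp_zero ? 0 : 1, len);
    if (gfp_zero)
        memset(data + off, 0, len);
    return data + off;
}

/* Device/KVM write: bypasses instrumentation, so the shadow is untouched. */
static void device_write(uint8_t *p, const uint8_t *src, size_t len)
{
    memcpy(p, src, len);
}

/* kmsan_unpoison_shadow() model: mark [buf, buf+len) as initialized. */
static void model_unpoison(void *buf, int len)
{
    memset(shadow + ((uint8_t *)buf - data), 0, len);
}

/* Number of bytes KMSAN would report if the kernel read this range now. */
static int poisoned_bytes(const void *buf, int len)
{
    int n = 0;
    for (int i = 0; i < len; i++)
        n += shadow[((const uint8_t *)buf - data) + i];
    return n;
}

/* A 16-byte ring slot the device fills: the used ring case is gfp_zero=1
 * (no annotation needed); a plain kmalloc'd rx buffer is gfp_zero=0 and
 * stays a false positive until kmsan_unpoison_shadow() is applied. */
static int device_filled_poisoned(int gfp_zero, int annotated)
{
    uint8_t *slot = model_alloc(0, 16, gfp_zero);
    const uint8_t done[4] = {7, 0, 64, 0}; /* constructed id/len written back */
    device_write(slot, done, sizeof done);
    if (annotated)
        model_unpoison(slot, 16);
    return poisoned_bytes(slot, 16);       /* 16 only if !gfp_zero && !annotated */
}
```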



