On Thu, Jun 28, 2018 at 12:51 PM, Dave Martin <Dave.Martin@xxxxxxx> wrote:
> On Tue, Jun 26, 2018 at 03:15:10PM +0200, Andrey Konovalov wrote:
>> 1. By using the Top Byte Ignore arm64 CPU feature, we can store pointer
>> tags in the top byte of each kernel pointer.
>
> [...]
>
> This is a change from the current situation, so the kernel may be
> making implicit assumptions about the top byte of kernel addresses.
>
> Randomising the top bits may cause things like address conversions and
> pointer arithmetic to break.
>
> For example, (q - p) will not produce the expected result if q and p
> have different tags.

If q and p have different tags, that means they come from different
allocations. I don't think it would make sense to calculate pointer
difference in this case.

> Conversions, such as between pointer and pfn, may also go wrong if not
> appropriately masked.
>
> There are also potential pointer comparison and aliasing issues if
> the tag bits are ever stripped or modified.
>
>
> What was your approach to tracking down all the points in the code
> where we have a potential issue?

I've been fuzzing the kernel built with KHWASAN with syzkaller. This gives
a decent coverage and I was able to find some places where fixups were
required this way. Right now the fuzzer is running without issues. It
doesn't prove that all such places are fixed, but I don't know a better way
to test this.
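The two failure modes Dave raises above (pointer difference across tags, and pointer-to-pfn conversion without masking) can be reproduced in plain user-space C by simulating the tag in bits 63..56 of a `uintptr_t`. The following is an added illustration written for this thread, not code from the KHWASAN patch series or the arm64 tree; it runs on any 64-bit host because it only does integer arithmetic and never dereferences the tagged values. The address `0xffff000012345000`, the tags `0x2a`/`0x7b` and the 4 KiB page size are constructed for the example, and `untag()` is a stand-in for the kernel's untagging helper (it restores the top byte to `0xff` for kernel addresses, i.e. sign-extends from bit 55).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simulated TBI layout: the tag occupies the top byte of the address. */
#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)
#define PAGE_SHIFT 12          /* 4 KiB pages, constructed for the example */

/* Replace the top byte with a tag (what a tagging allocator would do). */
static uintptr_t set_tag(uintptr_t addr, uint8_t tag)
{
    return (addr & ~TAG_MASK) | ((uintptr_t)tag << TAG_SHIFT);
}

static uint8_t get_tag(uintptr_t addr)
{
    return (uint8_t)(addr >> TAG_SHIFT);
}

/* Stand-in for an untagging helper: sign-extend from bit 55, so kernel
 * addresses (bit 55 set) get their 0xff top byte back and user addresses
 * get 0x00. No UB: plain mask/or on an unsigned value. */
static uintptr_t untag(uintptr_t addr)
{
    if (addr & (1ULL << 55))
        return addr | TAG_MASK;
    return addr & ~TAG_MASK;
}

/* Naive difference: only meaningful when both operands carry the same tag. */
static ptrdiff_t naive_diff(uintptr_t q, uintptr_t p)
{
    return (ptrdiff_t)(q - p);
}

/* Tag-aware difference: strip tags first, then subtract. */
static ptrdiff_t masked_diff(uintptr_t q, uintptr_t p)
{
    return (ptrdiff_t)(untag(q) - untag(p));
}

/* A check a debug build could apply before subtracting two pointers. */
static int same_tag(uintptr_t q, uintptr_t p)
{
    return get_tag(q) == get_tag(p);
}

/* Address -> page frame number, without and with masking. Without masking
 * the tag bits land in the high bits of the pfn. */
static uintptr_t addr_to_pfn_naive(uintptr_t a)
{
    return a >> PAGE_SHIFT;
}

static uintptr_t addr_to_pfn_masked(uintptr_t a)
{
    return untag(a) >> PAGE_SHIFT;
}

int main(void)
{
    const uintptr_t base = 0xffff000012345000ULL;   /* constructed */
    uintptr_t p  = set_tag(base,        0x2a);
    uintptr_t q1 = set_tag(base + 0x40, 0x2a);      /* same tag as p  */
    uintptr_t q2 = set_tag(base + 0x40, 0x7b);      /* different tag  */

    printf("same tag:   naive %td  masked %td\n",
           naive_diff(q1, p), masked_diff(q1, p));
    printf("mixed tags: naive %td  masked %td  same_tag=%d\n",
           naive_diff(q2, p), masked_diff(q2, p), same_tag(q2, p));
    printf("pfn: naive 0x%lx  masked 0x%lx\n",
           (unsigned long)addr_to_pfn_naive(p),
           (unsigned long)addr_to_pfn_masked(p));
    return 0;
}
```

With equal tags the naive subtraction yields the expected 0x40; with different tags it yields a value with `0x51` in the top byte, which is the "does not produce the expected result" case, while `masked_diff` and `same_tag` show the two defensive options: mask before arithmetic, or refuse to subtract pointers whose tags differ. The pfn conversion shows why every pointer-to-integer conversion needs the same masking.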