On Tue, Feb 25, 2025 at 9:13 PM Maciej Wieczor-Retman <maciej.wieczor-retman@xxxxxxxxx> wrote: > > >>Thanks for letting me know about the tag resets, that should make changing the > >>check in kasan_non_canonical_hook() easier. > > > >Ah, but the [0xff00000000000000, 0xffffffffffffffff] won't be true for x86 > >right? Here the tag reset function only resets bits 60:57. So I presume > >[0x3e00000000000000, 0xffffffffffffffff] would be the range? > > Sorry, brain freeze, I meant [0x1e00000000000000, 0xffffffffffffffff] +Vitaly, who implemented [1] Ah, so when the compiler calculates the shadow memory address on x86, it does | 0x7E (== 0x3F << 1) [2] for when CompileKernel == true, because LAM uses bits [62:57], I see. What value can bit 63 and take for _valid kernel_ pointers (on which KASAN is intended to operate)? If it is always 1, we could arguably change the compiler to do | 0xFE for CompileKernel. Which would leave us with only one region to check: [0xfe00000000000000, 0xffffffffffffffff]. But I don't know whether changing the compiler makes sense: it technically does as instructed by the LAM spec. (Vitaly, any thoughts? For context: we are discussing how to check whether a pointer can be a result of a memory-to-shadow mapping applied to a potentially invalid pointer in kernel HWASAN.) With the way the compiler works right now, for the perfectly precise check, I think we need to check 2 ranges: [0xfe00000000000000, 0xffffffffffffffff] for when bit 63 is set (of a potentially-invalid pointer to which memory-to-shadow mapping is to be applied) and [0x7e00000000000000, 0x7fffffffffffffff] for when bit 63 is reset. Bit 56 ranges through [0, 1] in both cases. However, in these patches, you use only bits [60:57]. The compiler is not aware of this, so it still sets bits [62:57], and we end up with the same two ranges. But in the KASAN code, you only set bits [60:57], and thus we can end up with 8 potential ranges (2 possible values for each of the top 3 bits), which gets complicated. So checking only one range that covers all of them seems to be reasonable for simplicity even though not entirely precise. And yes, [0x1e00000000000000, 0xffffffffffffffff] looks like the what we need. [1] https://github.com/llvm/llvm-project/commit/cb6099ba43b9262a317083858a29fd31af7efa5c [2] https://github.com/llvm/llvm-project/blob/llvmorg-20-init/llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp#L1259
