Bug 218295

Summary: KASAN (hw-tags): fix false-positive with shared userspace/kernel mapping
Product: Memory Management
Reporter: Andrey Konovalov (andreyknvl)
Component: Sanitizers
Assignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: NEW
Severity: normal
CC: kasan-dev
Priority: P3
Hardware: All
OS: Linux
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:
Attachments: Reproducer

Description Andrey Konovalov 2023-12-20 22:47:21 UTC
Created attachment 305636: Reproducer

syzbot reported a false-positive in HW_TAGS KASAN:

https://syzkaller.appspot.com/bug?extid=64b0f633159fde08e1f1

If a userspace application attempts to create a non-anonymous mapping (by calling mmap on an fd) with PROT_MTE, tags on the kernel memory that should be mapped to userspace get incorrectly reset. And even though the mapping is rejected (as non-anonymous mappings with PROT_MTE are not allowed), the kernel can still trigger tag mismatches if it accesses the memory after the failed mapping attempt.

See more details and a potential solution approach here:

https://lore.kernel.org/linux-arm-kernel/CA+fCnZdeMfx4Y-+tNcnDzNYj6fJ9pFMApLQD93csftCFV7zSow@mail.gmail.com/t/#u

The problem only happens if a userspace application attempts to create a non-anonymous mapping with PROT_MTE, which normal userspace applications should not normally do.

A slightly cleaned-up reproducer for the issue is attached.