Bug 218295 - KASAN (hw-tags): fix false-positive with shared userspace/kernel mapping
Summary: KASAN (hw-tags): fix false-positive with shared userspace/kernel mapping
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers (show other bugs)
Hardware: All Linux
: P3 normal
Assignee: MM/Sanitizers virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-20 22:47 UTC by Andrey Konovalov
Modified: 2023-12-20 22:47 UTC (History)
1 user (show)

See Also:
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Reproducer (1.64 KB, text/x-csrc)
2023-12-20 22:47 UTC, Andrey Konovalov 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Andrey Konovalov 2023-12-20 22:47:21 UTC 
Created attachment 305636 [details]
Reproducer

syzbot reported a false-positive in HW_TAGS KASAN:

https://syzkaller.appspot.com/bug?extid=64b0f633159fde08e1f1

If a userspace application attempts to create a non-anonymous mapping (by calling mmap on an fd) with PROT_MTE, tags on the kernel memory that should be mapped to userspace get incorrectly reset. And even though the mapping is rejected (as non-anonymous mappings with PROT_MTE are not allowed), the kernel can still trigger tag mismatches if it accesses the memory after the failed mapping attempt.

See more details and a potential solution approach here:

https://lore.kernel.org/linux-arm-kernel/CA+fCnZdeMfx4Y-+tNcnDzNYj6fJ9pFMApLQD93csftCFV7zSow@mail.gmail.com/t/#u

The problem only happens if a userspace application attempts to create a non-anonymous mapping with PROT_MTE, which normal userspace applications should not normally do.

A slightly cleaned-up reproducer for the issue is attached.
Note You need to log in before you can comment on or make changes to this bug.