patches/old/security-kmsan-fix-interoperability-with-auto-initialization.patch - pub/scm/linux/kernel/git/akpm/25-new - Git at Google

 From: Alexander Potapenko <glider@google.com>
 Subject: security: kmsan: fix interoperability with auto-initialization
 Date: Thu, 15 Sep 2022 17:04:04 +0200

 Heap and stack initialization is great, but not when we are trying uses of
 uninitialized memory.  When the kernel is built with KMSAN, having kernel
 memory initialization enabled may introduce false negatives.

 We disable CONFIG_INIT_STACK_ALL_PATTERN and CONFIG_INIT_STACK_ALL_ZERO
 under CONFIG_KMSAN, making it impossible to auto-initialize stack
 variables in KMSAN builds.  We also disable
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON and CONFIG_INIT_ON_FREE_DEFAULT_ON to
 prevent accidental use of heap auto-initialization.

 We however still let the users enable heap auto-initialization at
 boot-time (by setting init_on_alloc=1 or init_on_free=1), in which case a
 warning is printed.

 Link: https://lkml.kernel.org/r/20220915150417.722975-31-glider@google.com
 Signed-off-by: Alexander Potapenko <glider@google.com>
 Cc: Alexander Viro <viro@zeniv.linux.org.uk>
 Cc: Alexei Starovoitov <ast@kernel.org>
 Cc: Andrey Konovalov <andreyknvl@gmail.com>
 Cc: Andrey Konovalov <andreyknvl@google.com>
 Cc: Andy Lutomirski <luto@kernel.org>
 Cc: Arnd Bergmann <arnd@arndb.de>
 Cc: Borislav Petkov <bp@alien8.de>
 Cc: Christoph Hellwig <hch@lst.de>
 Cc: Christoph Lameter <cl@linux.com>
 Cc: David Rientjes <rientjes@google.com>
 Cc: Dmitry Vyukov <dvyukov@google.com>
 Cc: Eric Biggers <ebiggers@google.com>
 Cc: Eric Biggers <ebiggers@kernel.org>
 Cc: Eric Dumazet <edumazet@google.com>
 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Cc: Herbert Xu <herbert@gondor.apana.org.au>
 Cc: Ilya Leoshkevich <iii@linux.ibm.com>
 Cc: Ingo Molnar <mingo@redhat.com>
 Cc: Jens Axboe <axboe@kernel.dk>
 Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
 Cc: Kees Cook <keescook@chromium.org>
 Cc: Marco Elver <elver@google.com>
 Cc: Mark Rutland <mark.rutland@arm.com>
 Cc: Matthew Wilcox <willy@infradead.org>
 Cc: Michael S. Tsirkin <mst@redhat.com>
 Cc: Pekka Enberg <penberg@kernel.org>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Cc: Petr Mladek <pmladek@suse.com>
 Cc: Stephen Rothwell <sfr@canb.auug.org.au>
 Cc: Steven Rostedt <rostedt@goodmis.org>
 Cc: Thomas Gleixner <tglx@linutronix.de>
 Cc: Vasily Gorbik <gor@linux.ibm.com>
 Cc: Vegard Nossum <vegard.nossum@oracle.com>
 Cc: Vlastimil Babka <vbabka@suse.cz>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 ---

  mm/page_alloc.c            |    4 ++++
  security/Kconfig.hardening |    4 ++++
  2 files changed, 8 insertions(+)

 --- a/mm/page_alloc.c~security-kmsan-fix-interoperability-with-auto-initialization
 +++ a/mm/page_alloc.c
 @@ -938,6 +938,10 @@ void init_mem_debugging_and_hardening(vo
  	else
  		static_branch_disable(&init_on_free);

 +	if (IS_ENABLED(CONFIG_KMSAN) &&
 +	    (_init_on_alloc_enabled_early || _init_on_free_enabled_early))
 +		pr_info("mem auto-init: please make sure init_on_alloc and init_on_free are disabled when running KMSAN\n");
 +
  #ifdef CONFIG_DEBUG_PAGEALLOC
  	if (!debug_pagealloc_enabled())
  		return;
 --- a/security/Kconfig.hardening~security-kmsan-fix-interoperability-with-auto-initialization
 +++ a/security/Kconfig.hardening
 @@ -106,6 +106,7 @@ choice
  	config INIT_STACK_ALL_PATTERN
  		bool "pattern-init everything (strongest)"
  		depends on CC_HAS_AUTO_VAR_INIT_PATTERN
 +		depends on !KMSAN
  		help
  		  Initializes everything on the stack (including padding)
  		  with a specific debug value. This is intended to eliminate
 @@ -124,6 +125,7 @@ choice
  	config INIT_STACK_ALL_ZERO
  		bool "zero-init everything (strongest and safest)"
  		depends on CC_HAS_AUTO_VAR_INIT_ZERO
 +		depends on !KMSAN
  		help
  		  Initializes everything on the stack (including padding)
  		  with a zero value. This is intended to eliminate all
 @@ -218,6 +220,7 @@ config STACKLEAK_RUNTIME_DISABLE

  config INIT_ON_ALLOC_DEFAULT_ON
  	bool "Enable heap memory zeroing on allocation by default"
 +	depends on !KMSAN
  	help
  	  This has the effect of setting "init_on_alloc=1" on the kernel
  	  command line. This can be disabled with "init_on_alloc=0".
 @@ -230,6 +233,7 @@ config INIT_ON_ALLOC_DEFAULT_ON

  config INIT_ON_FREE_DEFAULT_ON
  	bool "Enable heap memory zeroing on free by default"
 +	depends on !KMSAN
  	help
  	  This has the effect of setting "init_on_free=1" on the kernel
  	  command line. This can be disabled with "init_on_free=0".
 _
	From: Alexander Potapenko <glider@google.com>
	Subject: security: kmsan: fix interoperability with auto-initialization
	Date: Thu, 15 Sep 2022 17:04:04 +0200

	Heap and stack initialization is great, but not when we are trying uses of
	uninitialized memory. When the kernel is built with KMSAN, having kernel
	memory initialization enabled may introduce false negatives.

	We disable CONFIG_INIT_STACK_ALL_PATTERN and CONFIG_INIT_STACK_ALL_ZERO
	under CONFIG_KMSAN, making it impossible to auto-initialize stack
	variables in KMSAN builds. We also disable
	CONFIG_INIT_ON_ALLOC_DEFAULT_ON and CONFIG_INIT_ON_FREE_DEFAULT_ON to
	prevent accidental use of heap auto-initialization.

	We however still let the users enable heap auto-initialization at
	boot-time (by setting init_on_alloc=1 or init_on_free=1), in which case a
	warning is printed.

	Link: https://lkml.kernel.org/r/20220915150417.722975-31-glider@google.com
	Signed-off-by: Alexander Potapenko <glider@google.com>
	Cc: Alexander Viro <viro@zeniv.linux.org.uk>
	Cc: Alexei Starovoitov <ast@kernel.org>
	Cc: Andrey Konovalov <andreyknvl@gmail.com>
	Cc: Andrey Konovalov <andreyknvl@google.com>
	Cc: Andy Lutomirski <luto@kernel.org>
	Cc: Arnd Bergmann <arnd@arndb.de>
	Cc: Borislav Petkov <bp@alien8.de>
	Cc: Christoph Hellwig <hch@lst.de>
	Cc: Christoph Lameter <cl@linux.com>
	Cc: David Rientjes <rientjes@google.com>
	Cc: Dmitry Vyukov <dvyukov@google.com>
	Cc: Eric Biggers <ebiggers@google.com>
	Cc: Eric Biggers <ebiggers@kernel.org>
	Cc: Eric Dumazet <edumazet@google.com>
	Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Cc: Herbert Xu <herbert@gondor.apana.org.au>
	Cc: Ilya Leoshkevich <iii@linux.ibm.com>
	Cc: Ingo Molnar <mingo@redhat.com>
	Cc: Jens Axboe <axboe@kernel.dk>
	Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
	Cc: Kees Cook <keescook@chromium.org>
	Cc: Marco Elver <elver@google.com>
	Cc: Mark Rutland <mark.rutland@arm.com>
	Cc: Matthew Wilcox <willy@infradead.org>
	Cc: Michael S. Tsirkin <mst@redhat.com>
	Cc: Pekka Enberg <penberg@kernel.org>
	Cc: Peter Zijlstra <peterz@infradead.org>
	Cc: Petr Mladek <pmladek@suse.com>
	Cc: Stephen Rothwell <sfr@canb.auug.org.au>
	Cc: Steven Rostedt <rostedt@goodmis.org>
	Cc: Thomas Gleixner <tglx@linutronix.de>
	Cc: Vasily Gorbik <gor@linux.ibm.com>
	Cc: Vegard Nossum <vegard.nossum@oracle.com>
	Cc: Vlastimil Babka <vbabka@suse.cz>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	---

	mm/page_alloc.c \| 4 ++++
	security/Kconfig.hardening \| 4 ++++
	2 files changed, 8 insertions(+)

	--- a/mm/page_alloc.c~security-kmsan-fix-interoperability-with-auto-initialization
	+++ a/mm/page_alloc.c
	@@ -938,6 +938,10 @@ void init_mem_debugging_and_hardening(vo
	else
	static_branch_disable(&init_on_free);

	+ if (IS_ENABLED(CONFIG_KMSAN) &&
	+ (_init_on_alloc_enabled_early \|\| _init_on_free_enabled_early))
	+ pr_info("mem auto-init: please make sure init_on_alloc and init_on_free are disabled when running KMSAN\n");
	+
	#ifdef CONFIG_DEBUG_PAGEALLOC
	if (!debug_pagealloc_enabled())
	return;
	--- a/security/Kconfig.hardening~security-kmsan-fix-interoperability-with-auto-initialization
	+++ a/security/Kconfig.hardening
	@@ -106,6 +106,7 @@ choice
	config INIT_STACK_ALL_PATTERN
	bool "pattern-init everything (strongest)"
	depends on CC_HAS_AUTO_VAR_INIT_PATTERN
	+ depends on !KMSAN
	help
	Initializes everything on the stack (including padding)
	with a specific debug value. This is intended to eliminate
	@@ -124,6 +125,7 @@ choice
	config INIT_STACK_ALL_ZERO
	bool "zero-init everything (strongest and safest)"
	depends on CC_HAS_AUTO_VAR_INIT_ZERO
	+ depends on !KMSAN
	help
	Initializes everything on the stack (including padding)
	with a zero value. This is intended to eliminate all
	@@ -218,6 +220,7 @@ config STACKLEAK_RUNTIME_DISABLE

	config INIT_ON_ALLOC_DEFAULT_ON
	bool "Enable heap memory zeroing on allocation by default"
	+ depends on !KMSAN
	help
	This has the effect of setting "init_on_alloc=1" on the kernel
	command line. This can be disabled with "init_on_alloc=0".
	@@ -230,6 +233,7 @@ config INIT_ON_ALLOC_DEFAULT_ON

	config INIT_ON_FREE_DEFAULT_ON
	bool "Enable heap memory zeroing on free by default"
	+ depends on !KMSAN
	help
	This has the effect of setting "init_on_free=1" on the kernel
	command line. This can be disabled with "init_on_free=0".
	_