mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* [PATCH 0/4] dma: debug: track DMA buffer ownership with KASAN
@ 2024-09-10 11:48 Ahmad Fatoum
  2024-09-10 11:48 ` [PATCH 1/4] Revert "dma: debug: detect repeated DMA sync" Ahmad Fatoum
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Ahmad Fatoum @ 2024-09-10 11:48 UTC (permalink / raw)
  To: barebox; +Cc: lst

There is litte we can do in software if a DMA master decides to corrupt
memory that is owned by the CPU. What we could do, however, is to ensure
that code doesn't access memory while not owned by the CPU.

This is done by recording ownership information into the KASAN shadow memory.
That way accessing a device mapped buffer before sync'ing it to the CPU is
detected like KASAN would detect a use-after-free. Below is the output
after adding a (void)readl(packet) into the network device send routing just
after mapping it to the device:

  BUG: KASAN: dma-mapped-to-device in eqos_send+0xdc/0x1a8
  Read of size 4 at addr 0000000040419f00

  Call trace:
  [<7fbd4980>] (unwind_backtrace+0x0/0xb0) from [<7fbd4a40>] (dump_stack+0x10/0x18)
  [<7fbd4a40>] (dump_stack+0x10/0x18) from [<7fba2360>] (kasan_report+0x11c/0x290)
  [<7fba2360>] (kasan_report+0x11c/0x290) from [<7fba1f44>] (__asan_load4+0x54/0xb8)
  [<7fba1f44>] (__asan_load4+0x54/0xb8) from [<7fb2e52c>] (eqos_send+0xdc/0x1a8)
  [<7fb2e52c>] (eqos_send+0xdc/0x1a8) from [<7fbb6544>] (eth_send+0x154/0x16c)
  [<7fbb6544>] (eth_send+0x154/0x16c) from [<7fbb7114>] (net_ip_send+0xe8/0xf8)
  [<7fbb7114>] (net_ip_send+0xe8/0xf8) from [<7fbb7d10>] (net_udp_send+0x68/0x78)
  [<7fbb7d10>] (net_udp_send+0x68/0x78) from [<7fbb9b50>] (bootp_request+0x174/0x188)
  [<7fbb9b50>] (bootp_request+0x174/0x188) from [<7fbb9ce8>] (dhcp_request+0x184/0x274)
  [<7fbb9ce8>] (dhcp_request+0x184/0x274) from [<7fbb9fd0>] (dhcp+0x34/0x80)
  [<7fbb9fd0>] (dhcp+0x34/0x80) from [<7fb9df64>] (do_dhcp+0x1cc/0x1d0)
  [<7fb9df64>] (do_dhcp+0x1cc/0x1d0) from [<7fb097d8>] (execute_command+0x54/0xa8)
  [<7fb097d8>] (execute_command+0x54/0xa8) from [<7fb0584c>] (execute_binfmt+0x80/0xc0)
  [<7fb0584c>] (execute_binfmt+0x80/0xc0) from [<7fb1522c>] (run_list_real+0xc2c/0xcdc)
  [<7fb1522c>] (run_list_real+0xc2c/0xcdc) from [<7fb1441c>] (parse_stream_outer+0x154/0x220)
  [<7fb1441c>] (parse_stream_outer+0x154/0x220) from [<7fb15554>] (run_shell+0x64/0xac)
  [<7fb15554>] (run_shell+0x64/0xac) from [<7fb01fa4>] (run_init+0x100/0x26c)
  [<7fb01fa4>] (run_init+0x100/0x26c) from [<7fb0217c>] (start_barebox+0x6c/0xd0)
  [<7fb0217c>] (start_barebox+0x6c/0xd0) from [<7fbd2864>] (psci_driver_register+0x0/0x1c)
  [<7fbd2864>] (psci_driver_register+0x0/0x1c) from [<7fb0000c>] (__bare_init_start+0x0/0x14)
  [<7fb0000c>] (__bare_init_start+0x0/0x14) from [<00a01ae0>] (0xa01ae0)
  [<00a01ae0>] (0xa01ae0) from [<00a01360>] (0xa01360)


  Memory state around the buggy address:
   0000000040419e00: 00 00 00 00 00 00 00 00 02 fc ff ff ff ff fc 00
   0000000040419e80: 00 00 00 fc 00 00 00 00 04 fc ff ff ff ff fc fc
  >0000000040419f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                     ^
   0000000040419f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   000000004041a000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 00 00 00 00 00
==================================================================

Cheers,
Ahmad Fatoum (4):
  Revert "dma: debug: detect repeated DMA sync"
  KASan: implement non-warning kasan_is_poisoned_shadow
  dma: debug: poison DMA buffers with KASAN while owned by device
  dma: debug: detect repeated DMA sync using KASAN

 drivers/dma/debug.c        | 74 ++++++++++++++++++++++++++++++++------
 include/linux/kasan.h      |  4 ++-
 lib/kasan/generic.c        | 37 +++++++++++++++++++
 lib/kasan/generic_report.c |  4 +--
 4 files changed, 106 insertions(+), 13 deletions(-)

-- 
2.39.2




^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2024-09-26 13:17 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-09-10 11:48 [PATCH 0/4] dma: debug: track DMA buffer ownership with KASAN Ahmad Fatoum
2024-09-10 11:48 ` [PATCH 1/4] Revert "dma: debug: detect repeated DMA sync" Ahmad Fatoum
2024-09-10 11:48 ` [PATCH 2/4] KASan: implement non-warning kasan_is_poisoned_shadow Ahmad Fatoum
2024-09-10 11:48 ` [PATCH 3/4] dma: debug: poison DMA buffers with KASAN while owned by device Ahmad Fatoum
2024-09-10 11:48 ` [PATCH 4/4] dma: debug: detect repeated DMA sync using KASAN Ahmad Fatoum
2024-09-26 13:16 ` [PATCH 0/4] dma: debug: track DMA buffer ownership with KASAN Sascha Hauer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox