BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 (v6.13-rc6, PowerMac G4)
Christophe Leroy
christophe.leroy at csgroup.eu
Sun Feb 2 19:44:20 AEDT 2025
On 01/02/2025 at 16:54, Erhard Furtner wrote:
> On Sat, 1 Feb 2025 16:14:04 +0100
> Christophe Leroy <christophe.leroy at csgroup.eu> wrote:
>
>> Thanks for the report.
>>
>> That's something different. Previous report was:
>>
>> BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8
>>
>> This is what my patch fixes.
>>
>> New report is:
>>
>> BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0
>>
>> Christophe
>
> Ah, sorry... I have not been very thorough, it seems!
>
> The dmesg looked similar, so I thought it was the same issue.
>
This time the problem is a mixture of commit 465cabc97b42
("powerpc/code-patching: introduce patch_instructions()") and commit
c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU")
which is revealed by commit e4137f08816b ("mm, kasan, kmsan: instrument
copy_from/to_kernel_nofault").
Commit c28c15b6d28a is inspired by commit b3fd8e83ada0
("x86/alternatives: Use temporary mm for text poking") but misses the
kasan_disable_current() / kasan_enable_current() sequence.
That was not necessary because __patch_mem() is not instrumented. But commit
465cabc97b42 added use of copy_to_kernel_nofault() which is now
instrumented.
The problem is that commit c28c15b6d28a makes use of a special memory
area which is not kernel memory and it doesn't have any matching KASAN
shadow area. And because it is located below TASK_SIZE, in addition
kasan sees it as user memory.
Can you try the change below?
diff --git a/arch/powerpc/lib/code-patching.c
b/arch/powerpc/lib/code-patching.c
index 8a378fc19074..f84e0337cc02 100644
--- a/arch/powerpc/lib/code-patching.c
+++ b/arch/powerpc/lib/code-patching.c
@@ -493,7 +493,9 @@ static int __do_patch_instructions_mm(u32 *addr, u32
*code, size_t len, bool rep
orig_mm = start_using_temp_mm(patching_mm);
+ kasan_disable_current();
err = __patch_instructions(patch_addr, code, len, repeat_instr);
+ kasan_enable_current();
/* context synchronisation performed by __patch_instructions */
stop_using_temp_mm(patching_mm, orig_mm);
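Review bot: no `#include <linux/kasan.h>` accompanies the new kasan_disable_current()/kasan_enable_current() calls in __do_patch_instructions_mm(); unless code-patching.c already pulls that header in indirectly, the build would break precisely in the KASAN configurations this change targets, so adding the include explicitly is safer. The placement itself looks right: the pair brackets exactly the __patch_instructions() call that performs the instrumented copy_to_kernel_nofault() into the temporary-mm mapping, and because `err` is only examined after `kasan_enable_current();` the counter is restored on the failure path too. Both helpers are per-task depth counters that nest safely and compile to no-ops when KASAN is not configured, matching the x86 text-poking sequence from b3fd8e83ada0 that the message cites. When this goes out as a formal patch, a `Fixes: 465cabc97b42 ("powerpc/code-patching: introduce patch_instructions()")` tag together with Erhard's Reported-by would help the stable backport.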
More information about the Linuxppc-dev mailing list