From: a.ryabinin@samsung•com (Andrey Ryabinin)
To: linux-arm-kernel@lists•infradead.org
Subject: [RFC/PATCH RESEND -next 15/21] mm: slub: add kernel address sanitizer hooks to slub allocator
Date: Tue, 15 Jul 2014 11:45:15 +0400 [thread overview]
Message-ID: <53C4DC0B.9070307@samsung.com> (raw)
In-Reply-To: <20140715060932.GJ11317@js1304-P5Q-DELUXE>
On 07/15/14 10:09, Joonsoo Kim wrote:
> On Wed, Jul 09, 2014 at 03:30:09PM +0400, Andrey Ryabinin wrote:
>> With this patch kasan will be able to catch bugs in memory allocated
>> by slub.
>> Allocated slab page, this whole page marked as unaccessible
>> in corresponding shadow memory.
>> On allocation of slub object requested allocation size marked as
>> accessible, and the rest of the object (including slub's metadata)
>> marked as redzone (unaccessible).
>>
>> We also mark object as accessible if ksize was called for this object.
>> There is some places in kernel where ksize function is called to inquire
>> size of really allocated area. Such callers could validly access whole
>> allocated memory, so it should be marked as accessible by kasan_krealloc call.
>>
>> Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung•com>
>> ---
>> include/linux/kasan.h | 22 ++++++++++
>> include/linux/slab.h | 19 +++++++--
>> lib/Kconfig.kasan | 2 +
>> mm/kasan/kasan.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++
>> mm/kasan/kasan.h | 5 +++
>> mm/kasan/report.c | 23 +++++++++++
>> mm/slab.h | 2 +-
>> mm/slab_common.c | 9 +++--
>> mm/slub.c | 24 ++++++++++-
>> 9 files changed, 208 insertions(+), 8 deletions(-)
>>
>> diff --git a/include/linux/kasan.h b/include/linux/kasan.h
>> index 4adc0a1..583c011 100644
>> --- a/include/linux/kasan.h
>> +++ b/include/linux/kasan.h
>> @@ -20,6 +20,17 @@ void kasan_init_shadow(void);
>> void kasan_alloc_pages(struct page *page, unsigned int order);
>> void kasan_free_pages(struct page *page, unsigned int order);
>>
>> +void kasan_kmalloc_large(const void *ptr, size_t size);
>> +void kasan_kfree_large(const void *ptr);
>> +void kasan_kmalloc(struct kmem_cache *s, const void *object, size_t size);
>> +void kasan_krealloc(const void *object, size_t new_size);
>> +
>> +void kasan_slab_alloc(struct kmem_cache *s, void *object);
>> +void kasan_slab_free(struct kmem_cache *s, void *object);
>> +
>> +void kasan_alloc_slab_pages(struct page *page, int order);
>> +void kasan_free_slab_pages(struct page *page, int order);
>> +
>> #else /* CONFIG_KASAN */
>>
>> static inline void unpoison_shadow(const void *address, size_t size) {}
>> @@ -34,6 +45,17 @@ static inline void kasan_alloc_shadow(void) {}
>> static inline void kasan_alloc_pages(struct page *page, unsigned int order) {}
>> static inline void kasan_free_pages(struct page *page, unsigned int order) {}
>>
>> +static inline void kasan_kmalloc_large(void *ptr, size_t size) {}
>> +static inline void kasan_kfree_large(const void *ptr) {}
>> +static inline void kasan_kmalloc(struct kmem_cache *s, const void *object, size_t size) {}
>> +static inline void kasan_krealloc(const void *object, size_t new_size) {}
>> +
>> +static inline void kasan_slab_alloc(struct kmem_cache *s, void *object) {}
>> +static inline void kasan_slab_free(struct kmem_cache *s, void *object) {}
>> +
>> +static inline void kasan_alloc_slab_pages(struct page *page, int order) {}
>> +static inline void kasan_free_slab_pages(struct page *page, int order) {}
>> +
>> #endif /* CONFIG_KASAN */
>>
>> #endif /* LINUX_KASAN_H */
>> diff --git a/include/linux/slab.h b/include/linux/slab.h
>> index 68b1feab..a9513e9 100644
>> --- a/include/linux/slab.h
>> +++ b/include/linux/slab.h
>> @@ -104,6 +104,7 @@
>> (unsigned long)ZERO_SIZE_PTR)
>>
>> #include <linux/kmemleak.h>
>> +#include <linux/kasan.h>
>>
>> struct mem_cgroup;
>> /*
>> @@ -444,6 +445,8 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
>> */
>> static __always_inline void *kmalloc(size_t size, gfp_t flags)
>> {
>> + void *ret;
>> +
>> if (__builtin_constant_p(size)) {
>> if (size > KMALLOC_MAX_CACHE_SIZE)
>> return kmalloc_large(size, flags);
>> @@ -454,8 +457,12 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
>> if (!index)
>> return ZERO_SIZE_PTR;
>>
>> - return kmem_cache_alloc_trace(kmalloc_caches[index],
>> + ret = kmem_cache_alloc_trace(kmalloc_caches[index],
>> flags, size);
>> +
>> + kasan_kmalloc(kmalloc_caches[index], ret, size);
>> +
>> + return ret;
>> }
>> #endif
>> }
>> @@ -485,6 +492,8 @@ static __always_inline int kmalloc_size(int n)
>> static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
>> {
>> #ifndef CONFIG_SLOB
>> + void *ret;
>> +
>> if (__builtin_constant_p(size) &&
>> size <= KMALLOC_MAX_CACHE_SIZE && !(flags & GFP_DMA)) {
>> int i = kmalloc_index(size);
>> @@ -492,8 +501,12 @@ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
>> if (!i)
>> return ZERO_SIZE_PTR;
>>
>> - return kmem_cache_alloc_node_trace(kmalloc_caches[i],
>> - flags, node, size);
>> + ret = kmem_cache_alloc_node_trace(kmalloc_caches[i],
>> + flags, node, size);
>> +
>> + kasan_kmalloc(kmalloc_caches[i], ret, size);
>> +
>> + return ret;
>> }
>> #endif
>> return __kmalloc_node(size, flags, node);
>> diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
>> index 2bfff78..289a624 100644
>> --- a/lib/Kconfig.kasan
>> +++ b/lib/Kconfig.kasan
>> @@ -5,6 +5,8 @@ if HAVE_ARCH_KASAN
>>
>> config KASAN
>> bool "AddressSanitizer: dynamic memory error detector"
>> + depends on SLUB
>> + select STACKTRACE
>> default n
>> help
>> Enables AddressSanitizer - dynamic memory error detector,
>> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
>> index 109478e..9b5182a 100644
>> --- a/mm/kasan/kasan.c
>> +++ b/mm/kasan/kasan.c
>> @@ -177,6 +177,116 @@ void __init kasan_init_shadow(void)
>> }
>> }
>>
>> +void kasan_alloc_slab_pages(struct page *page, int order)
>> +{
>> + if (unlikely(!kasan_initialized))
>> + return;
>> +
>> + poison_shadow(page_address(page), PAGE_SIZE << order, KASAN_SLAB_REDZONE);
>> +}
>> +
>> +void kasan_free_slab_pages(struct page *page, int order)
>> +{
>> + if (unlikely(!kasan_initialized))
>> + return;
>> +
>> + poison_shadow(page_address(page), PAGE_SIZE << order, KASAN_SLAB_FREE);
>> +}
>> +
>> +void kasan_slab_alloc(struct kmem_cache *cache, void *object)
>> +{
>> + if (unlikely(!kasan_initialized))
>> + return;
>> +
>> + if (unlikely(object == NULL))
>> + return;
>> +
>> + poison_shadow(object, cache->size, KASAN_KMALLOC_REDZONE);
>> + unpoison_shadow(object, cache->alloc_size);
>> +}
>> +
>> +void kasan_slab_free(struct kmem_cache *cache, void *object)
>> +{
>> + unsigned long size = cache->size;
>> + unsigned long rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
>> +
>> + if (unlikely(!kasan_initialized))
>> + return;
>> +
>> + poison_shadow(object, rounded_up_size, KASAN_KMALLOC_FREE);
>> +}
>> +
>> +void kasan_kmalloc(struct kmem_cache *cache, const void *object, size_t size)
>> +{
>> + unsigned long redzone_start;
>> + unsigned long redzone_end;
>> +
>> + if (unlikely(!kasan_initialized))
>> + return;
>> +
>> + if (unlikely(object == NULL))
>> + return;
>> +
>> + redzone_start = round_up((unsigned long)(object + size),
>> + KASAN_SHADOW_SCALE_SIZE);
>> + redzone_end = (unsigned long)object + cache->size;
>> +
>> + unpoison_shadow(object, size);
>> + poison_shadow((void *)redzone_start, redzone_end - redzone_start,
>> + KASAN_KMALLOC_REDZONE);
>> +
>> +}
>> +EXPORT_SYMBOL(kasan_kmalloc);
>> +
>> +void kasan_kmalloc_large(const void *ptr, size_t size)
>> +{
>> + struct page *page;
>> + unsigned long redzone_start;
>> + unsigned long redzone_end;
>> +
>> + if (unlikely(!kasan_initialized))
>> + return;
>> +
>> + if (unlikely(ptr == NULL))
>> + return;
>> +
>> + page = virt_to_page(ptr);
>> + redzone_start = round_up((unsigned long)(ptr + size),
>> + KASAN_SHADOW_SCALE_SIZE);
>> + redzone_end = (unsigned long)ptr + (PAGE_SIZE << compound_order(page));
>> +
>> + unpoison_shadow(ptr, size);
>> + poison_shadow((void *)redzone_start, redzone_end - redzone_start,
>> + KASAN_PAGE_REDZONE);
>> +}
>> +EXPORT_SYMBOL(kasan_kmalloc_large);
>> +
>> +void kasan_krealloc(const void *object, size_t size)
>> +{
>> + struct page *page;
>> +
>> + if (unlikely(object == ZERO_SIZE_PTR))
>> + return;
>> +
>> + page = virt_to_head_page(object);
>> +
>> + if (unlikely(!PageSlab(page)))
>> + kasan_kmalloc_large(object, size);
>> + else
>> + kasan_kmalloc(page->slab_cache, object, size);
>> +}
>> +
>> +void kasan_kfree_large(const void *ptr)
>> +{
>> + struct page *page;
>> +
>> + if (unlikely(!kasan_initialized))
>> + return;
>> +
>> + page = virt_to_page(ptr);
>> + poison_shadow(ptr, PAGE_SIZE << compound_order(page), KASAN_FREE_PAGE);
>> +}
>> +
>> void kasan_alloc_pages(struct page *page, unsigned int order)
>> {
>> if (unlikely(!kasan_initialized))
>> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
>> index be9597e..f925d03 100644
>> --- a/mm/kasan/kasan.h
>> +++ b/mm/kasan/kasan.h
>> @@ -6,6 +6,11 @@
>> #define KASAN_SHADOW_MASK (KASAN_SHADOW_SCALE_SIZE - 1)
>>
>> #define KASAN_FREE_PAGE 0xFF /* page was freed */
>> +#define KASAN_PAGE_REDZONE 0xFE /* redzone for kmalloc_large allocations */
>> +#define KASAN_SLAB_REDZONE 0xFD /* Slab page redzone, does not belong to any slub object */
>> +#define KASAN_KMALLOC_REDZONE 0xFC /* redzone inside slub object */
>> +#define KASAN_KMALLOC_FREE 0xFB /* object was freed (kmem_cache_free/kfree) */
>> +#define KASAN_SLAB_FREE 0xFA /* free slab page */
>> #define KASAN_SHADOW_GAP 0xF9 /* address belongs to shadow memory */
>>
>> struct access_info {
>> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
>> index 6ef9e57..6d829af 100644
>> --- a/mm/kasan/report.c
>> +++ b/mm/kasan/report.c
>> @@ -43,10 +43,15 @@ static void print_error_description(struct access_info *info)
>> u8 shadow_val = *(u8 *)kasan_mem_to_shadow(info->access_addr);
>>
>> switch (shadow_val) {
>> + case KASAN_PAGE_REDZONE:
>> + case KASAN_SLAB_REDZONE:
>> + case KASAN_KMALLOC_REDZONE:
>> case 0 ... KASAN_SHADOW_SCALE_SIZE - 1:
>> bug_type = "buffer overflow";
>> break;
>> case KASAN_FREE_PAGE:
>> + case KASAN_SLAB_FREE:
>> + case KASAN_KMALLOC_FREE:
>> bug_type = "use after free";
>> break;
>> case KASAN_SHADOW_GAP:
>> @@ -70,7 +75,25 @@ static void print_address_description(struct access_info *info)
>> page = virt_to_page(info->access_addr);
>>
>> switch (shadow_val) {
>> + case KASAN_SLAB_REDZONE:
>> + cache = virt_to_cache((void *)info->access_addr);
>> + slab_err(cache, page, "access to slab redzone");
>
> We need head page of invalid access address for slab_err() since head
> page has all meta data of this slab. So, instead of, virt_to_cache,
> use virt_to_head_page() and page->slab_cache.
>
>> + dump_stack();
>> + break;
>> + case KASAN_KMALLOC_FREE:
>> + case KASAN_KMALLOC_REDZONE:
>> + case 1 ... KASAN_SHADOW_SCALE_SIZE - 1:
>> + if (PageSlab(page)) {
>> + cache = virt_to_cache((void *)info->access_addr);
>> + slab_start = page_address(virt_to_head_page((void *)info->access_addr));
>> + object = virt_to_obj(cache, slab_start,
>> + (void *)info->access_addr);
>> + object_err(cache, page, object, "kasan error");
>> + break;
>> + }
>
> Same here, page should be head page.
>
Correct, I'll fix it.
Thanks.
> Thanks.
>
next prev parent reply other threads:[~2014-07-15 7:45 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-09 11:29 [RFC/PATCH RESEND -next 00/21] Address sanitizer for kernel (kasan) - dynamic memory error detector Andrey Ryabinin
2014-07-09 11:29 ` [RFC/PATCH RESEND -next 01/21] Add kernel address sanitizer infrastructure Andrey Ryabinin
2014-07-09 14:26 ` Christoph Lameter
2014-07-10 7:31 ` Andrey Ryabinin
2014-07-09 19:29 ` Andi Kleen
2014-07-09 20:40 ` Yuri Gribov
2014-07-10 12:10 ` Andrey Ryabinin
2014-07-09 20:26 ` Dave Hansen
2014-07-10 12:12 ` Andrey Ryabinin
2014-07-10 15:55 ` Dave Hansen
2014-07-10 19:48 ` Andrey Ryabinin
2014-07-10 20:04 ` Dave Hansen
2014-07-09 20:37 ` Dave Hansen
2014-07-09 20:38 ` Dave Hansen
2014-07-10 11:55 ` Sasha Levin
2014-07-10 13:01 ` Andrey Ryabinin
2014-07-10 13:31 ` Sasha Levin
2014-07-10 13:39 ` Andrey Ryabinin
2014-07-10 14:02 ` Sasha Levin
2014-07-10 19:04 ` Andrey Ryabinin
2014-07-10 13:50 ` Andrey Ryabinin
2014-07-09 11:29 ` [RFC/PATCH RESEND -next 02/21] init: main: initialize kasan's shadow area on boot Andrey Ryabinin
2014-07-09 11:29 ` [RFC/PATCH RESEND -next 03/21] x86: add kasan hooks fort memcpy/memmove/memset functions Andrey Ryabinin
2014-07-09 19:31 ` Andi Kleen
2014-07-10 13:54 ` Andrey Ryabinin
2014-07-09 11:29 ` [RFC/PATCH RESEND -next 04/21] x86: boot: vdso: disable instrumentation for code not linked with kernel Andrey Ryabinin
2014-07-09 11:29 ` [RFC/PATCH RESEND -next 05/21] x86: cpu: don't sanitize early stages of a secondary CPU boot Andrey Ryabinin
2014-07-09 19:33 ` Andi Kleen
2014-07-10 13:15 ` Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 06/21] x86: mm: init: allocate shadow memory for kasan Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 07/21] x86: Kconfig: enable kernel address sanitizer Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 08/21] mm: page_alloc: add kasan hooks on alloc and free pathes Andrey Ryabinin
2014-07-15 5:52 ` Joonsoo Kim
2014-07-15 6:54 ` Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 09/21] mm: Makefile: kasan: don't instrument slub.c and slab_common.c files Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 10/21] mm: slab: share virt_to_cache() between slab and slub Andrey Ryabinin
2014-07-15 5:53 ` Joonsoo Kim
2014-07-15 6:56 ` Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 11/21] mm: slub: share slab_err and object_err functions Andrey Ryabinin
2014-07-09 14:29 ` Christoph Lameter
2014-07-10 7:41 ` Andrey Ryabinin
2014-07-10 14:07 ` Christoph Lameter
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 12/21] mm: util: move krealloc/kzfree to slab_common.c Andrey Ryabinin
2014-07-09 14:32 ` Christoph Lameter
2014-07-10 7:43 ` Andrey Ryabinin
2014-07-10 14:08 ` Christoph Lameter
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 13/21] mm: slub: add allocation size field to struct kmem_cache Andrey Ryabinin
2014-07-09 14:33 ` Christoph Lameter
2014-07-10 8:44 ` Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 14/21] mm: slub: kasan: disable kasan when touching unaccessible memory Andrey Ryabinin
2014-07-15 6:04 ` Joonsoo Kim
2014-07-15 7:37 ` Andrey Ryabinin
2014-07-15 8:18 ` Joonsoo Kim
2014-07-15 9:51 ` Andrey Ryabinin
2014-07-15 14:26 ` Christoph Lameter
2014-07-15 15:02 ` Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 15/21] mm: slub: add kernel address sanitizer hooks to slub allocator Andrey Ryabinin
2014-07-09 14:48 ` Christoph Lameter
2014-07-10 9:24 ` Andrey Ryabinin
2014-07-15 6:09 ` Joonsoo Kim
2014-07-15 7:45 ` Andrey Ryabinin [this message]
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 16/21] arm: boot: compressed: disable kasan's instrumentation Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 17/21] arm: add kasan hooks fort memcpy/memmove/memset functions Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 18/21] arm: mm: reserve shadow memory for kasan Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 19/21] arm: Kconfig: enable kernel address sanitizer Andrey Ryabinin
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 20/21] fs: dcache: manually unpoison dname after allocation to shut up kasan's reports Andrey Ryabinin
2014-07-15 6:12 ` Joonsoo Kim
2014-07-15 6:08 ` Dmitry Vyukov
2014-07-15 9:34 ` Andrey Ryabinin
2014-07-15 9:45 ` Dmitry Vyukov
2014-07-09 11:30 ` [RFC/PATCH RESEND -next 21/21] lib: add kmalloc_bug_test module Andrey Ryabinin
2014-07-09 21:19 ` [RFC/PATCH RESEND -next 00/21] Address sanitizer for kernel (kasan) - dynamic memory error detector Dave Hansen
2014-07-09 21:44 ` Andi Kleen
2014-07-09 21:59 ` Vegard Nossum
2014-07-09 23:33 ` Dave Hansen
2014-07-10 0:03 ` Andi Kleen
2014-07-10 13:59 ` Andrey Ryabinin
[not found] ` <1421859105-25253-1-git-send-email-a.ryabinin@samsung.com>
2015-01-21 16:51 ` [PATCH v9 14/17] mm: vmalloc: pass additional vm_flags to __vmalloc_node_range() Andrey Ryabinin
[not found] ` <1422544321-24232-1-git-send-email-a.ryabinin@samsung.com>
2015-01-29 15:11 ` [PATCH v10 " Andrey Ryabinin
[not found] ` <1422985392-28652-1-git-send-email-a.ryabinin@samsung.com>
2015-02-03 17:43 ` [PATCH v11 16/19] " Andrey Ryabinin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53C4DC0B.9070307@samsung.com \
--to=a.ryabinin@samsung$(echo .)com \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox