linux-mm.kvack.org archive mirror
From: lizhe.67@bytedance.com
To: ryabinin.a.a@gmail.com, glider@google.com, andreyknvl@gmail.com,
	dvyukov@google.com, vincenzo.frascino@arm.com,
	akpm@linux-foundation.org
Cc: kasan-dev@googlegroups.com, linux-mm@kvack.org,
	lizefan.x@bytedance.com, lizhe.67@bytedance.com
Subject: [RFC 0/2] kasan: introduce mem track feature
Date: Thu, 18 Jan 2024 20:41:07 +0800	[thread overview]
Message-ID: <20240118124109.37324-1-lizhe.67@bytedance.com> (raw)

From: Li Zhe <lizhe.67@bytedance.com>

1. Problem
==========
KASAN is a tool for detecting memory bugs like out-of-bounds and
use-after-free. In Generic KASAN mode, it uses shadow memory to record
the accessibility information of the memory. After we allocate memory
from the kernel, the shadow memory corresponding to this memory will be
marked as accessible.
In our daily development, memory problems often occur. If a task
accidentally modifies memory that does not belong to itself but has
been allocated, some strange phenomena may occur. This kind of problem
brings a lot of trouble to our development, and unluckily, this kind of
problem cannot be captured by KASAN. This is because as long as the
accessibility information in shadow memory shows that the corresponding
memory can be accessed, KASAN considers the memory access to be legal.

2. Solution
===========
We solve this problem by introducing a mem track feature based on KASAN
in Generic KASAN mode. In the current kernel implementation, we use
bits 0-2 of each shadow memory byte to store how many bytes of the
8-byte memory corresponding to that shadow memory byte can be accessed.
When an 8-byte memory region is inaccessible, the highest bit of its
corresponding shadow memory value is 1. Therefore, the key idea is that
we can use the currently unused four bits 3-6 in the shadow memory to
record relevant track information, which means we can use one bit to
track 2 bytes of memory. If the track bit of the shadow memory corresponding
to a certain memory is 1, it means that the corresponding 2-byte memory
is tracked. By adding this check logic to KASAN's callback function, we
can use KASAN's ability to capture corruption of allocated memory.

3. Simple usage
===============
The first step is to mark the memory as tracked after the allocation is
completed.
The second step is to remove the tracked mark of the memory before the
legal access process and re-mark the memory as tracked after finishing
the legal access process.

The first patch completes the implementation of the mem track, and the
second patch provides an interface for using this facility, as well as
a testcase for the interface.

Li Zhe (2):
  kasan: introduce mem track feature base on kasan
  kasan: add mem track interface and its test cases

 include/linux/kasan.h        |   5 +
 lib/Kconfig.kasan            |   9 +
 mm/kasan/generic.c           | 437 +++++++++++++++++++++++++++++++++--
 mm/kasan/kasan_test_module.c |  26 +++
 mm/kasan/report_generic.c    |   6 +
 5 files changed, 467 insertions(+), 16 deletions(-)

-- 
2.20.1
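The following is an added illustration and is not code from this patch
series or from the kernel. It is a user-space model of the Generic KASAN
shadow-byte encoding the cover letter describes (bits 0-2 hold the count
of accessible leading bytes of an 8-byte granule, bit 7 marks a poisoned
granule) with the proposed track bits 3-6 layered on top, plus the
mark/unmark/re-mark usage from section 3. Two details are assumptions
made here for illustration, since the cover letter does not specify them:
allocations start on an 8-byte boundary, and track bit (3 + i) covers
bytes [2i, 2i + 1] of its granule. The function and macro names are
invented for this model and are not the series' interface.

```c
/*
 * Added example, not code from this patch series: a user-space model of
 * Generic KASAN's shadow-byte encoding extended with the proposed track bits.
 * One shadow byte covers an 8-byte granule:
 *   bits 0-2 : number of accessible leading bytes (0 means all 8 accessible)
 *   bit  7   : set when the granule is poisoned (inaccessible)
 *   bits 3-6 : proposed track bits, one per 2-byte pair of the granule
 * Assumptions: allocations are 8-byte aligned, and track bit (3 + i) covers
 * bytes [2i, 2i + 1] of the granule (the cover letter does not fix this).
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SHADOW_SCALE_SHIFT 3
#define GRANULE            (1u << SHADOW_SCALE_SHIFT)
#define MEM_SIZE           64
#define SHADOW_POISON      0x80u   /* bit 7: whole granule inaccessible */
#define SHADOW_TRACK_MASK  0x78u   /* bits 3-6: track bits */
#define SHADOW_ACCESS_MASK 0x07u   /* bits 0-2: accessible byte count */

enum { ACCESS_OK = 0, ACCESS_BAD = 1, ACCESS_TRACKED = 2 };

static uint8_t shadow[MEM_SIZE / GRANULE];   /* constructed shadow region */

static uint8_t *shadow_of(size_t off) { return &shadow[off >> SHADOW_SCALE_SHIFT]; }

static void poison_all(void) { memset(shadow, SHADOW_POISON, sizeof shadow); }

/* Unpoison [off, off + size): full granules get 0, a trailing partial granule
 * gets the count of its accessible leading bytes. Track bits start cleared. */
static void unpoison(size_t off, size_t size)
{
	size_t end = off + size;
	for (size_t g = off; g < end; g += GRANULE) {
		size_t left = end - g;
		*shadow_of(g) = left >= GRANULE ? 0 : (uint8_t)left;
	}
}

/* The unmodified Generic KASAN rule for one byte; track bits are masked out
 * so a tracked but allocated granule still counts as accessible here. */
static int byte_accessible(size_t off)
{
	uint8_t s = *shadow_of(off) & (uint8_t)~SHADOW_TRACK_MASK;
	if (s == 0)
		return 1;
	if (s & SHADOW_POISON)
		return 0;
	return (off & (GRANULE - 1)) < (s & SHADOW_ACCESS_MASK);
}

static int byte_tracked(size_t off)
{
	unsigned pair = (unsigned)(off & (GRANULE - 1)) / 2;
	return (*shadow_of(off) >> (3 + pair)) & 1;
}

/* Set or clear the track bit of every 2-byte pair touched by [off, off + size).
 * Returns the number of bytes covered. */
static size_t set_track(size_t off, size_t size, int on)
{
	for (size_t i = off; i < off + size; i++) {
		unsigned pair = (unsigned)(i & (GRANULE - 1)) / 2;
		uint8_t bit = (uint8_t)(1u << (3 + pair));
		if (on)
			*shadow_of(i) |= bit;
		else
			*shadow_of(i) &= (uint8_t)~bit;
	}
	return size;
}

/* The check added to the access callback: poisoned byte = classic OOB/UAF,
 * tracked byte = write into allocated memory the accessor does not own. */
static int check_access(size_t off, size_t size)
{
	for (size_t i = off; i < off + size; i++) {
		if (!byte_accessible(i))
			return ACCESS_BAD;
		if (byte_tracked(i))
			return ACCESS_TRACKED;
	}
	return ACCESS_OK;
}

/* Constructed layout: object A = [0, 24), object B = [32, 52).
 * Returns the number of granules unpoisoned. */
static int setup_objects(void)
{
	poison_all();
	unpoison(0, 24);
	unpoison(32, 20);
	return 3 + 3;
}

int main(void)
{
	static const char *name[] = { "ok", "bad", "tracked" };
	setup_objects();
	printf("B writes into A, A untracked: %s\n", name[check_access(4, 4)]);
	set_track(0, 24, 1);   /* step 1: A's owner marks it after allocation */
	printf("B writes into A, A tracked:   %s\n", name[check_access(4, 4)]);
	set_track(4, 4, 0);    /* step 2: owner unmarks before its legal access */
	printf("A's owner accesses bytes 4-7: %s\n", name[check_access(4, 4)]);
	set_track(4, 4, 1);    /* ...and re-marks when done */
	printf("stray write to A afterwards:  %s\n", name[check_access(4, 4)]);
	return 0;
}
```

The point of masking the track bits in byte_accessible() is visible on
the partial granule of object B: after marking bytes 48-51 its shadow
byte reads 0x1C, and the original "first 4 bytes accessible" rule still
has to come out of the low three bits, so an accessor that sees bit 3 or
bit 4 must not mistake the byte for a poison value.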




Thread overview: 11+ messages
2024-01-18 12:41 lizhe.67 [this message]
2024-01-18 12:41 ` [RFC 1/2] kasan: introduce mem track feature base on kasan lizhe.67
2024-01-18 12:41 ` [RFC 2/2] kasan: add mem track interface and its test cases lizhe.67
2024-01-18 13:28 ` [RFC 0/2] kasan: introduce mem track feature Marco Elver
2024-01-18 14:30   ` lizhe.67
2024-01-19 16:06     ` Andrey Konovalov
2024-01-22  3:03       ` lizhe.67
2024-01-22  4:49 ` Dmitry Vyukov
2024-01-22  6:26   ` lizhe.67
2024-01-22  7:03     ` Dmitry Vyukov
2024-01-23  6:27       ` lizhe.67
