From: Alexander Potapenko <glider@google.com>
To: adech.fo@gmail.com, cl@linux.com, dvyukov@google.com, akpm@linux-foundation.org, rostedt@goodmis.org, iamjoonsoo.kim@lge.com, js1304@gmail.com, kcc@google.com, aryabinin@virtuozzo.com
Cc: kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [PATCH] mm, kasan: introduce a special shadow value for allocator metadata
Date: Tue, 31 May 2016 12:44:26 +0200
Message-ID: <1464691466-59010-1-git-send-email-glider@google.com>

Add a special shadow value to distinguish accesses to KASAN-specific allocator metadata.

Unlike AddressSanitizer in userspace, KASAN lets the kernel proceed after a memory error. However, a write to the kmalloc metadata may cause memory corruptions that will make the tool itself unreliable and induce crashes later on. Warning about such corruptions will ease the debugging.

Signed-off-by: Alexander Potapenko <glider@google.com>
---
mm/kasan/kasan.c | 15 +++++++++++++++
mm/kasan/kasan.h | 1 +
mm/kasan/report.c | 3 +++
3 files changed, 19 insertions(+)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c index 18b6a2b..c590366 100644 --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c @@ -518,6 +518,19 @@ void kasan_poison_slab_free(struct kmem_cache *cache, void *object) return; kasan_poison_shadow(object, rounded_up_size, KASAN_KMALLOC_FREE); +#ifdef CONFIG_SLAB + if (cache->flags & SLAB_KASAN) { + struct kasan_alloc_meta *alloc_info = + get_alloc_info(cache, object); + struct kasan_free_meta *free_info = + get_free_info(cache, object); + kasan_poison_shadow(alloc_info, + sizeof(struct kasan_alloc_meta), KASAN_KMALLOC_META); + kasan_poison_shadow(free_info, + sizeof(struct kasan_free_meta), KASAN_KMALLOC_META); + } +#endif + } bool kasan_slab_free(struct kmem_cache *cache, void *object)
@@ -584,6 +597,8 @@ void kasan_kmalloc(struct kmem_cache *cache, const void *object, size_t size, alloc_info->state = KASAN_STATE_ALLOC; alloc_info->alloc_size = size; set_track(&alloc_info->track, flags); + kasan_poison_shadow(alloc_info, + sizeof(struct kasan_alloc_meta), KASAN_KMALLOC_META); } #endif } diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index fb87923..1a0d82d 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h @@ -12,6 +12,7 @@ #define KASAN_KMALLOC_REDZONE 0xFC /* redzone inside slub object */ #define KASAN_KMALLOC_FREE 0xFB /* object was freed (kmem_cache_free/kfree) */ #define KASAN_GLOBAL_REDZONE 0xFA /* redzone for global variable */ +#define KASAN_KMALLOC_META 0xF9 /* redzone for kmalloc metadata */ /* * Stack redzone shadow values diff --git a/mm/kasan/report.c b/mm/kasan/report.c index b3c122d..b6d3753 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -90,6 +90,9 @@ static void print_error_description(struct kasan_access_info *info) case KASAN_KMALLOC_FREE: bug_type = "use-after-free"; break; + case KASAN_KMALLOC_META: + bug_type = "touching kmalloc metadata"; + break; } pr_err("BUG: KASAN: %s in %pS at addr %p\n", -- 2.8.0.rc3.226.g39d4020
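Review bot: in the kasan_poison_slab_free() hunk, the new kasan_poison_shadow(free_info, sizeof(struct kasan_free_meta), KASAN_KMALLOC_META) runs right after kasan_poison_shadow(object, rounded_up_size, KASAN_KMALLOC_FREE). If get_free_info() can resolve into the freed object itself (as it does whenever the free meta is kept in the object body rather than in the redzone), that second call overwrites the KASAN_KMALLOC_FREE shadow for the leading granules of the object, so a use-after-free that touches the head of the object would be reported as "touching kmalloc metadata" instead of "use-after-free". Please skip the free_info poisoning for that layout (the region is already covered by the FREE poisoning) and add a comment explaining the ordering. It is also worth confirming that both meta structs start granule-aligned and have a size that is a multiple of the shadow granule, since kasan_poison_shadow() marks whole granules and would otherwise leave a partial tail unmarked.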
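Review bot: the kasan_kmalloc() hunk poisons alloc_info with KASAN_KMALLOC_META after set_track(), and the kasan_poison_slab_free() hunk poisons the same alloc_info again on free. Unless something unpoisons the alloc meta between allocation and free, the second call is redundant; if it is needed, a one-line comment at one of the two sites should say why. Note also that free_info is not touched on the allocation path here, so its shadow keeps whatever the previous free or the redzone poisoning left; if that is intentional, the commit message should say so.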
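Review bot: the comment on the new define, /* redzone for kmalloc metadata */, describes the region as a redzone, but the value marks the kasan_alloc_meta/kasan_free_meta structures themselves rather than padding around an object; something like /* KASAN allocator metadata (alloc/free info) */ would match what the kasan.c hunks actually poison. Please also confirm that 0xF9 does not collide with any of the stack redzone values defined right below this block, since report.c keys the bug description on the exact shadow byte.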
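Review bot: in print_error_description(), the new bug_type string "touching kmalloc metadata" is a verb phrase, while the neighbouring case uses a noun phrase ("use-after-free"); the %s is substituted into "BUG: KASAN: %s in %pS at addr %p", so a form like "kmalloc-metadata-access" keeps the report header consistent and easier to grep for. Since an instrumented access to this region means some kernel code has already reached past its object into the allocator's bookkeeping, as the commit message explains, the description (or a comment by the case) could point the reader at that root cause rather than at KASAN itself.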