From: Alexander Potapenko <glider@google.com>
To: adech.fo@gmail.com, cl@linux.com, dvyukov@google.com,
akpm@linux-foundation.org, rostedt@goodmis.org,
iamjoonsoo.kim@lge.com, js1304@gmail.com, kcc@google.com,
aryabinin@virtuozzo.com
Cc: kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: [PATCH] mm, kasan: introduce a special shadow value for allocator metadata
Date: Tue, 31 May 2016 12:44:26 +0200 [thread overview]
Message-ID: <1464691466-59010-1-git-send-email-glider@google.com> (raw)
Add a special shadow value to distinguish accesses to KASAN-specific
allocator metadata.
Unlike AddressSanitizer in the userspace, KASAN lets the kernel proceed
after a memory error. However a write to the kmalloc metadata may cause
memory corruptions that will make the tool itself unreliable and induce
crashes later on. Warning about such corruptions will ease the
debugging.
Signed-off-by: Alexander Potapenko <glider@google.com>
---
mm/kasan/kasan.c | 15 +++++++++++++++
mm/kasan/kasan.h | 1 +
mm/kasan/report.c | 3 +++
3 files changed, 19 insertions(+)
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 18b6a2b..c590366 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -518,6 +518,19 @@ void kasan_poison_slab_free(struct kmem_cache *cache, void *object)
return;
kasan_poison_shadow(object, rounded_up_size, KASAN_KMALLOC_FREE);
+#ifdef CONFIG_SLAB
+ if (cache->flags & SLAB_KASAN) {
+ struct kasan_alloc_meta *alloc_info =
+ get_alloc_info(cache, object);
+ struct kasan_free_meta *free_info =
+ get_free_info(cache, object);
+ kasan_poison_shadow(alloc_info,
+ sizeof(struct kasan_alloc_meta), KASAN_KMALLOC_META);
+ kasan_poison_shadow(free_info,
+ sizeof(struct kasan_free_meta), KASAN_KMALLOC_META);
+ }
+#endif
+
}
bool kasan_slab_free(struct kmem_cache *cache, void *object)
@@ -584,6 +597,8 @@ void kasan_kmalloc(struct kmem_cache *cache, const void *object, size_t size,
alloc_info->state = KASAN_STATE_ALLOC;
alloc_info->alloc_size = size;
set_track(&alloc_info->track, flags);
+ kasan_poison_shadow(alloc_info,
+ sizeof(struct kasan_alloc_meta), KASAN_KMALLOC_META);
}
#endif
}
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index fb87923..1a0d82d 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -12,6 +12,7 @@
#define KASAN_KMALLOC_REDZONE 0xFC /* redzone inside slub object */
#define KASAN_KMALLOC_FREE 0xFB /* object was freed (kmem_cache_free/kfree) */
#define KASAN_GLOBAL_REDZONE 0xFA /* redzone for global variable */
+#define KASAN_KMALLOC_META 0xF9 /* redzone for kmalloc metadata */
/*
* Stack redzone shadow values
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index b3c122d..b6d3753 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -90,6 +90,9 @@ static void print_error_description(struct kasan_access_info *info)
case KASAN_KMALLOC_FREE:
bug_type = "use-after-free";
break;
+ case KASAN_KMALLOC_META:
+ bug_type = "touching kmalloc metadata";
+ break;
}
pr_err("BUG: KASAN: %s in %pS at addr %p\n",
--
2.8.0.rc3.226.g39d4020
WARNING: multiple messages have this Message-ID (diff)
From: Alexander Potapenko <glider@google.com>
To: adech.fo@gmail.com, cl@linux.com, dvyukov@google.com,
akpm@linux-foundation.org, rostedt@goodmis.org,
iamjoonsoo.kim@lge.com, js1304@gmail.com, kcc@google.com,
aryabinin@virtuozzo.com
Cc: kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: [PATCH] mm, kasan: introduce a special shadow value for allocator metadata
Date: Tue, 31 May 2016 12:44:26 +0200 [thread overview]
Message-ID: <1464691466-59010-1-git-send-email-glider@google.com> (raw)
Add a special shadow value to distinguish accesses to KASAN-specific
allocator metadata.
Unlike AddressSanitizer in the userspace, KASAN lets the kernel proceed
after a memory error. However a write to the kmalloc metadata may cause
memory corruptions that will make the tool itself unreliable and induce
crashes later on. Warning about such corruptions will ease the
debugging.
Signed-off-by: Alexander Potapenko <glider@google.com>
---
mm/kasan/kasan.c | 15 +++++++++++++++
mm/kasan/kasan.h | 1 +
mm/kasan/report.c | 3 +++
3 files changed, 19 insertions(+)
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 18b6a2b..c590366 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -518,6 +518,19 @@ void kasan_poison_slab_free(struct kmem_cache *cache, void *object)
return;
kasan_poison_shadow(object, rounded_up_size, KASAN_KMALLOC_FREE);
+#ifdef CONFIG_SLAB
+ if (cache->flags & SLAB_KASAN) {
+ struct kasan_alloc_meta *alloc_info =
+ get_alloc_info(cache, object);
+ struct kasan_free_meta *free_info =
+ get_free_info(cache, object);
+ kasan_poison_shadow(alloc_info,
+ sizeof(struct kasan_alloc_meta), KASAN_KMALLOC_META);
+ kasan_poison_shadow(free_info,
+ sizeof(struct kasan_free_meta), KASAN_KMALLOC_META);
+ }
+#endif
+
}
bool kasan_slab_free(struct kmem_cache *cache, void *object)
@@ -584,6 +597,8 @@ void kasan_kmalloc(struct kmem_cache *cache, const void *object, size_t size,
alloc_info->state = KASAN_STATE_ALLOC;
alloc_info->alloc_size = size;
set_track(&alloc_info->track, flags);
+ kasan_poison_shadow(alloc_info,
+ sizeof(struct kasan_alloc_meta), KASAN_KMALLOC_META);
}
#endif
}
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index fb87923..1a0d82d 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -12,6 +12,7 @@
#define KASAN_KMALLOC_REDZONE 0xFC /* redzone inside slub object */
#define KASAN_KMALLOC_FREE 0xFB /* object was freed (kmem_cache_free/kfree) */
#define KASAN_GLOBAL_REDZONE 0xFA /* redzone for global variable */
+#define KASAN_KMALLOC_META 0xF9 /* redzone for kmalloc metadata */
/*
* Stack redzone shadow values
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index b3c122d..b6d3753 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -90,6 +90,9 @@ static void print_error_description(struct kasan_access_info *info)
case KASAN_KMALLOC_FREE:
bug_type = "use-after-free";
break;
+ case KASAN_KMALLOC_META:
+ bug_type = "touching kmalloc metadata";
+ break;
}
pr_err("BUG: KASAN: %s in %pS at addr %p\n",
--
2.8.0.rc3.226.g39d4020
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next reply other threads:[~2016-05-31 10:44 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-31 10:44 Alexander Potapenko [this message]
2016-05-31 10:44 ` [PATCH] mm, kasan: introduce a special shadow value for allocator metadata Alexander Potapenko
2016-05-31 11:52 ` Andrey Ryabinin
2016-05-31 11:52 ` Andrey Ryabinin
2016-05-31 17:49 ` Alexander Potapenko
2016-05-31 17:49 ` Alexander Potapenko
2016-06-01 15:23 ` Andrey Ryabinin
2016-06-01 15:23 ` Andrey Ryabinin
2016-06-01 16:31 ` Alexander Potapenko
2016-06-01 16:31 ` Alexander Potapenko
2016-06-02 12:02 ` Alexander Potapenko
2016-06-02 12:02 ` Alexander Potapenko
2016-06-02 12:17 ` Andrey Ryabinin
2016-06-02 12:17 ` Andrey Ryabinin
2016-06-02 12:18 ` Alexander Potapenko
2016-06-02 12:18 ` Alexander Potapenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1464691466-59010-1-git-send-email-glider@google.com \
--to=glider@google.com \
--cc=adech.fo@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=aryabinin@virtuozzo.com \
--cc=cl@linux.com \
--cc=dvyukov@google.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=js1304@gmail.com \
--cc=kasan-dev@googlegroups.com \
--cc=kcc@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=rostedt@goodmis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.