From: Walter Wu <walter-zh.wu@mediatek.com>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Arnd Bergmann <arnd@arndb.de>
Cc: <kasan-dev@googlegroups.com>, <linux-mm@kvack.org>,
<linux-kernel@vger.kernel.org>,
<linux-arm-kernel@lists.infradead.org>,
<linux-mediatek@lists.infradead.org>, <wsd_upstream@mediatek.com>,
Walter Wu <walter-zh.wu@mediatek.com>
Subject: [PATCH 1/2] mm/kasan: dump alloc/free stack for page allocator
Date: Wed, 4 Sep 2019 14:51:33 +0800 [thread overview]
Message-ID: <20190904065133.20268-1-walter-zh.wu@mediatek.com> (raw)
This patch is KASAN report adds the alloc/free stacks for page allocator
in order to help programmer to see memory corruption caused by page.
By default, KASAN doesn't record alloc/free stack for page allocator.
It is difficult to fix up page use-after-free issue.
This feature depends on page owner to record the last stack of pages.
It is very helpful for solving the page use-after-free or out-of-bound.
KASAN report will show the last stack of page, it may be:
a) If page is in-use state, then it prints alloc stack.
It is useful to fix up page out-of-bound issue.
BUG: KASAN: slab-out-of-bounds in kmalloc_pagealloc_oob_right+0x88/0x90
Write of size 1 at addr ffffffc0d64ea00a by task cat/115
...
Allocation stack of page:
prep_new_page+0x1a0/0x1d8
get_page_from_freelist+0xd78/0x2748
__alloc_pages_nodemask+0x1d4/0x1978
kmalloc_order+0x28/0x58
kmalloc_order_trace+0x28/0xe0
kmalloc_pagealloc_oob_right+0x2c/0x90
b) If page is freed state, then it prints free stack.
It is useful to fix up page use-after-free issue.
BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0x70/0x80
Write of size 1 at addr ffffffc0d651c000 by task cat/115
...
Free stack of page:
kasan_free_pages+0x68/0x70
__free_pages_ok+0x3c0/0x1328
__free_pages+0x50/0x78
kfree+0x1c4/0x250
kmalloc_pagealloc_uaf+0x38/0x80
This has been discussed, please refer below link.
https://bugzilla.kernel.org/show_bug.cgi?id=203967
Signed-off-by: Walter Wu <walter-zh.wu@mediatek.com>
---
lib/Kconfig.kasan | 9 +++++++++
mm/kasan/common.c | 6 ++++++
2 files changed, 15 insertions(+)
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
index 4fafba1a923b..ba17f706b5f8 100644
--- a/lib/Kconfig.kasan
+++ b/lib/Kconfig.kasan
@@ -135,6 +135,15 @@ config KASAN_S390_4_LEVEL_PAGING
to 3TB of RAM with KASan enabled). This options allows to force
4-level paging instead.
+config KASAN_DUMP_PAGE
+ bool "Dump the page last stack information"
+ depends on KASAN && PAGE_OWNER
+ help
+ By default, KASAN doesn't record alloc/free stack for page allocator.
+ It is difficult to fix up page use-after-free issue.
+ This feature depends on page owner to record the last stack of page.
+ It is very helpful for solving the page use-after-free or out-of-bound.
+
config TEST_KASAN
tristate "Module for testing KASAN for bug detection"
depends on m && KASAN
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index 2277b82902d8..2a32474efa74 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -35,6 +35,7 @@
#include <linux/vmalloc.h>
#include <linux/bug.h>
#include <linux/uaccess.h>
+#include <linux/page_owner.h>
#include "kasan.h"
#include "../slab.h"
@@ -227,6 +228,11 @@ void kasan_alloc_pages(struct page *page, unsigned int order)
void kasan_free_pages(struct page *page, unsigned int order)
{
+#ifdef CONFIG_KASAN_DUMP_PAGE
+ gfp_t gfp_flags = GFP_KERNEL;
+
+ set_page_owner(page, order, gfp_flags);
+#endif
if (likely(!PageHighMem(page)))
kasan_poison_shadow(page_address(page),
PAGE_SIZE << order,
--
2.18.0
WARNING: multiple messages have this Message-ID (diff)
From: Walter Wu <walter-zh.wu@mediatek.com>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Arnd Bergmann <arnd@arndb.de>
Cc: kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org, wsd_upstream@mediatek.com,
Walter Wu <walter-zh.wu@mediatek.com>
Subject: [PATCH 1/2] mm/kasan: dump alloc/free stack for page allocator
Date: Wed, 4 Sep 2019 14:51:33 +0800 [thread overview]
Message-ID: <20190904065133.20268-1-walter-zh.wu@mediatek.com> (raw)
This patch is KASAN report adds the alloc/free stacks for page allocator
in order to help programmer to see memory corruption caused by page.
By default, KASAN doesn't record alloc/free stack for page allocator.
It is difficult to fix up page use-after-free issue.
This feature depends on page owner to record the last stack of pages.
It is very helpful for solving the page use-after-free or out-of-bound.
KASAN report will show the last stack of page, it may be:
a) If page is in-use state, then it prints alloc stack.
It is useful to fix up page out-of-bound issue.
BUG: KASAN: slab-out-of-bounds in kmalloc_pagealloc_oob_right+0x88/0x90
Write of size 1 at addr ffffffc0d64ea00a by task cat/115
...
Allocation stack of page:
prep_new_page+0x1a0/0x1d8
get_page_from_freelist+0xd78/0x2748
__alloc_pages_nodemask+0x1d4/0x1978
kmalloc_order+0x28/0x58
kmalloc_order_trace+0x28/0xe0
kmalloc_pagealloc_oob_right+0x2c/0x90
b) If page is freed state, then it prints free stack.
It is useful to fix up page use-after-free issue.
BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0x70/0x80
Write of size 1 at addr ffffffc0d651c000 by task cat/115
...
Free stack of page:
kasan_free_pages+0x68/0x70
__free_pages_ok+0x3c0/0x1328
__free_pages+0x50/0x78
kfree+0x1c4/0x250
kmalloc_pagealloc_uaf+0x38/0x80
This has been discussed, please refer below link.
https://bugzilla.kernel.org/show_bug.cgi?id=203967
Signed-off-by: Walter Wu <walter-zh.wu@mediatek.com>
---
lib/Kconfig.kasan | 9 +++++++++
mm/kasan/common.c | 6 ++++++
2 files changed, 15 insertions(+)
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
index 4fafba1a923b..ba17f706b5f8 100644
--- a/lib/Kconfig.kasan
+++ b/lib/Kconfig.kasan
@@ -135,6 +135,15 @@ config KASAN_S390_4_LEVEL_PAGING
to 3TB of RAM with KASan enabled). This options allows to force
4-level paging instead.
+config KASAN_DUMP_PAGE
+ bool "Dump the page last stack information"
+ depends on KASAN && PAGE_OWNER
+ help
+ By default, KASAN doesn't record alloc/free stack for page allocator.
+ It is difficult to fix up page use-after-free issue.
+ This feature depends on page owner to record the last stack of page.
+ It is very helpful for solving the page use-after-free or out-of-bound.
+
config TEST_KASAN
tristate "Module for testing KASAN for bug detection"
depends on m && KASAN
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index 2277b82902d8..2a32474efa74 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -35,6 +35,7 @@
#include <linux/vmalloc.h>
#include <linux/bug.h>
#include <linux/uaccess.h>
+#include <linux/page_owner.h>
#include "kasan.h"
#include "../slab.h"
@@ -227,6 +228,11 @@ void kasan_alloc_pages(struct page *page, unsigned int order)
void kasan_free_pages(struct page *page, unsigned int order)
{
+#ifdef CONFIG_KASAN_DUMP_PAGE
+ gfp_t gfp_flags = GFP_KERNEL;
+
+ set_page_owner(page, order, gfp_flags);
+#endif
if (likely(!PageHighMem(page)))
kasan_poison_shadow(page_address(page),
PAGE_SIZE << order,
--
2.18.0
WARNING: multiple messages have this Message-ID (diff)
From: Walter Wu <walter-zh.wu@mediatek.com>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
Arnd Bergmann <arnd@arndb.de>
Cc: Walter Wu <walter-zh.wu@mediatek.com>,
wsd_upstream@mediatek.com, linux-kernel@vger.kernel.org,
kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-mediatek@lists.infradead.org,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH 1/2] mm/kasan: dump alloc/free stack for page allocator
Date: Wed, 4 Sep 2019 14:51:33 +0800 [thread overview]
Message-ID: <20190904065133.20268-1-walter-zh.wu@mediatek.com> (raw)
This patch is KASAN report adds the alloc/free stacks for page allocator
in order to help programmer to see memory corruption caused by page.
By default, KASAN doesn't record alloc/free stack for page allocator.
It is difficult to fix up page use-after-free issue.
This feature depends on page owner to record the last stack of pages.
It is very helpful for solving the page use-after-free or out-of-bound.
KASAN report will show the last stack of page, it may be:
a) If page is in-use state, then it prints alloc stack.
It is useful to fix up page out-of-bound issue.
BUG: KASAN: slab-out-of-bounds in kmalloc_pagealloc_oob_right+0x88/0x90
Write of size 1 at addr ffffffc0d64ea00a by task cat/115
...
Allocation stack of page:
prep_new_page+0x1a0/0x1d8
get_page_from_freelist+0xd78/0x2748
__alloc_pages_nodemask+0x1d4/0x1978
kmalloc_order+0x28/0x58
kmalloc_order_trace+0x28/0xe0
kmalloc_pagealloc_oob_right+0x2c/0x90
b) If page is freed state, then it prints free stack.
It is useful to fix up page use-after-free issue.
BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0x70/0x80
Write of size 1 at addr ffffffc0d651c000 by task cat/115
...
Free stack of page:
kasan_free_pages+0x68/0x70
__free_pages_ok+0x3c0/0x1328
__free_pages+0x50/0x78
kfree+0x1c4/0x250
kmalloc_pagealloc_uaf+0x38/0x80
This has been discussed, please refer below link.
https://bugzilla.kernel.org/show_bug.cgi?id=203967
Signed-off-by: Walter Wu <walter-zh.wu@mediatek.com>
---
lib/Kconfig.kasan | 9 +++++++++
mm/kasan/common.c | 6 ++++++
2 files changed, 15 insertions(+)
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
index 4fafba1a923b..ba17f706b5f8 100644
--- a/lib/Kconfig.kasan
+++ b/lib/Kconfig.kasan
@@ -135,6 +135,15 @@ config KASAN_S390_4_LEVEL_PAGING
to 3TB of RAM with KASan enabled). This options allows to force
4-level paging instead.
+config KASAN_DUMP_PAGE
+ bool "Dump the page last stack information"
+ depends on KASAN && PAGE_OWNER
+ help
+ By default, KASAN doesn't record alloc/free stack for page allocator.
+ It is difficult to fix up page use-after-free issue.
+ This feature depends on page owner to record the last stack of page.
+ It is very helpful for solving the page use-after-free or out-of-bound.
+
config TEST_KASAN
tristate "Module for testing KASAN for bug detection"
depends on m && KASAN
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index 2277b82902d8..2a32474efa74 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -35,6 +35,7 @@
#include <linux/vmalloc.h>
#include <linux/bug.h>
#include <linux/uaccess.h>
+#include <linux/page_owner.h>
#include "kasan.h"
#include "../slab.h"
@@ -227,6 +228,11 @@ void kasan_alloc_pages(struct page *page, unsigned int order)
void kasan_free_pages(struct page *page, unsigned int order)
{
+#ifdef CONFIG_KASAN_DUMP_PAGE
+ gfp_t gfp_flags = GFP_KERNEL;
+
+ set_page_owner(page, order, gfp_flags);
+#endif
if (likely(!PageHighMem(page)))
kasan_poison_shadow(page_address(page),
PAGE_SIZE << order,
--
2.18.0
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next reply other threads:[~2019-09-04 6:51 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-04 6:51 Walter Wu [this message]
2019-09-04 6:51 ` [PATCH 1/2] mm/kasan: dump alloc/free stack for page allocator Walter Wu
2019-09-04 6:51 ` Walter Wu
2019-09-04 12:49 ` Vlastimil Babka
2019-09-04 12:49 ` Vlastimil Babka
2019-09-04 14:06 ` Walter Wu
2019-09-04 14:06 ` Walter Wu
2019-09-04 14:06 ` Walter Wu
2019-09-04 14:13 ` Vlastimil Babka
2019-09-04 14:13 ` Vlastimil Babka
2019-09-04 14:24 ` Walter Wu
2019-09-04 14:24 ` Walter Wu
2019-09-04 14:24 ` Walter Wu
2019-09-05 8:03 ` Vlastimil Babka
2019-09-05 8:03 ` Vlastimil Babka
2019-09-06 3:15 ` Walter Wu
2019-09-06 3:15 ` Walter Wu
2019-09-06 3:15 ` Walter Wu
2019-09-04 13:44 ` Andrey Konovalov
2019-09-04 13:44 ` Andrey Konovalov
2019-09-04 13:44 ` Andrey Konovalov
2019-09-04 14:16 ` Walter Wu
2019-09-04 14:16 ` Walter Wu
2019-09-04 14:16 ` Walter Wu
2019-09-04 14:37 ` Qian Cai
2019-09-04 14:37 ` Qian Cai
2019-09-04 14:37 ` Qian Cai
2019-09-05 1:54 ` Walter Wu
2019-09-05 1:54 ` Walter Wu
2019-09-05 1:54 ` Walter Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190904065133.20268-1-walter-zh.wu@mediatek.com \
--to=walter-zh.wu@mediatek.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=matthias.bgg@gmail.com \
--cc=schwidefsky@de.ibm.com \
--cc=wsd_upstream@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.