From: Shaobo Huang <huangshaobo6@huawei.com>
To: <glider@google.com>
Cc: <akpm@linux-foundation.org>, <chenzefeng2@huawei.com>,
<dvyukov@google.com>, <elver@google.com>,
<huangshaobo6@huawei.com>, <kasan-dev@googlegroups.com>,
<linux-kernel@vger.kernel.org>, <linux-mm@kvack.org>,
<nixiaoming@huawei.com>, <wangbing6@huawei.com>,
<wangfangpeng1@huawei.com>, <young.liuyang@huawei.com>,
<zengweilin@huawei.com>, <zhongjubin@huawei.com>
Subject: Re: [PATCH] kfence: check kfence canary in panic and reboot
Date: Thu, 21 Apr 2022 20:10:18 +0800 [thread overview]
Message-ID: <20220421121018.60860-1-huangshaobo6@huawei.com> (raw)
In-Reply-To: <CAG_fn=Xs-OqpVCW5KyQLYKXNmQ4aH-KDjY0BrWpqMfPKcu-dug@mail.gmail.com>
> > From: huangshaobo <huangshaobo6@huawei.com>
> >
> > when writing out of bounds to the red zone, it can only be detected at
> > kfree. However, there were many scenarios before kfree that caused this
> > out-of-bounds write to not be detected. Therefore, it is necessary to
> > provide a method for actively detecting out-of-bounds writing to the red
> > zone, so that users can actively detect, and can be detected in the
> > system reboot or panic.
> >
> >
> After having analyzed a couple of KFENCE memory corruption reports in the
> wild, I have doubts that this approach will be helpful.
>
> Note that KFENCE knows nothing about the memory access that performs the
> actual corruption.
>
> It's rather easy to investigate corruptions of short-living objects, e.g.
> those that are allocated and freed within the same function. In that case,
> one can examine the region of the code between these two events and try to
> understand what exactly caused the corruption.
>
> But for long-living objects checked at panic/reboot we'll effectively have
> only the allocation stack and will have to check all the places where the
> corrupted object was potentially used.
> Most of the time, such reports won't be actionable.
The detection mechanism of kfence is probabilistic. It is not easy to find a bug.
It is a pity to catch a bug without reporting it. and the cost of panic detection
is not large, so panic detection is still valuable.
> > for example, if the application memory is out of bounds and written to
> > the red zone in the kfence object, the system suddenly panics, and the
> > following log can be seen during system reset:
> > BUG: KFENCE: memory corruption in atomic_notifier_call_chain+0x49/0x70
[...]
thanks,
ShaoBo Huang
next prev parent reply other threads:[~2022-04-21 12:10 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 10:49 [PATCH] kfence: check kfence canary in panic and reboot Shaobo Huang
2022-04-20 11:11 ` Marco Elver
2022-04-21 8:37 ` Shaobo Huang
2022-04-21 8:50 ` Marco Elver
2022-04-21 9:12 ` Shaobo Huang
2022-04-21 10:03 ` Alexander Potapenko
2022-04-21 12:10 ` Shaobo Huang [this message]
2022-04-21 13:06 ` Alexander Potapenko
2022-04-21 13:28 ` Marco Elver
2022-04-21 13:46 ` Shaobo Huang
2022-04-24 8:10 ` Shaobo Huang
2022-04-24 9:51 ` Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220421121018.60860-1-huangshaobo6@huawei.com \
--to=huangshaobo6@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=chenzefeng2@huawei.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=nixiaoming@huawei.com \
--cc=wangbing6@huawei.com \
--cc=wangfangpeng1@huawei.com \
--cc=young.liuyang@huawei.com \
--cc=zengweilin@huawei.com \
--cc=zhongjubin@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.