* [PATCH v4 0/9] kasan: improve error reports
@ 2017-03-24 19:32   ` Andrey Konovalov
  0 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

This patchset improves KASAN reports by making them easier to read
and a little more detailed.
Also improves mm/kasan/report.c readability.

Effectively changes a use-after-free report to:

==================================================================
BUG: KASAN: use-after-free in kmalloc_uaf+0xaa/0xb6 [test_kasan]
Write of size 1 at addr ffff88006aa59da8 by task insmod/3951

CPU: 1 PID: 3951 Comm: insmod Tainted: G    B           4.10.0+ #84
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 dump_stack+0x292/0x398
 print_address_description+0x73/0x280
 kasan_report.part.2+0x207/0x2f0
 __asan_report_store1_noabort+0x2c/0x30
 kmalloc_uaf+0xaa/0xb6 [test_kasan]
 kmalloc_tests_init+0x4f/0xa48 [test_kasan]
 do_one_initcall+0xf3/0x390
 do_init_module+0x215/0x5d0
 load_module+0x54de/0x82b0
 SYSC_init_module+0x3be/0x430
 SyS_init_module+0x9/0x10
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x7f22cfd0b9da
RSP: 002b:00007ffe69118a78 EFLAGS: 00000206 ORIG_RAX: 00000000000000af
RAX: ffffffffffffffda RBX: 0000555671242090 RCX: 00007f22cfd0b9da
RDX: 00007f22cffcaf88 RSI: 000000000004df7e RDI: 00007f22d0399000
RBP: 00007f22cffcaf88 R08: 0000000000000003 R09: 0000000000000000
R10: 00007f22cfd07d0a R11: 0000000000000206 R12: 0000555671243190
R13: 000000000001fe81 R14: 0000000000000000 R15: 0000000000000004

Allocated by task 3951:
 save_stack_trace+0x16/0x20
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kmem_cache_alloc_trace+0x82/0x270
 kmalloc_uaf+0x56/0xb6 [test_kasan]
 kmalloc_tests_init+0x4f/0xa48 [test_kasan]
 do_one_initcall+0xf3/0x390
 do_init_module+0x215/0x5d0
 load_module+0x54de/0x82b0
 SYSC_init_module+0x3be/0x430
 SyS_init_module+0x9/0x10
 entry_SYSCALL_64_fastpath+0x1f/0xc2

Freed by task 3951:
 save_stack_trace+0x16/0x20
 save_stack+0x43/0xd0
 kasan_slab_free+0x72/0xc0
 kfree+0xe8/0x2b0
 kmalloc_uaf+0x85/0xb6 [test_kasan]
 kmalloc_tests_init+0x4f/0xa48 [test_kasan]
 do_one_initcall+0xf3/0x390
 do_init_module+0x215/0x5d0
 load_module+0x54de/0x82b0
 SYSC_init_module+0x3be/0x430
 SyS_init_module+0x9/0x10
 entry_SYSCALL_64_fastpath+0x1f/0xc

Object at ffff88006bfb0da0 belongs to cache kmalloc-16 of size 16
 accessed at offset 8
The buggy address belongs to the page:
page:ffffea0001aa9640 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x100000000000100(slab)
raw: 0100000000000100 0000000000000000 0000000000000000 0000000180800080
raw: ffffea0001abe380 0000000700000007 ffff88006c401b40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88006aa59c80: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
 ffff88006aa59d00: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
>ffff88006aa59d80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
                                  ^
 ffff88006aa59e00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
 ffff88006aa59e80: fb fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
==================================================================

from:

==================================================================
BUG: KASAN: use-after-free in kmalloc_uaf+0xaa/0xb6 [test_kasan] at addr ffff88006c4dcb28
Write of size 1 by task insmod/3984
CPU: 1 PID: 3984 Comm: insmod Tainted: G    B           4.10.0+ #83
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 dump_stack+0x292/0x398
 kasan_object_err+0x1c/0x70
 kasan_report.part.1+0x20e/0x4e0
 __asan_report_store1_noabort+0x2c/0x30
 kmalloc_uaf+0xaa/0xb6 [test_kasan]
 kmalloc_tests_init+0x4f/0xa48 [test_kasan]
 do_one_initcall+0xf3/0x390
 do_init_module+0x215/0x5d0
 load_module+0x54de/0x82b0
 SYSC_init_module+0x3be/0x430
 SyS_init_module+0x9/0x10
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x7feca0f779da
RSP: 002b:00007ffdfeae5218 EFLAGS: 00000206 ORIG_RAX: 00000000000000af
RAX: ffffffffffffffda RBX: 000055a064c13090 RCX: 00007feca0f779da
RDX: 00007feca1236f88 RSI: 000000000004df7e RDI: 00007feca1605000
RBP: 00007feca1236f88 R08: 0000000000000003 R09: 0000000000000000
R10: 00007feca0f73d0a R11: 0000000000000206 R12: 000055a064c14190
R13: 000000000001fe81 R14: 0000000000000000 R15: 0000000000000004
Object at ffff88006c4dcb20, in cache kmalloc-16 size: 16
Allocated:
PID = 3984
 save_stack_trace+0x16/0x20
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kmem_cache_alloc_trace+0x82/0x270
 kmalloc_uaf+0x56/0xb6 [test_kasan]
 kmalloc_tests_init+0x4f/0xa48 [test_kasan]
 do_one_initcall+0xf3/0x390
 do_init_module+0x215/0x5d0
 load_module+0x54de/0x82b0
 SYSC_init_module+0x3be/0x430
 SyS_init_module+0x9/0x10
 entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 3984
 save_stack_trace+0x16/0x20
 save_stack+0x43/0xd0
 kasan_slab_free+0x73/0xc0
 kfree+0xe8/0x2b0
 kmalloc_uaf+0x85/0xb6 [test_kasan]
 kmalloc_tests_init+0x4f/0xa48 [test_kasan]
 do_one_initcall+0xf3/0x390
 do_init_module+0x215/0x5d0
 load_module+0x54de/0x82b0
 SYSC_init_module+0x3be/0x430
 SyS_init_module+0x9/0x10
 entry_SYSCALL_64_fastpath+0x1f/0xc2
Memory state around the buggy address:
 ffff88006c4dca00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
 ffff88006c4dca80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
>ffff88006c4dcb00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
                                  ^
 ffff88006c4dcb80: fb fb fc fc 00 00 fc fc fb fb fc fc fb fb fc fc
 ffff88006c4dcc00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
==================================================================

Changes in v4:
- reduced amount of info printed in slab object description

Changes in v3:
- make slab objects description shorter
- pass caller addr from SLUB/SLAB instead of using __builtin_return_address
- make get_wild_bug_type() static
- combine consequent lines into one when possible

Changes in v2:
- split patch in multiple smaller ones
- improve double-free reports

Andrey Konovalov (9):
  kasan: introduce helper functions for determining bug type
  kasan: unify report headers
  kasan: change allocation and freeing stack traces headers
  kasan: simplify address description logic
  kasan: change report header
  kasan: improve slab object description
  kasan: print page description after stacks
  kasan: improve double-free report format
  kasan: separate report parts by empty lines

 include/linux/kasan.h |   2 +-
 mm/kasan/kasan.c      |   5 +-
 mm/kasan/kasan.h      |   2 +-
 mm/kasan/report.c     | 172 +++++++++++++++++++++++++++++++-------------------
 mm/slab.c             |   2 +-
 mm/slub.c             |  12 ++--
 6 files changed, 121 insertions(+), 74 deletions(-)

-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH v4 1/9] kasan: introduce helper functions for determining bug type
  2017-03-24 19:32   ` Andrey Konovalov
@ 2017-03-24 19:32     ` Andrey Konovalov
  -1 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

Introduce get_shadow_bug_type() function, which determines bug type
based on the shadow value for a particular kernel address.
Introduce get_wild_bug_type() function, which determines bug type
for addresses which don't have a corresponding shadow value.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 40 ++++++++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 10 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index f479365530b6..e3af37b7a74c 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -49,7 +49,13 @@ static const void *find_first_bad_addr(const void *addr, size_t size)
 	return first_bad_addr;
 }
 
-static void print_error_description(struct kasan_access_info *info)
+static bool addr_has_shadow(struct kasan_access_info *info)
+{
+	return (info->access_addr >=
+		kasan_shadow_to_mem((void *)KASAN_SHADOW_START));
+}
+
+static const char *get_shadow_bug_type(struct kasan_access_info *info)
 {
 	const char *bug_type = "unknown-crash";
 	u8 *shadow_addr;
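Review bot: addr_has_shadow() checks only a lower bound, `info->access_addr >= kasan_shadow_to_mem((void *)KASAN_SHADOW_START)`, so the name promises more than the test delivers; a one-line comment that everything from that address up to the top of the address space is assumed to have shadow would save the next reader from looking for the missing upper bound. Minor: the helper takes the whole `struct kasan_access_info *` but only reads access_addr; a `const void *addr` parameter would let it answer the same question for any address.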
@@ -96,6 +102,27 @@ static void print_error_description(struct kasan_access_info *info)
 		break;
 	}
 
+	return bug_type;
+}
+
+static const char *get_wild_bug_type(struct kasan_access_info *info)
+{
+	const char *bug_type;
+
+	if ((unsigned long)info->access_addr < PAGE_SIZE)
+		bug_type = "null-ptr-deref";
+	else if ((unsigned long)info->access_addr < TASK_SIZE)
+		bug_type = "user-memory-access";
+	else
+		bug_type = "wild-memory-access";
+
+	return bug_type;
+}
+
+static void print_error_description(struct kasan_access_info *info)
+{
+	const char *bug_type = get_shadow_bug_type(info);
+
 	pr_err("BUG: KASAN: %s in %pS at addr %p\n",
 		bug_type, (void *)info->ip,
 		info->access_addr);
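Review bot: print_error_description() now calls get_shadow_bug_type() with no addr_has_shadow() guard, so it is only safe for callers that have already taken the shadowed branch; the wild/shadow dispatch sits in the caller rather than beside the two helpers. A get_bug_type() that does the addr_has_shadow() test itself would let print_error_description() serve both paths. Separately, the `< PAGE_SIZE` threshold in get_wild_bug_type() means a NULL struct pointer dereferenced at a field offset beyond PAGE_SIZE is reported as "user-memory-access", not "null-ptr-deref"; worth a comment, because that is the report people puzzle over.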
@@ -265,18 +292,11 @@ static void print_shadow_for_address(const void *addr)
 static void kasan_report_error(struct kasan_access_info *info)
 {
 	unsigned long flags;
-	const char *bug_type;
 
 	kasan_start_report(&flags);
 
-	if (info->access_addr <
-			kasan_shadow_to_mem((void *)KASAN_SHADOW_START)) {
-		if ((unsigned long)info->access_addr < PAGE_SIZE)
-			bug_type = "null-ptr-deref";
-		else if ((unsigned long)info->access_addr < TASK_SIZE)
-			bug_type = "user-memory-access";
-		else
-			bug_type = "wild-memory-access";
+	if (!addr_has_shadow(info)) {
+		const char *bug_type = get_wild_bug_type(info);
 		pr_err("BUG: KASAN: %s on address %p\n",
 			bug_type, info->access_addr);
 		pr_err("%s of size %zu by task %s/%d\n",
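Review bot: missing blank line after the declaration `const char *bug_type = get_wild_bug_type(info);` before the `pr_err(...)` call (checkpatch warns on this). Also, after this hunk the no-shadow path still prints "BUG: KASAN: %s on address %p" while print_error_description() prints "BUG: KASAN: %s in %pS at addr %p", so the two headers stay different; fine if the unification is deliberately left to a later patch, but then the commit message should say that.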
-- 
2.12.1.578.ge9c3154ca4-goog
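The classification that this patch factors out (addr_has_shadow(), get_wild_bug_type(), and the shadow-byte switch behind get_shadow_bug_type()) can be run outside the kernel against the "Memory state around the buggy address" rows from the cover letter. The block below is an added user-space model written for this page, not code from the series or from mm/kasan. Assumed, not taken from the patch: the x86_64 values of KASAN_SHADOW_OFFSET, KASAN_SHADOW_START and TASK_SIZE and the shadow byte encodings (0xFB freed slab object, 0xFC slab redzone, 0xF1..0xF4 stack redzones, and so on) are from 4.10-era kernel headers; the first sample row (ffff88006aa59c00, with a 04 partial granule) is constructed and the other two are transcribed from the rows around the caret in the cover letter's new-format report; and the find_first_bad_addr()/get_shadow_bug_type() logic is reproduced from that era's mm/kasan/report.c rather than from the hunks visible on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* x86_64 KASAN layout of the 4.10 era: assumed values, not from the patch. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_SCALE_SIZE (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_OFFSET 0xdffffc0000000000ULL
#define KASAN_SHADOW_START 0xffffec0000000000ULL
#define PAGE_SIZE 4096ULL
#define TASK_SIZE 0x00007ffffffff000ULL

/* Shadow byte encodings of mm/kasan/kasan.h in that era (also assumed). */
static const struct { uint8_t lo, hi; const char *type; } shadow_types[] = {
	{ 0x00, 0x07, "out-of-bounds" },	/* partially addressable granule */
	{ 0xF1, 0xF4, "stack-out-of-bounds" },	/* KASAN_STACK_LEFT..PARTIAL */
	{ 0xF8, 0xF8, "use-after-scope" },	/* KASAN_USE_AFTER_SCOPE */
	{ 0xFA, 0xFA, "global-out-of-bounds" },	/* KASAN_GLOBAL_REDZONE */
	{ 0xFB, 0xFB, "use-after-free" },	/* KASAN_KMALLOC_FREE */
	{ 0xFC, 0xFC, "slab-out-of-bounds" },	/* KASAN_KMALLOC_REDZONE */
	{ 0xFE, 0xFE, "slab-out-of-bounds" },	/* KASAN_PAGE_REDZONE */
	{ 0xFF, 0xFF, "use-after-free" },	/* KASAN_FREE_PAGE */
};

/* One "Memory state" row of a report: 16 shadow bytes for 128 bytes of memory. */
struct shadow_row { uint64_t mem_addr; uint8_t shadow[16]; };

/* Constructed sample: row 1 is made up (a 04 partial granule beside redzone);
 * rows 2 and 3 are transcribed from the lines around the '^' in the cover letter. */
static const struct shadow_row sample_rows[] = {
	{ 0xffff88006aa59c00ULL, { 0x04, 0xfc, 0xfc, 0xfc, 0x00, 0x00, 0xfc, 0xfc,
				   0x00, 0x00, 0xfc, 0xfc, 0x00, 0x00, 0xfc, 0xfc } },
	{ 0xffff88006aa59d00ULL, { 0x00, 0x00, 0xfc, 0xfc, 0x00, 0x00, 0xfc, 0xfc,
				   0x00, 0x00, 0xfc, 0xfc, 0x00, 0x00, 0xfc, 0xfc } },
	{ 0xffff88006aa59d80ULL, { 0xfb, 0xfb, 0xfc, 0xfc, 0xfb, 0xfb, 0xfc, 0xfc,
				   0xfb, 0xfb, 0xfc, 0xfc, 0xfb, 0xfb, 0xfc, 0xfc } },
};
#define NSAMPLE (sizeof(sample_rows) / sizeof(sample_rows[0]))

/* Same lower-bound-only test as addr_has_shadow() in this patch; the shift is kasan_shadow_to_mem(). */
static bool addr_has_shadow(uint64_t addr)
{
	return addr >= ((KASAN_SHADOW_START - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT);
}

/* Same thresholds as get_wild_bug_type() in this patch. */
static const char *get_wild_bug_type(uint64_t addr)
{
	if (addr < PAGE_SIZE)
		return "null-ptr-deref";
	return addr < TASK_SIZE ? "user-memory-access" : "wild-memory-access";
}

/* Stand-in for *(u8 *)kasan_mem_to_shadow(addr), backed by the sample rows. */
static bool lookup_shadow(const struct shadow_row *rows, size_t n, uint64_t addr, uint8_t *out)
{
	for (size_t i = 0; i < n; i++)
		if (addr - rows[i].mem_addr < 16 * KASAN_SHADOW_SCALE_SIZE) {
			*out = rows[i].shadow[(addr - rows[i].mem_addr) / KASAN_SHADOW_SCALE_SIZE];
			return true;
		}
	return false;
}

/* Mirrors find_first_bad_addr(): skip the leading fully addressable granules. */
static uint64_t find_first_bad_addr(const struct shadow_row *rows, size_t n, uint64_t addr, size_t size)
{
	uint64_t first = addr;
	uint8_t s;
	while (lookup_shadow(rows, n, first, &s) && s == 0 && first < addr + size)
		first += KASAN_SHADOW_SCALE_SIZE;
	return first;
}

/* Shadow byte -> bug type, the mapping get_shadow_bug_type() applies. */
static const char *get_shadow_bug_type(const struct shadow_row *rows, size_t n, uint64_t first_bad)
{
	uint8_t s;
	if (!lookup_shadow(rows, n, first_bad, &s))
		return "unknown-crash";
	/* 1..7: only the first s bytes of this granule are addressable, so the access
	 * overran into the next granule and that granule's byte says what was hit. */
	if (s > 0 && s < KASAN_SHADOW_SCALE_SIZE &&
	    !lookup_shadow(rows, n, first_bad + KASAN_SHADOW_SCALE_SIZE, &s))
		return "unknown-crash";
	for (size_t i = 0; i < sizeof(shadow_types) / sizeof(shadow_types[0]); i++)
		if (s >= shadow_types[i].lo && s <= shadow_types[i].hi)
			return shadow_types[i].type;
	return "unknown-crash";
}

/* The dispatch kasan_report_error() does; like the kernel it assumes the access was already flagged bad. */
static const char *get_bug_type(const struct shadow_row *rows, size_t n, uint64_t addr, size_t size)
{
	if (!addr_has_shadow(addr))
		return get_wild_bug_type(addr);
	return get_shadow_bug_type(rows, n, find_first_bad_addr(rows, n, addr, size));
}
```

get_bug_type(sample_rows, NSAMPLE, 0xffff88006aa59da8, 1) returns "use-after-free", the type the cover letter's report prints for that write: the access lands in the sixth granule of the ffff88006aa59d80 row, whose shadow byte is fb. A 16-byte access starting at ffff88006aa59d08 shows why the kernel classifies by the first bad granule rather than by the access address: that granule is fully addressable (00), so find_first_bad_addr() advances to ffff88006aa59d10, whose fc yields slab-out-of-bounds. The constructed row exercises the 1..7 case: an 8-byte access at ffff88006aa59c04 sees shadow 04, meaning only four bytes of the granule are live, and the next granule's fc decides the type. Addresses below the shadowed region never touch the rows and go through the same three thresholds as get_wild_bug_type() above.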


* [PATCH v4 2/9] kasan: unify report headers
  2017-03-24 19:32   ` Andrey Konovalov
@ 2017-03-24 19:32     ` Andrey Konovalov
  -1 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

Unify KASAN report header format for different kinds of bad memory
accesses. Makes the code simpler.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index e3af37b7a74c..fc0577d15671 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -119,16 +119,22 @@ static const char *get_wild_bug_type(struct kasan_access_info *info)
 	return bug_type;
 }
 
+static const char *get_bug_type(struct kasan_access_info *info)
+{
+	if (addr_has_shadow(info))
+		return get_shadow_bug_type(info);
+	return get_wild_bug_type(info);
+}
+
 static void print_error_description(struct kasan_access_info *info)
 {
-	const char *bug_type = get_shadow_bug_type(info);
+	const char *bug_type = get_bug_type(info);
 
 	pr_err("BUG: KASAN: %s in %pS at addr %p\n",
-		bug_type, (void *)info->ip,
-		info->access_addr);
+		bug_type, (void *)info->ip, info->access_addr);
 	pr_err("%s of size %zu by task %s/%d\n",
-		info->is_write ? "Write" : "Read",
-		info->access_size, current->comm, task_pid_nr(current));
+		info->is_write ? "Write" : "Read", info->access_size,
+		current->comm, task_pid_nr(current));
 }
 
 static inline bool kernel_or_module_addr(const void *addr)
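Review bot: the reflow of the two pr_err() argument lists (`bug_type, (void *)info->ip, info->access_addr);` and the split after `info->access_size,`) is whitespace-only and unrelated to introducing get_bug_type(); it makes the hunk harder to review and belongs in a separate cleanup or nowhere. get_bug_type() itself is the right fix for print_error_description() depending on its caller to have checked addr_has_shadow().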
@@ -295,17 +301,11 @@ static void kasan_report_error(struct kasan_access_info *info)
 
 	kasan_start_report(&flags);
 
+	print_error_description(info);
+
 	if (!addr_has_shadow(info)) {
-		const char *bug_type = get_wild_bug_type(info);
-		pr_err("BUG: KASAN: %s on address %p\n",
-			bug_type, info->access_addr);
-		pr_err("%s of size %zu by task %s/%d\n",
-			info->is_write ? "Write" : "Read",
-			info->access_size, current->comm,
-			task_pid_nr(current));
 		dump_stack();
 	} else {
-		print_error_description(info);
 		print_address_description(info);
 		print_shadow_for_address(info->first_bad_addr);
 	}
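Review bot: moving print_error_description() above the branch changes the user-visible header for null-ptr-deref, user-memory-access and wild-memory-access reports from "BUG: KASAN: %s on address %p" to "BUG: KASAN: %s in %pS at addr %p", i.e. the faulting ip is now printed for those as well; the commit message only says the code gets simpler. Anything that parses KASAN output by the old wild-access header has to follow, so spell the format change out in the log.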
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH v4 3/9] kasan: change allocation and freeing stack traces headers
  2017-03-24 19:32   ` Andrey Konovalov
@ 2017-03-24 19:32     ` Andrey Konovalov
  -1 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

Change stack traces headers from:

Allocated:
PID = 42

to:

Allocated by task 42:

Makes the report one line shorter and look better.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index fc0577d15671..382d4d2b9052 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -175,9 +175,9 @@ static void kasan_end_report(unsigned long *flags)
 	kasan_enable_current();
 }
 
-static void print_track(struct kasan_track *track)
+static void print_track(struct kasan_track *track, const char *prefix)
 {
-	pr_err("PID = %u\n", track->pid);
+	pr_err("%s by task %u:\n", prefix, track->pid);
 	if (track->stack) {
 		struct stack_trace trace;
 
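Review bot: print_track() prints "%s by task %u:" and then nothing at all when `track->stack` is 0, so the new wording leaves a bare "Allocated by task 42:" with no way to tell a missing stack from an empty one; an explicit line in the else branch (e.g. "(stack is not available)") would make that state visible. Nit: the pid is printed with `%u` here and with `%d` via task_pid_nr() in the report header; consistent formatting is easier on report parsers.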
@@ -199,10 +199,8 @@ static void kasan_object_err(struct kmem_cache *cache, void *object)
 	if (!(cache->flags & SLAB_KASAN))
 		return;
 
-	pr_err("Allocated:\n");
-	print_track(&alloc_info->alloc_track);
-	pr_err("Freed:\n");
-	print_track(&alloc_info->free_track);
+	print_track(&alloc_info->alloc_track, "Allocated");
+	print_track(&alloc_info->free_track, "Freed");
 }
 
 void kasan_report_double_free(struct kmem_cache *cache, void *object,
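Review bot: print_track(&alloc_info->free_track, "Freed") runs unconditionally, so for an object that is still live (an out-of-bounds access on an allocated object) the report now states "Freed by task N:" on the strength of whatever the free track holds; the old "Freed:" header was just as unconditional, but the new phrasing reads as a positive claim that the object was freed. Consider skipping the free track when its stack is 0, or wording the header so a stale or empty free track is not mistaken for a real free.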
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH v4 4/9] kasan: simplify address description logic
  2017-03-24 19:32   ` Andrey Konovalov
@ 2017-03-24 19:32     ` Andrey Konovalov
  -1 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

Simplify logic for describing a memory address.
Add addr_to_page() helper function.

Makes the code easier to follow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 382d4d2b9052..f77341979dae 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -188,11 +188,17 @@ static void print_track(struct kasan_track *track, const char *prefix)
 	}
 }
 
-static void kasan_object_err(struct kmem_cache *cache, void *object)
+static struct page *addr_to_page(const void *addr)
+{
+	if ((addr >= (void *)PAGE_OFFSET) && (addr < high_memory))
+		return virt_to_head_page(addr);
+	return NULL;
+}
+
+static void describe_object(struct kmem_cache *cache, void *object)
 {
 	struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object);
 
-	dump_stack();
 	pr_err("Object at %p, in cache %s size: %d\n", object, cache->name,
 		cache->object_size);
 
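Review bot: dropping dump_stack() from the object description here and re-adding it in the callers in the next hunk preserves the output order for kasan_report_double_free() but not for print_address_description(), where the stack now comes out between the page dump and the object description; the commit message presents the patch as a pure simplification. Also, addr_to_page() keeps the `PAGE_OFFSET <= addr < high_memory` test that previously guarded virt_to_head_page() inline; a one-line comment on why that is the range virt_to_head_page() can be trusted on would help the next caller of the helper.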
@@ -211,34 +217,32 @@ void kasan_report_double_free(struct kmem_cache *cache, void *object,
 	kasan_start_report(&flags);
 	pr_err("BUG: Double free or freeing an invalid pointer\n");
 	pr_err("Unexpected shadow byte: 0x%hhX\n", shadow);
-	kasan_object_err(cache, object);
+	dump_stack();
+	describe_object(cache, object);
 	kasan_end_report(&flags);
 }
 
 static void print_address_description(struct kasan_access_info *info)
 {
 	const void *addr = info->access_addr;
+	struct page *page = addr_to_page(addr);
 
-	if ((addr >= (void *)PAGE_OFFSET) &&
-		(addr < high_memory)) {
-		struct page *page = virt_to_head_page(addr);
-
-		if (PageSlab(page)) {
-			void *object;
-			struct kmem_cache *cache = page->slab_cache;
-			object = nearest_obj(cache, page,
-						(void *)info->access_addr);
-			kasan_object_err(cache, object);
-			return;
-		}
+	if (page)
 		dump_page(page, "kasan: bad access detected");
+
+	dump_stack();
+
+	if (page && PageSlab(page)) {
+		struct kmem_cache *cache = page->slab_cache;
+		void *object = nearest_obj(cache, page,	(void *)addr);
+
+		describe_object(cache, object);
 	}
 
 	if (kernel_or_module_addr(addr)) {
 		if (!init_task_stack_addr(addr))
 			pr_err("Address belongs to variable %pS\n", addr);
 	}
-	dump_stack();
 }
 
 static bool row_is_guilty(const void *row, const void *guilty)
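Review bot: this hunk changes what is printed, not only how: previously a slab page took the `kasan_object_err(cache, object); return;` path and was never passed to dump_page(), while now `if (page) dump_page(page, "kasan: bad access detected");` runs for every direct-mapped address, slab or not, and the page dump is printed before the stack trace and the object description. The cover letter's sample report shows this is intended, but the commit message ("Makes the code easier to follow") should say that the output changes. Nit: stray tab after the comma in `nearest_obj(cache, page,	(void *)addr);`.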
-- 
2.12.1.578.ge9c3154ca4-goog

* [PATCH v4 5/9] kasan: change report header
  2017-03-24 19:32   ` Andrey Konovalov
@ 2017-03-24 19:32     ` Andrey Konovalov
  -1 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

Change report header format from:

BUG: KASAN: use-after-free in unwind_get_return_address+0x28a/0x2c0 at addr ffff880069437950
Read of size 8 by task insmod/3925

to:

BUG: KASAN: use-after-free in unwind_get_return_address+0x28a/0x2c0
Read of size 8 at addr ffff880069437950 by task insmod/3925

The exact access address is not usually important, so move it to the
second line. This also makes the header look visually balanced.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index f77341979dae..156f998199e2 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -130,11 +130,10 @@ static void print_error_description(struct kasan_access_info *info)
 {
 	const char *bug_type = get_bug_type(info);
 
-	pr_err("BUG: KASAN: %s in %pS at addr %p\n",
-		bug_type, (void *)info->ip, info->access_addr);
-	pr_err("%s of size %zu by task %s/%d\n",
+	pr_err("BUG: KASAN: %s in %pS\n", bug_type, (void *)info->ip);
+	pr_err("%s of size %zu at addr %p by task %s/%d\n",
 		info->is_write ? "Write" : "Read", info->access_size,
-		current->comm, task_pid_nr(current));
+		info->access_addr, current->comm, task_pid_nr(current));
 }
 
 static inline bool kernel_or_module_addr(const void *addr)
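Review bot: Dropping `at addr %p` from the first line means that anything keying crash deduplication on the first report line now sees bug type plus the `%pS` symbol and offset with no per-run address; that is the useful effect behind "not usually important", and it would be worth stating explicitly in the commit message, since `info->access_addr` is still printed, only moved to the second line.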
-- 
2.12.1.578.ge9c3154ca4-goog
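A small triage-side parser for the two header layouts quoted above, added here as an example; it is not part of this patch or of the kernel tree. It reads either layout, extracts the fields, and builds a deduplication key from bug type plus symbol, which is what the reshuffled first line makes stable across runs (addresses and pids vary between runs, the `%pS` symbol does not). The sample reports are constructed from the lines in the commit message plus the double-free header format introduced later in this series; a real deployment would feed it the first lines of captured console logs.

```python
import re

# Constructed sample reports (not from a real run): the first two are the
# header layouts quoted in the patch description, the others are variations
# built from them to exercise the parser.
OLD_REPORT = (
    "BUG: KASAN: use-after-free in unwind_get_return_address+0x28a/0x2c0 at addr ffff880069437950\n"
    "Read of size 8 by task insmod/3925\n"
)
NEW_REPORT = (
    "BUG: KASAN: use-after-free in unwind_get_return_address+0x28a/0x2c0\n"
    "Read of size 8 at addr ffff880069437950 by task insmod/3925\n"
)
# Same bug on a different run: address and pid differ (constructed values).
NEW_REPORT_RERUN = (
    "BUG: KASAN: use-after-free in unwind_get_return_address+0x28a/0x2c0\n"
    "Read of size 8 at addr ffff88006a2d5a80 by task insmod/4012\n"
)
# Double-free header as formatted later in this series: no access line, the
# next non-empty line is the CPU/PID line that dump_stack() prints.
DOUBLE_FREE_REPORT = (
    "BUG: KASAN: double-free or invalid-free in kmalloc_oob_left+0xe5/0xef\n"
    "\n"
    "CPU: 1 PID: 3951 Comm: insmod Tainted: G    B           4.10.0+ #84\n"
)

# Pre-patch layout: address on the first line, task on the second.
_OLD_LINE1 = re.compile(
    r"^BUG: KASAN: (?P<bug_type>.+?) in (?P<func>.+?) at addr (?P<addr>[0-9a-fA-F]+)$")
_OLD_LINE2 = re.compile(
    r"^(?P<rw>Read|Write) of size (?P<size>\d+) by task (?P<task>.+)/(?P<pid>\d+)$")
# Post-patch layout: first line is bug type and symbol only.
_NEW_LINE1 = re.compile(r"^BUG: KASAN: (?P<bug_type>.+?) in (?P<func>.+)$")
_NEW_LINE2 = re.compile(
    r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-fA-F]+)"
    r" by task (?P<task>.+)/(?P<pid>\d+)$")


def parse_kasan_header(report):
    """Parse the first two non-empty lines of a KASAN report.

    Handles both the pre-patch layout (address on the first line) and the
    post-patch layout (address on the second line). Returns None when the
    first line is not a KASAN header. Access fields stay None when there is
    no "Read/Write of size" line, as for a double-free report.
    """
    lines = [ln.strip() for ln in report.splitlines() if ln.strip()]
    if not lines:
        return None
    first = lines[0]
    second = lines[1] if len(lines) > 1 else ""

    # The old layout is the more specific pattern, so try it first; the new
    # first-line pattern would otherwise swallow " at addr ..." into func.
    m1 = _OLD_LINE1.match(first)
    if m1:
        layout, m2 = "old", _OLD_LINE2.match(second)
    else:
        m1 = _NEW_LINE1.match(first)
        if m1 is None:
            return None
        layout, m2 = "new", _NEW_LINE2.match(second)

    func = m1.group("func")
    info = {
        "layout": layout,
        "bug_type": m1.group("bug_type"),
        "func": func,
        # Symbol without the +offset/size part, so the key survives rebuilds
        # that shift offsets inside the function.
        "symbol": func.split("+", 1)[0],
        "addr": int(m1.group("addr"), 16) if layout == "old" else None,
        "rw": None, "size": None, "task": None, "pid": None,
    }
    if m2:
        info["rw"] = m2.group("rw")
        info["size"] = int(m2.group("size"))
        info["task"] = m2.group("task")
        info["pid"] = int(m2.group("pid"))
        if layout == "new":
            info["addr"] = int(m2.group("addr"), 16)
    # Dedup key: bug type plus symbol, which is what the new first line
    # carries once the per-build offset is stripped.
    info["dedup_key"] = f"{info['bug_type']} in {info['symbol']}"
    return info


def group_by_key(reports):
    """Group raw reports by dedup key; returns {key: [parsed headers]}."""
    groups = {}
    for rep in reports:
        info = parse_kasan_header(rep)
        if info is not None:
            groups.setdefault(info["dedup_key"], []).append(info)
    return groups


if __name__ == "__main__":
    samples = [OLD_REPORT, NEW_REPORT, NEW_REPORT_RERUN, DOUBLE_FREE_REPORT]
    for key, items in group_by_key(samples).items():
        addrs = [hex(i["addr"]) if i["addr"] is not None else "-" for i in items]
        print(f"{len(items)}x {key}: addrs {addrs}")
```

The old layout is matched first because it is the stricter pattern; trying the new first-line regex first would accept an old-style line and leave " at addr ..." inside the function name, which would then break the dedup key.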

* [PATCH v4 6/9] kasan: improve slab object description
  2017-03-24 19:32   ` Andrey Konovalov
@ 2017-03-24 19:32     ` Andrey Konovalov
  -1 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

Changes slab object description from:

Object at ffff880068388540, in cache kmalloc-128 size: 128

to:

Object at ffff88006a2d5a80 belongs to cache kmalloc-128 of size 128
 accessed at offset 123

This adds information about the offset of the accessed address relative to
the start of the object.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 38 +++++++++++++++++++++++++++-----------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 156f998199e2..06e27a342d1d 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -194,18 +194,34 @@ static struct page *addr_to_page(const void *addr)
 	return NULL;
 }
 
-static void describe_object(struct kmem_cache *cache, void *object)
+static void describe_object_addr(struct kmem_cache *cache, void *object,
+				const void *addr)
 {
-	struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object);
+	unsigned long access_addr = (unsigned long)addr;
+	unsigned long object_addr = (unsigned long)object;
+	const char *rel_type;
+	int rel_bytes;
 
-	pr_err("Object at %p, in cache %s size: %d\n", object, cache->name,
-		cache->object_size);
+	pr_err("Object at %p belongs to cache %s of size %d\n",
+		object, cache->name, cache->object_size);
 
-	if (!(cache->flags & SLAB_KASAN))
+	if (!addr)
 		return;
 
-	print_track(&alloc_info->alloc_track, "Allocated");
-	print_track(&alloc_info->free_track, "Freed");
+	pr_err(" accessed at offset %d\n", access_addr - object_addr);
+}
+
+static void describe_object(struct kmem_cache *cache, void *object,
+				const void *addr)
+{
+	struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object);
+
+	if (cache->flags & SLAB_KASAN) {
+		print_track(&alloc_info->alloc_track, "Allocated");
+		print_track(&alloc_info->free_track, "Freed");
+	}
+
+	describe_object_addr(cache, object, addr);
 }
 
 void kasan_report_double_free(struct kmem_cache *cache, void *object,
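Review bot: `rel_type` and `rel_bytes` are declared in describe_object_addr() but never used, which will produce unused-variable warnings; either drop them or use them. Relatedly, `pr_err(" accessed at offset %d\n", access_addr - object_addr)` passes an `unsigned long` to `%d`, a format/argument mismatch the printk format checking will flag, and the unsigned difference does not yield a clean negative offset for an access below the object start. Computing `rel_bytes = (int)(access_addr - object_addr)` and printing that would address both.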
@@ -217,13 +233,13 @@ void kasan_report_double_free(struct kmem_cache *cache, void *object,
 	pr_err("BUG: Double free or freeing an invalid pointer\n");
 	pr_err("Unexpected shadow byte: 0x%hhX\n", shadow);
 	dump_stack();
-	describe_object(cache, object);
+	describe_object(cache, object, NULL);
 	kasan_end_report(&flags);
 }
 
 static void print_address_description(struct kasan_access_info *info)
 {
-	const void *addr = info->access_addr;
+	void *addr = (void *)info->access_addr;
 	struct page *page = addr_to_page(addr);
 
 	if (page)
@@ -233,9 +249,9 @@ static void print_address_description(struct kasan_access_info *info)
 
 	if (page && PageSlab(page)) {
 		struct kmem_cache *cache = page->slab_cache;
-		void *object = nearest_obj(cache, page,	(void *)addr);
+		void *object = nearest_obj(cache, page,	addr);
 
-		describe_object(cache, object);
+		describe_object(cache, object, addr);
 	}
 
 	if (kernel_or_module_addr(addr)) {
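Review bot: The `const` on `addr` is now cast away at its declaration (`void *addr = (void *)info->access_addr;`) only to satisfy nearest_obj(), while describe_object() itself takes `const void *`; keeping `const void *addr` and casting at the nearest_obj() call, as the removed line did, keeps the intent visible at the one place that needs it.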
-- 
2.12.1.578.ge9c3154ca4-goog

* [PATCH v4 7/9] kasan: print page description after stacks
  2017-03-24 19:32   ` Andrey Konovalov
@ 2017-03-24 19:32     ` Andrey Konovalov
  -1 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

Moves page description after the stacks since it's less important.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 06e27a342d1d..e0f7dbf9e883 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -242,9 +242,6 @@ static void print_address_description(struct kasan_access_info *info)
 	void *addr = (void *)info->access_addr;
 	struct page *page = addr_to_page(addr);
 
-	if (page)
-		dump_page(page, "kasan: bad access detected");
-
 	dump_stack();
 
 	if (page && PageSlab(page)) {
@@ -254,9 +251,14 @@ static void print_address_description(struct kasan_access_info *info)
 		describe_object(cache, object, addr);
 	}
 
-	if (kernel_or_module_addr(addr)) {
-		if (!init_task_stack_addr(addr))
-			pr_err("Address belongs to variable %pS\n", addr);
+	if (kernel_or_module_addr(addr) && !init_task_stack_addr(addr)) {
+		pr_err("The buggy address belongs to the variable:\n");
+		pr_err(" %pS\n", addr);
+	}
+
+	if (page) {
+		pr_err("The buggy address belongs to the page:\n");
+		dump_page(page, "kasan: bad access detected");
 	}
 }
 
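Review bot: The reason string `"kasan: bad access detected"` passed to dump_page() is now largely redundant with the "The buggy address belongs to the page:" heading printed directly above it; either shorten the reason or drop the heading, and note in the commit message that the page dump deliberately moves below the variable description.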
-- 
2.12.1.578.ge9c3154ca4-goog

* [PATCH v4 8/9] kasan: improve double-free report format
  2017-03-24 19:32   ` Andrey Konovalov
@ 2017-03-24 19:32     ` Andrey Konovalov
  -1 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

Changes double-free report header from:

BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB

to:

BUG: KASAN: double-free or invalid-free in kmalloc_oob_left+0xe5/0xef

This makes a bug uniquely identifiable by the first report line.
To account for the removal of the unexpected shadow value, print shadow
bytes at the end of the report as in reports for other kinds of bugs.

To print the caller function name in the report header, the caller address
is passed from the SLUB/SLAB free handlers.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 include/linux/kasan.h |  2 +-
 mm/kasan/kasan.c      |  5 +++--
 mm/kasan/kasan.h      |  2 +-
 mm/kasan/report.c     | 30 ++++++++++++++----------------
 mm/slab.c             |  2 +-
 mm/slub.c             | 12 +++++++-----
 6 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/include/linux/kasan.h b/include/linux/kasan.h
index 5734480c9590..554f843f1625 100644
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -62,7 +62,7 @@ void kasan_kmalloc(struct kmem_cache *s, const void *object, size_t size,
 void kasan_krealloc(const void *object, size_t new_size, gfp_t flags);
 
 void kasan_slab_alloc(struct kmem_cache *s, void *object, gfp_t flags);
-bool kasan_slab_free(struct kmem_cache *s, void *object);
+bool kasan_slab_free(struct kmem_cache *s, void *object, unsigned long pc);
 
 struct kasan_cache {
 	int alloc_meta_offset;
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 98b27195e38b..83cc011bb9bc 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -567,7 +567,8 @@ static void kasan_poison_slab_free(struct kmem_cache *cache, void *object)
 	kasan_poison_shadow(object, rounded_up_size, KASAN_KMALLOC_FREE);
 }
 
-bool kasan_slab_free(struct kmem_cache *cache, void *object)
+bool kasan_slab_free(struct kmem_cache *cache, void *object,
+		     unsigned long pc)
 {
 	s8 shadow_byte;
 
@@ -577,7 +578,7 @@ bool kasan_slab_free(struct kmem_cache *cache, void *object)
 
 	shadow_byte = READ_ONCE(*(s8 *)kasan_mem_to_shadow(object));
 	if (shadow_byte < 0 || shadow_byte >= KASAN_SHADOW_SCALE_SIZE) {
-		kasan_report_double_free(cache, object, shadow_byte);
+		kasan_report_double_free(cache, object, pc);
 		return true;
 	}
 
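Review bot: `pc` is `unsigned long` here, but kasan_report_double_free() is declared in mm/kasan/kasan.h with `void *ip`, so `kasan_report_double_free(cache, object, pc)` is an implicit integer-to-pointer conversion the compiler will warn about, and it is inconsistent with kasan_report(), which takes `unsigned long ip`. Either declare the parameter as `unsigned long ip` and cast with `(void *)ip` at the `%pS` call, or cast explicitly here.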
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index 1c260e6b3b3c..75729173ade9 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -104,7 +104,7 @@ static inline bool kasan_report_enabled(void)
 void kasan_report(unsigned long addr, size_t size,
 		bool is_write, unsigned long ip);
 void kasan_report_double_free(struct kmem_cache *cache, void *object,
-			s8 shadow);
+					void *ip);
 
 #if defined(CONFIG_SLAB) || defined(CONFIG_SLUB)
 void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache);
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index e0f7dbf9e883..2368b8cf5f95 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -224,22 +224,8 @@ static void describe_object(struct kmem_cache *cache, void *object,
 	describe_object_addr(cache, object, addr);
 }
 
-void kasan_report_double_free(struct kmem_cache *cache, void *object,
-			s8 shadow)
-{
-	unsigned long flags;
-
-	kasan_start_report(&flags);
-	pr_err("BUG: Double free or freeing an invalid pointer\n");
-	pr_err("Unexpected shadow byte: 0x%hhX\n", shadow);
-	dump_stack();
-	describe_object(cache, object, NULL);
-	kasan_end_report(&flags);
-}
-
-static void print_address_description(struct kasan_access_info *info)
+static void print_address_description(void *addr)
 {
-	void *addr = (void *)info->access_addr;
 	struct page *page = addr_to_page(addr);
 
 	dump_stack();
@@ -314,6 +300,18 @@ static void print_shadow_for_address(const void *addr)
 	}
 }
 
+void kasan_report_double_free(struct kmem_cache *cache, void *object,
+				void *ip)
+{
+	unsigned long flags;
+
+	kasan_start_report(&flags);
+	pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", ip);
+	print_address_description(object);
+	print_shadow_for_address(object);
+	kasan_end_report(&flags);
+}
+
 static void kasan_report_error(struct kasan_access_info *info)
 {
 	unsigned long flags;
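Review bot: print_address_description(object) for a double free reaches describe_object(cache, object, addr) with `addr == object`, so describe_object_addr() now prints " accessed at offset 0" for a free that is not an access; the removed call passed NULL precisely to suppress that line. Consider a NULL-address path or a flag for the double-free case, or reword the line so it is meaningful for frees.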
@@ -325,7 +323,7 @@ static void kasan_report_error(struct kasan_access_info *info)
 	if (!addr_has_shadow(info)) {
 		dump_stack();
 	} else {
-		print_address_description(info);
+		print_address_description((void *)info->access_addr);
 		print_shadow_for_address(info->first_bad_addr);
 	}
 
diff --git a/mm/slab.c b/mm/slab.c
index 807d86c76908..aba5f30ea63e 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -3508,7 +3508,7 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp,
 				unsigned long caller)
 {
 	/* Put the object into the quarantine, don't touch it for now. */
-	if (kasan_slab_free(cachep, objp))
+	if (kasan_slab_free(cachep, objp, caller))
 		return;
 
 	___cache_free(cachep, objp, caller);
diff --git a/mm/slub.c b/mm/slub.c
index 7f4bc7027ed5..763570a0b15e 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1325,7 +1325,8 @@ static inline void kfree_hook(const void *x)
 	kasan_kfree_large(x);
 }
 
-static inline void *slab_free_hook(struct kmem_cache *s, void *x)
+static inline void *slab_free_hook(struct kmem_cache *s, void *x,
+				   unsigned long addr)
 {
 	void *freeptr;
 
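Review bot: The new parameter is named `addr` here and in slab_free_freelist_hook() but `pc` in kasan_slab_free(); since it carries a caller return address rather than an object address, one name across the three (for instance `caller`, which mm/slab.c already uses for the same value) would avoid confusion with the `x`/`object` pointers in the same functions.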
@@ -1354,12 +1355,13 @@ static inline void *slab_free_hook(struct kmem_cache *s, void *x)
 	 * kasan_slab_free() may put x into memory quarantine, delaying its
 	 * reuse. In this case the object's freelist pointer is changed.
 	 */
-	kasan_slab_free(s, x);
+	kasan_slab_free(s, x, addr);
 	return freeptr;
 }
 
 static inline void slab_free_freelist_hook(struct kmem_cache *s,
-					   void *head, void *tail)
+					   void *head, void *tail,
+					   unsigned long addr)
 {
 /*
  * Compiler cannot detect this function can be removed if slab_free_hook()
@@ -1376,7 +1378,7 @@ static inline void slab_free_freelist_hook(struct kmem_cache *s,
 	void *freeptr;
 
 	do {
-		freeptr = slab_free_hook(s, object);
+		freeptr = slab_free_hook(s, object, addr);
 	} while ((object != tail_obj) && (object = freeptr));
 #endif
 }
@@ -2958,7 +2960,7 @@ static __always_inline void slab_free(struct kmem_cache *s, struct page *page,
 				      void *head, void *tail, int cnt,
 				      unsigned long addr)
 {
-	slab_free_freelist_hook(s, head, tail);
+	slab_free_freelist_hook(s, head, tail, addr);
 	/*
 	 * slab_free_freelist_hook() could have put the items into quarantine.
 	 * If so, no need to free them.
-- 
2.12.1.578.ge9c3154ca4-goog

* [PATCH v4 9/9] kasan: separate report parts by empty lines
  2017-03-24 19:32   ` Andrey Konovalov
@ 2017-03-24 19:32     ` Andrey Konovalov
  -1 siblings, 0 replies; 43+ messages in thread
From: Andrey Konovalov @ 2017-03-24 19:32 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel
  Cc: Andrey Konovalov

Makes the report easier to read.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 2368b8cf5f95..a79fc1036161 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -218,7 +218,9 @@ static void describe_object(struct kmem_cache *cache, void *object,
 
 	if (cache->flags & SLAB_KASAN) {
 		print_track(&alloc_info->alloc_track, "Allocated");
+		pr_err("\n");
 		print_track(&alloc_info->free_track, "Freed");
+		pr_err("\n");
 	}
 
 	describe_object_addr(cache, object, addr);
@@ -229,6 +231,7 @@ static void print_address_description(void *addr)
 	struct page *page = addr_to_page(addr);
 
 	dump_stack();
+	pr_err("\n");
 
 	if (page && PageSlab(page)) {
 		struct kmem_cache *cache = page->slab_cache;
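Review bot: the `pr_err("\n")` after dump_stack() is unconditional while every section that follows it in print_address_description() is conditional (slab object, variable, page); for an address that matches none of them the function ends on that blank line and kasan_report_error() prints another one before the shadow dump, giving two empty lines. Emitting the separator ahead of each optional section, or guarding the caller's blank line, avoids that.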
@@ -307,7 +310,9 @@ void kasan_report_double_free(struct kmem_cache *cache, void *object,
 
 	kasan_start_report(&flags);
 	pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", ip);
+	pr_err("\n");
 	print_address_description(object);
+	pr_err("\n");
 	print_shadow_for_address(object);
 	kasan_end_report(&flags);
 }
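Review bot: kasan_report_double_free() and the slab branch of kasan_report_error() now carry the same tail (blank line, print_address_description(), blank line, print_shadow_for_address()); a helper taking the address would keep the two report kinds from drifting apart the next time the layout changes.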
@@ -319,11 +324,13 @@ static void kasan_report_error(struct kasan_access_info *info)
 	kasan_start_report(&flags);
 
 	print_error_description(info);
+	pr_err("\n");
 
 	if (!addr_has_shadow(info)) {
 		dump_stack();
 	} else {
 		print_address_description((void *)info->access_addr);
+		pr_err("\n");
 		print_shadow_for_address(info->first_bad_addr);
 	}
 
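Review bot: in the `!addr_has_shadow(info)` branch the stack is printed with neither a trailing separator nor a shadow dump, while the other branch gets both; that asymmetry is intentional (there is no shadow to show for a wild address) but it is not obvious from the code, so a one-line comment on the branch would help. The separator added before the `if` applies to both branches, which is right.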
-- 
2.12.1.578.ge9c3154ca4-goog



* [PATCH 0/5] net/packet: fix multiple overflow issues in ring buffers
@ 2017-03-28 14:00 Andrey Konovalov
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

This patchset addresses multiple overflows and signedness-related issues
in packet socket ring buffers.

Andrey Konovalov (5):
  net/packet: fix overflow in check for priv area size
  net/packet: add explicit checks for tp_frame_size
  net/packet: fix overflow in check for tp_frame_nr
  net/packet: fix overflow in check for tp_reserve
  net/packet: reorder checks for ring buffer parameters

 net/packet/af_packet.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

-- 
2.12.2.564.g063fe858b8-goog


* [PATCH v4 1/9] kasan: introduce helper functions for determining bug type
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Introduce get_shadow_bug_type() function, which determines bug type
based on the shadow value for a particular kernel address.
Introduce get_wild_bug_type() function, which determines bug type
for addresses which don't have a corresponding shadow value.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 40 ++++++++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 10 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index f479365530b6..e3af37b7a74c 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -49,7 +49,13 @@ static const void *find_first_bad_addr(const void *addr, size_t size)
 	return first_bad_addr;
 }
 
-static void print_error_description(struct kasan_access_info *info)
+static bool addr_has_shadow(struct kasan_access_info *info)
+{
+	return (info->access_addr >=
+		kasan_shadow_to_mem((void *)KASAN_SHADOW_START));
+}
+
+static const char *get_shadow_bug_type(struct kasan_access_info *info)
 {
 	const char *bug_type = "unknown-crash";
 	u8 *shadow_addr;
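Review bot: addr_has_shadow() checks only the lower bound (`access_addr >= kasan_shadow_to_mem(KASAN_SHADOW_START)`), mirroring the inverted condition removed from kasan_report_error() below, so behaviour is unchanged; the name promises more than the test does, so either document that addresses above the shadow-covered range are not excluded here or name the helper for what it actually checks.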
@@ -96,6 +102,27 @@ static void print_error_description(struct kasan_access_info *info)
 		break;
 	}
 
+	return bug_type;
+}
+
+static const char *get_wild_bug_type(struct kasan_access_info *info)
+{
+	const char *bug_type;
+
+	if ((unsigned long)info->access_addr < PAGE_SIZE)
+		bug_type = "null-ptr-deref";
+	else if ((unsigned long)info->access_addr < TASK_SIZE)
+		bug_type = "user-memory-access";
+	else
+		bug_type = "wild-memory-access";
+
+	return bug_type;
+}
+
+static void print_error_description(struct kasan_access_info *info)
+{
+	const char *bug_type = get_shadow_bug_type(info);
+
 	pr_err("BUG: KASAN: %s in %pS at addr %p\n",
 		bug_type, (void *)info->ip,
 		info->access_addr);
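Review bot: print_error_description() now calls get_shadow_bug_type() unconditionally, so it is only correct for addresses that pass addr_has_shadow(); nothing in the function enforces that, it relies on the caller's `else` branch. Folding the addr_has_shadow() dispatch into a single get_bug_type() and calling that from here removes the implicit precondition (the next patch in this series does exactly that).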
@@ -265,18 +292,11 @@ static void print_shadow_for_address(const void *addr)
 static void kasan_report_error(struct kasan_access_info *info)
 {
 	unsigned long flags;
-	const char *bug_type;
 
 	kasan_start_report(&flags);
 
-	if (info->access_addr <
-			kasan_shadow_to_mem((void *)KASAN_SHADOW_START)) {
-		if ((unsigned long)info->access_addr < PAGE_SIZE)
-			bug_type = "null-ptr-deref";
-		else if ((unsigned long)info->access_addr < TASK_SIZE)
-			bug_type = "user-memory-access";
-		else
-			bug_type = "wild-memory-access";
+	if (!addr_has_shadow(info)) {
+		const char *bug_type = get_wild_bug_type(info);
 		pr_err("BUG: KASAN: %s on address %p\n",
 			bug_type, info->access_addr);
 		pr_err("%s of size %zu by task %s/%d\n",
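Review bot: the wild-address branch still prints its own two header lines (`BUG: KASAN: %s on address %p` and `%s of size %zu by task %s/%d`) while the shadow branch uses print_error_description(); with get_wild_bug_type() factored out there is no reason left for two copies of the header format, so unify them, including the wording (`on address` here, `in %pS at addr` there).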
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH 1/5] net/packet: fix overflow in check for priv area size
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less than the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index a0dbe7ca8f72..2323ee35dc09 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4193,8 +4193,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
 			goto out;
 		if (po->tp_version >= TPACKET_V3 &&
-		    (int)(req->tp_block_size -
-			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
+		    req->tp_block_size <=
+			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
 			goto out;
 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
 					po->tp_reserve))
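Review bot: the `(u64)` cast has to sit inside the macro argument, as done here, because the wrap happens in the addition and alignment inside BLK_PLUS_PRIV, not in the comparison; a reader will be tempted to move it out, so add a short comment at the check. Comparing with `<=` keeps the old `<= 0` semantics of rejecting a block that has no room left for frames after the private area.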
-- 
2.12.2.564.g063fe858b8-goog


* [PATCH v4 2/9] kasan: unify report headers
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Unify KASAN report header format for different kinds of bad memory
accesses. Makes the code simpler.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index e3af37b7a74c..fc0577d15671 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -119,16 +119,22 @@ static const char *get_wild_bug_type(struct kasan_access_info *info)
 	return bug_type;
 }
 
+static const char *get_bug_type(struct kasan_access_info *info)
+{
+	if (addr_has_shadow(info))
+		return get_shadow_bug_type(info);
+	return get_wild_bug_type(info);
+}
+
 static void print_error_description(struct kasan_access_info *info)
 {
-	const char *bug_type = get_shadow_bug_type(info);
+	const char *bug_type = get_bug_type(info);
 
 	pr_err("BUG: KASAN: %s in %pS at addr %p\n",
-		bug_type, (void *)info->ip,
-		info->access_addr);
+		bug_type, (void *)info->ip, info->access_addr);
 	pr_err("%s of size %zu by task %s/%d\n",
-		info->is_write ? "Write" : "Read",
-		info->access_size, current->comm, task_pid_nr(current));
+		info->is_write ? "Write" : "Read", info->access_size,
+		current->comm, task_pid_nr(current));
 }
 
 static inline bool kernel_or_module_addr(const void *addr)
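Review bot: the reflow of the two pr_err() argument lists in print_error_description() is whitespace-only and unrelated to the get_bug_type() change; splitting it out, or at least noting it in the commit message, keeps the functional part of the diff reviewable on its own.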
@@ -295,17 +301,11 @@ static void kasan_report_error(struct kasan_access_info *info)
 
 	kasan_start_report(&flags);
 
+	print_error_description(info);
+
 	if (!addr_has_shadow(info)) {
-		const char *bug_type = get_wild_bug_type(info);
-		pr_err("BUG: KASAN: %s on address %p\n",
-			bug_type, info->access_addr);
-		pr_err("%s of size %zu by task %s/%d\n",
-			info->is_write ? "Write" : "Read",
-			info->access_size, current->comm,
-			task_pid_nr(current));
 		dump_stack();
 	} else {
-		print_error_description(info);
 		print_address_description(info);
 		print_shadow_for_address(info->first_bad_addr);
 	}
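Review bot: the commit message says "unify", but the wild-access header visibly changes: it now reads `BUG: KASAN: %s in %pS at addr %p` (caller plus address) instead of `BUG: KASAN: %s on address %p`, so anything matching the old `on address` string stops working; state the user-visible format change in the commit message.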
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH 2/5] net/packet: add explicit checks for tp_frame_size
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

tp_frame_size can't be 0 or be larger than tp_block_size.

As a result the check for frames_per_block == 0 is not needed any more.

Also do explicit checks for tp_block_size, instead of casting to int.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 2323ee35dc09..506348abdf2f 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4188,8 +4188,16 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		}
 
 		err = -EINVAL;
-		if (unlikely((int)req->tp_block_size <= 0))
+
+		if (unlikely(req->tp_block_size > INT_MAX))
+			goto out;
+		if (unlikely(req->tp_block_size == 0))
+			goto out;
+		if (unlikely(req->tp_frame_size > req->tp_block_size))
 			goto out;
+		if (unlikely(req->tp_frame_size == 0))
+			goto out;
+
 		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
 			goto out;
 		if (po->tp_version >= TPACKET_V3 &&
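Review bot: the four new checks catch the zero and `(int)`-cast cases, but at this point `rb->frames_per_block * req->tp_block_nr` further down can still wrap in `unsigned int`, since tp_block_nr is not bounded here; if that is deliberately left to a later patch, say so in the commit message or at the multiplication.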
@@ -4203,8 +4211,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 			goto out;
 
 		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
-		if (unlikely(rb->frames_per_block == 0))
-			goto out;
 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
 					req->tp_frame_nr))
 			goto out;
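Review bot: dropping the `frames_per_block == 0` test is only safe because the `tp_frame_size <= tp_block_size` and `tp_frame_size != 0` checks above guarantee the division yields at least 1; put that invariant in a comment at the division so it survives the next reordering of the checks.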
-- 
2.12.2.564.g063fe858b8-goog


* [PATCH v4 3/9] kasan: change allocation and freeing stack traces headers
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Change stack traces headers from:

Allocated:
PID = 42

to:

Allocated by task 42:

Makes the report one line shorter and look better.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index fc0577d15671..382d4d2b9052 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -175,9 +175,9 @@ static void kasan_end_report(unsigned long *flags)
 	kasan_enable_current();
 }
 
-static void print_track(struct kasan_track *track)
+static void print_track(struct kasan_track *track, const char *prefix)
 {
-	pr_err("PID = %u\n", track->pid);
+	pr_err("%s by task %u:\n", prefix, track->pid);
 	if (track->stack) {
 		struct stack_trace trace;
 
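Review bot: print_track() prints the `%s by task %u:` header before it looks at `track->stack`, so a track that was never recorded still produces a header line followed by whatever the else branch prints; consider returning early when there is no stack, or letting the caller decide whether to print the track at all.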
@@ -199,10 +199,8 @@ static void kasan_object_err(struct kmem_cache *cache, void *object)
 	if (!(cache->flags & SLAB_KASAN))
 		return;
 
-	pr_err("Allocated:\n");
-	print_track(&alloc_info->alloc_track);
-	pr_err("Freed:\n");
-	print_track(&alloc_info->free_track);
+	print_track(&alloc_info->alloc_track, "Allocated");
+	print_track(&alloc_info->free_track, "Freed");
 }
 
 void kasan_report_double_free(struct kmem_cache *cache, void *object,
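Review bot: kasan_object_err() prints both tracks unconditionally, so an out-of-bounds access on a live object gets a "Freed by task N:" header for an object that was never freed; printing the free track only when it carries a stack would avoid the misleading line.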
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH 3/5] net/packet: fix overflow in check for tp_frame_nr
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 506348abdf2f..c5c43fff8c01 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4197,6 +4197,9 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 			goto out;
 		if (unlikely(req->tp_frame_size == 0))
 			goto out;
+		if (unlikely((u64)req->tp_block_size * req->tp_block_nr >
+					UINT_MAX))
+			goto out;
 
 		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
 			goto out;
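Review bot: the bound is expressed on `tp_block_size * tp_block_nr`, but the multiplication it protects is `frames_per_block * tp_block_nr` some twenty lines lower, and the link between them (`frames_per_block <= tp_block_size`) lives only in the commit message; put that reasoning in a comment next to the check. Also worth stating that the `(u64)` cast on the first operand is what keeps the check's own product from wrapping.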
-- 
2.12.2.564.g063fe858b8-goog


* [PATCH v4 4/9] kasan: simplify address description logic
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Simplify logic for describing a memory address.
Add addr_to_page() helper function.

Makes the code easier to follow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 382d4d2b9052..f77341979dae 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -188,11 +188,17 @@ static void print_track(struct kasan_track *track, const char *prefix)
 	}
 }
 
-static void kasan_object_err(struct kmem_cache *cache, void *object)
+static struct page *addr_to_page(const void *addr)
+{
+	if ((addr >= (void *)PAGE_OFFSET) && (addr < high_memory))
+		return virt_to_head_page(addr);
+	return NULL;
+}
+
+static void describe_object(struct kmem_cache *cache, void *object)
 {
 	struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object);
 
-	dump_stack();
 	pr_err("Object at %p, in cache %s size: %d\n", object, cache->name,
 		cache->object_size);
 
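Review bot: describe_object() no longer calls dump_stack(), so every caller is now responsible for printing the stack; both callers in this patch do, but a comment on the function would keep future callers from forgetting. addr_to_page() returning NULL outside the linear map is fine as long as every user tests the pointer before PageSlab(), which the hunk below does.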
@@ -211,34 +217,32 @@ void kasan_report_double_free(struct kmem_cache *cache, void *object,
 	kasan_start_report(&flags);
 	pr_err("BUG: Double free or freeing an invalid pointer\n");
 	pr_err("Unexpected shadow byte: 0x%hhX\n", shadow);
-	kasan_object_err(cache, object);
+	dump_stack();
+	describe_object(cache, object);
 	kasan_end_report(&flags);
 }
 
 static void print_address_description(struct kasan_access_info *info)
 {
 	const void *addr = info->access_addr;
+	struct page *page = addr_to_page(addr);
 
-	if ((addr >= (void *)PAGE_OFFSET) &&
-		(addr < high_memory)) {
-		struct page *page = virt_to_head_page(addr);
-
-		if (PageSlab(page)) {
-			void *object;
-			struct kmem_cache *cache = page->slab_cache;
-			object = nearest_obj(cache, page,
-						(void *)info->access_addr);
-			kasan_object_err(cache, object);
-			return;
-		}
+	if (page)
 		dump_page(page, "kasan: bad access detected");
+
+	dump_stack();
+
+	if (page && PageSlab(page)) {
+		struct kmem_cache *cache = page->slab_cache;
+		void *object = nearest_obj(cache, page,	(void *)addr);
+
+		describe_object(cache, object);
 	}
 
 	if (kernel_or_module_addr(addr)) {
 		if (!init_task_stack_addr(addr))
 			pr_err("Address belongs to variable %pS\n", addr);
 	}
-	dump_stack();
 }
 
 static bool row_is_guilty(const void *row, const void *guilty)
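Review bot: this is not purely a simplification: dump_page() previously ran only for non-slab pages and now runs for every page in the linear map, slab pages included, and it runs before the stack instead of after the object description; the commit message should say that the output changes. Style: `nearest_obj(cache, page,\t(void *)addr)` has a tab where a space is expected.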
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH 4/5] net/packet: fix overflow in check for tp_reserve
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

This also takes care of an overflow when calculating
 macoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 + po->tp_reserve
 snaplen = skb->len
 macoff + snaplen
since macoff ~ INT_MAX and snaplen < SKB_MAX_ALLOC.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index c5c43fff8c01..28b49749d1af 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
 			return -EBUSY;
 		if (copy_from_user(&val, optval, sizeof(val)))
 			return -EFAULT;
+		if (val > INT_MAX)
+			return -EINVAL;
 		po->tp_reserve = val;
 		return 0;
 	}
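Review bot: bounding tp_reserve at setsockopt time is the right place for the check, but `val > INT_MAX` only fires if `val` (filled by `copy_from_user(&val, optval, sizeof(val))`) is an unsigned type; if it is declared `int` the comparison is never true. Worth confirming the declaration in context, and returning -EINVAL rather than silently clamping is the right choice.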
@@ -4200,6 +4202,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		if (unlikely((u64)req->tp_block_size * req->tp_block_nr >
 					UINT_MAX))
 			goto out;
+		if (unlikely(po->tp_reserve >= req->tp_frame_size))
+			goto out;
 
 		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
 			goto out;
@@ -4207,9 +4211,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		    req->tp_block_size <=
 			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
 			goto out;
-		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
-					po->tp_reserve))
-			goto out;
 		if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
 			goto out;
 
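Review bot: removing `tp_frame_size < po->tp_hdrlen + po->tp_reserve` weakens the validation: the replacement `po->tp_reserve >= req->tp_frame_size` added in the previous hunk only guarantees that the reserve fits in the frame, not that header plus reserve fit, so a frame of size tp_reserve + 1 now passes although tp_hdrlen bytes still have to be written. With tp_reserve capped at INT_MAX the sum `po->tp_hdrlen + po->tp_reserve` can only wrap if tp_hdrlen itself approaches INT_MAX, so the original check can simply stay alongside the new cap.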
-- 
2.12.2.564.g063fe858b8-goog


* [PATCH v4 5/9] kasan: change report header
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Change report header format from:

BUG: KASAN: use-after-free in unwind_get_return_address+0x28a/0x2c0 at addr ffff880069437950
Read of size 8 by task insmod/3925

to:

BUG: KASAN: use-after-free in unwind_get_return_address+0x28a/0x2c0
Read of size 8 at addr ffff880069437950 by task insmod/3925

The exact access address is not usually important, so move it to the
second line. This also makes the header look visually balanced.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index f77341979dae..156f998199e2 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -130,11 +130,10 @@ static void print_error_description(struct kasan_access_info *info)
 {
 	const char *bug_type = get_bug_type(info);
 
-	pr_err("BUG: KASAN: %s in %pS at addr %p\n",
-		bug_type, (void *)info->ip, info->access_addr);
-	pr_err("%s of size %zu by task %s/%d\n",
+	pr_err("BUG: KASAN: %s in %pS\n", bug_type, (void *)info->ip);
+	pr_err("%s of size %zu at addr %p by task %s/%d\n",
 		info->is_write ? "Write" : "Read", info->access_size,
-		current->comm, task_pid_nr(current));
+		info->access_addr, current->comm, task_pid_nr(current));
 }
 
 static inline bool kernel_or_module_addr(const void *addr)
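Review bot: with the address moved to the second line, the first report line no longer varies from boot to boot, which is the property the later double-free patch relies on when it calls a bug "uniquely identifiable by the first report line"; that is worth stating in the commit message, since tooling keyed on line one depends on it.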
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH 5/5] net/packet: reorder checks for ring buffer parameters
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

No semantic changes.

Improves readability.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 28b49749d1af..de25736a7988 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4191,6 +4191,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 
 		err = -EINVAL;
 
+		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+			goto out;
+		if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
+			goto out;
+
 		if (unlikely(req->tp_block_size > INT_MAX))
 			goto out;
 		if (unlikely(req->tp_block_size == 0))
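Review bot: moving PAGE_ALIGNED() ahead of the `== 0` check only preserves semantics because PAGE_ALIGNED(0) is true and zero is still caught below; "No semantic changes" holds, but the dependency between the two checks is easy to break in the next reorder, so a comment would help.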
@@ -4205,19 +4210,15 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		if (unlikely(po->tp_reserve >= req->tp_frame_size))
 			goto out;
 
-		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
+		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+					req->tp_frame_nr))
 			goto out;
+
 		if (po->tp_version >= TPACKET_V3 &&
 		    req->tp_block_size <=
 			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
 			goto out;
-		if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
-			goto out;
-
-		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
-		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
-					req->tp_frame_nr))
-			goto out;
 
 		err = -ENOMEM;
 		order = get_order(req->tp_block_size);
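Review bot: `rb->frames_per_block` is now written before the TPACKET_V3 BLK_PLUS_PRIV check, which can still `goto out`; unless the error path resets the ring state, a rejected request leaves a stale frames_per_block behind (the tp_frame_nr check already had this property in the removed lines, so it is pre-existing, but now one check wider). Computing into a local and assigning after the last check closes it.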
-- 
2.12.2.564.g063fe858b8-goog


* [PATCH v4 6/9] kasan: improve slab object description
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Changes slab object description from:

Object at ffff880068388540, in cache kmalloc-128 size: 128

to:

Object at ffff88006a2d5a80 belongs to cache kmalloc-128 of size 128
 accessed at offset 123

This adds information about relative offset of the accessed address to
the start of the object.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 38 +++++++++++++++++++++++++++-----------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 156f998199e2..06e27a342d1d 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -194,18 +194,34 @@ static struct page *addr_to_page(const void *addr)
 	return NULL;
 }
 
-static void describe_object(struct kmem_cache *cache, void *object)
+static void describe_object_addr(struct kmem_cache *cache, void *object,
+				const void *addr)
 {
-	struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object);
+	unsigned long access_addr = (unsigned long)addr;
+	unsigned long object_addr = (unsigned long)object;
+	const char *rel_type;
+	int rel_bytes;
 
-	pr_err("Object at %p, in cache %s size: %d\n", object, cache->name,
-		cache->object_size);
+	pr_err("Object at %p belongs to cache %s of size %d\n",
+		object, cache->name, cache->object_size);
 
-	if (!(cache->flags & SLAB_KASAN))
+	if (!addr)
 		return;
 
-	print_track(&alloc_info->alloc_track, "Allocated");
-	print_track(&alloc_info->free_track, "Freed");
+	pr_err(" accessed at offset %d\n", access_addr - object_addr);
+}
+
+static void describe_object(struct kmem_cache *cache, void *object,
+				const void *addr)
+{
+	struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object);
+
+	if (cache->flags & SLAB_KASAN) {
+		print_track(&alloc_info->alloc_track, "Allocated");
+		print_track(&alloc_info->free_track, "Freed");
+	}
+
+	describe_object_addr(cache, object, addr);
 }
 
 void kasan_report_double_free(struct kmem_cache *cache, void *object,
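Review bot: `pr_err(" accessed at offset %d\n", access_addr - object_addr)` passes an `unsigned long` to `%d`; use `%lu` (or a proper cast) to avoid the printk format warning and the truncation on 64-bit. `rel_type` and `rel_bytes` are declared in describe_object_addr() but never used in this hunk; either they belong to a follow-up or should go. The order of the output also changes (tracks first, then the "Object at" line, where the object line used to come first), which the commit message should mention next to the new format.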
@@ -217,13 +233,13 @@ void kasan_report_double_free(struct kmem_cache *cache, void *object,
 	pr_err("BUG: Double free or freeing an invalid pointer\n");
 	pr_err("Unexpected shadow byte: 0x%hhX\n", shadow);
 	dump_stack();
-	describe_object(cache, object);
+	describe_object(cache, object, NULL);
 	kasan_end_report(&flags);
 }
 
 static void print_address_description(struct kasan_access_info *info)
 {
-	const void *addr = info->access_addr;
+	void *addr = (void *)info->access_addr;
 	struct page *page = addr_to_page(addr);
 
 	if (page)
@@ -233,9 +249,9 @@ static void print_address_description(struct kasan_access_info *info)
 
 	if (page && PageSlab(page)) {
 		struct kmem_cache *cache = page->slab_cache;
-		void *object = nearest_obj(cache, page,	(void *)addr);
+		void *object = nearest_obj(cache, page,	addr);
 
-		describe_object(cache, object);
+		describe_object(cache, object, addr);
 	}
 
 	if (kernel_or_module_addr(addr)) {
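Review bot: `void *addr = (void *)info->access_addr` casts away const so that nearest_obj() and describe_object() can take a non-const pointer; if neither writes through it, making their parameters `const void *` removes the cast. The tab inside `nearest_obj(cache, page,\taddr)` survives from the previous patch.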
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH v4 7/9] kasan: print page description after stacks
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Moves page description after the stacks since it's less important.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 06e27a342d1d..e0f7dbf9e883 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -242,9 +242,6 @@ static void print_address_description(struct kasan_access_info *info)
 	void *addr = (void *)info->access_addr;
 	struct page *page = addr_to_page(addr);
 
-	if (page)
-		dump_page(page, "kasan: bad access detected");
-
 	dump_stack();
 
 	if (page && PageSlab(page)) {
@@ -254,9 +251,14 @@ static void print_address_description(struct kasan_access_info *info)
 		describe_object(cache, object, addr);
 	}
 
-	if (kernel_or_module_addr(addr)) {
-		if (!init_task_stack_addr(addr))
-			pr_err("Address belongs to variable %pS\n", addr);
+	if (kernel_or_module_addr(addr) && !init_task_stack_addr(addr)) {
+		pr_err("The buggy address belongs to the variable:\n");
+		pr_err(" %pS\n", addr);
+	}
+
+	if (page) {
+		pr_err("The buggy address belongs to the page:\n");
+		dump_page(page, "kasan: bad access detected");
 	}
 }
 
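Review bot: dump_page() still receives the reason string "kasan: bad access detected", so the page dump carries its own reason line right after the new "The buggy address belongs to the page:" header; decide whether both are wanted, or shorten the reason now that the header already says why the page is dumped. The merged condition `kernel_or_module_addr(addr) && !init_task_stack_addr(addr)` is behaviour-preserving.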
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH v4 8/9] kasan: improve double-free report format
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Changes double-free report header from:

BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB

to:

BUG: KASAN: double-free or invalid-free in kmalloc_oob_left+0xe5/0xef

This makes a bug uniquely identifiable by the first report line.
To account for removing of the unexpected shadow value, print shadow
bytes at the end of the report as in reports for other kinds of bugs.

To print caller function name in the report header, the caller address
is passed from SLUB/SLAB free handlers.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 include/linux/kasan.h |  2 +-
 mm/kasan/kasan.c      |  5 +++--
 mm/kasan/kasan.h      |  2 +-
 mm/kasan/report.c     | 30 ++++++++++++++----------------
 mm/slab.c             |  2 +-
 mm/slub.c             | 12 +++++++-----
 6 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/include/linux/kasan.h b/include/linux/kasan.h
index 5734480c9590..554f843f1625 100644
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -62,7 +62,7 @@ void kasan_kmalloc(struct kmem_cache *s, const void *object, size_t size,
 void kasan_krealloc(const void *object, size_t new_size, gfp_t flags);
 
 void kasan_slab_alloc(struct kmem_cache *s, void *object, gfp_t flags);
-bool kasan_slab_free(struct kmem_cache *s, void *object);
+bool kasan_slab_free(struct kmem_cache *s, void *object, unsigned long pc);
 
 struct kasan_cache {
 	int alloc_meta_offset;
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 98b27195e38b..83cc011bb9bc 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -567,7 +567,8 @@ static void kasan_poison_slab_free(struct kmem_cache *cache, void *object)
 	kasan_poison_shadow(object, rounded_up_size, KASAN_KMALLOC_FREE);
 }
 
-bool kasan_slab_free(struct kmem_cache *cache, void *object)
+bool kasan_slab_free(struct kmem_cache *cache, void *object,
+		     unsigned long pc)
 {
 	s8 shadow_byte;
 
@@ -577,7 +578,7 @@ bool kasan_slab_free(struct kmem_cache *cache, void *object)
 
 	shadow_byte = READ_ONCE(*(s8 *)kasan_mem_to_shadow(object));
 	if (shadow_byte < 0 || shadow_byte >= KASAN_SHADOW_SCALE_SIZE) {
-		kasan_report_double_free(cache, object, shadow_byte);
+		kasan_report_double_free(cache, object, pc);
 		return true;
 	}
 
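Review bot: `pc` is `unsigned long`, but kasan_report_double_free() is declared in mm/kasan/kasan.h (later in this patch) as taking `void *ip`, so `kasan_report_double_free(cache, object, pc)` passes an integer where a pointer is expected and the compiler will warn about the implicit int-to-pointer conversion. Either cast here (`(void *)pc`) or declare the parameter as `unsigned long` to match kasan_slab_free() and the SLUB/SLAB callers.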
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index 1c260e6b3b3c..75729173ade9 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -104,7 +104,7 @@ static inline bool kasan_report_enabled(void)
 void kasan_report(unsigned long addr, size_t size,
 		bool is_write, unsigned long ip);
 void kasan_report_double_free(struct kmem_cache *cache, void *object,
-			s8 shadow);
+					void *ip);
 
 #if defined(CONFIG_SLAB) || defined(CONFIG_SLUB)
 void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache);
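Review bot: the continuation line `void *ip);` is indented deeper than the `s8 shadow);` it replaces and does not match the definition in mm/kasan/report.c, which puts four tabs before `void *ip)`; align the prototype with the definition. This is also the place to settle the parameter type, since mm/kasan/kasan.c passes an `unsigned long pc` into it.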
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index e0f7dbf9e883..2368b8cf5f95 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -224,22 +224,8 @@ static void describe_object(struct kmem_cache *cache, void *object,
 	describe_object_addr(cache, object, addr);
 }
 
-void kasan_report_double_free(struct kmem_cache *cache, void *object,
-			s8 shadow)
-{
-	unsigned long flags;
-
-	kasan_start_report(&flags);
-	pr_err("BUG: Double free or freeing an invalid pointer\n");
-	pr_err("Unexpected shadow byte: 0x%hhX\n", shadow);
-	dump_stack();
-	describe_object(cache, object, NULL);
-	kasan_end_report(&flags);
-}
-
-static void print_address_description(struct kasan_access_info *info)
+static void print_address_description(void *addr)
 {
-	void *addr = (void *)info->access_addr;
 	struct page *page = addr_to_page(addr);
 
 	dump_stack();
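Review bot: the removed kasan_report_double_free() called describe_object(cache, object, NULL), whereas the replacement added below routes through print_address_description(object), so describe_object_addr() now receives the object pointer as the access address and will describe a hit at offset 0 inside the object. Check that describe_object_addr() reads sensibly for that case and that any special handling of a NULL addr it had for double-frees is removed rather than left as dead code.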
@@ -314,6 +300,18 @@ static void print_shadow_for_address(const void *addr)
 	}
 }
 
+void kasan_report_double_free(struct kmem_cache *cache, void *object,
+				void *ip)
+{
+	unsigned long flags;
+
+	kasan_start_report(&flags);
+	pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", ip);
+	print_address_description(object);
+	print_shadow_for_address(object);
+	kasan_end_report(&flags);
+}
+
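Review bot: moving the function below print_shadow_for_address() is forced by both helpers being static, but it makes the diff look like a rewrite of a function whose logic barely changed; a forward declaration of print_shadow_for_address() near the top of the file would keep kasan_report_double_free() next to the other report entry points and shrink the diff. Also note the header keeps only the `%pS` location: the "of size ... by task" line that kasan_report_error() prints for other bug kinds has no counterpart here, so the task is only recoverable from the dump_stack() output.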
 static void kasan_report_error(struct kasan_access_info *info)
 {
 	unsigned long flags;
@@ -325,7 +323,7 @@ static void kasan_report_error(struct kasan_access_info *info)
 	if (!addr_has_shadow(info)) {
 		dump_stack();
 	} else {
-		print_address_description(info);
+		print_address_description((void *)info->access_addr);
 		print_shadow_for_address(info->first_bad_addr);
 	}
 
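Review bot: `(void *)info->access_addr` only moves the const-discarding cast from the removed `void *addr = (void *)info->access_addr;` line to the call site. Since print_address_description() only reads through the pointer, give it a `const void *addr` parameter, as print_shadow_for_address() already has, and drop the cast; any const-incorrect helper it calls is then visible at its own call site instead of being hidden by the cast.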
diff --git a/mm/slab.c b/mm/slab.c
index 807d86c76908..aba5f30ea63e 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -3508,7 +3508,7 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp,
 				unsigned long caller)
 {
 	/* Put the object into the quarantine, don't touch it for now. */
-	if (kasan_slab_free(cachep, objp))
+	if (kasan_slab_free(cachep, objp, caller))
 		return;
 
 	___cache_free(cachep, objp, caller);
diff --git a/mm/slub.c b/mm/slub.c
index 7f4bc7027ed5..763570a0b15e 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1325,7 +1325,8 @@ static inline void kfree_hook(const void *x)
 	kasan_kfree_large(x);
 }
 
-static inline void *slab_free_hook(struct kmem_cache *s, void *x)
+static inline void *slab_free_hook(struct kmem_cache *s, void *x,
+				   unsigned long addr)
 {
 	void *freeptr;
 
@@ -1354,12 +1355,13 @@ static inline void *slab_free_hook(struct kmem_cache *s, void *x)
 	 * kasan_slab_free() may put x into memory quarantine, delaying its
 	 * reuse. In this case the object's freelist pointer is changed.
 	 */
-	kasan_slab_free(s, x);
+	kasan_slab_free(s, x, addr);
 	return freeptr;
 }
 
 static inline void slab_free_freelist_hook(struct kmem_cache *s,
-					   void *head, void *tail)
+					   void *head, void *tail,
+					   unsigned long addr)
 {
 /*
  * Compiler cannot detect this function can be removed if slab_free_hook()
@@ -1376,7 +1378,7 @@ static inline void slab_free_freelist_hook(struct kmem_cache *s,
 	void *freeptr;
 
 	do {
-		freeptr = slab_free_hook(s, object);
+		freeptr = slab_free_hook(s, object, addr);
 	} while ((object != tail_obj) && (object = freeptr));
 #endif
 }
@@ -2958,7 +2960,7 @@ static __always_inline void slab_free(struct kmem_cache *s, struct page *page,
 				      void *head, void *tail, int cnt,
 				      unsigned long addr)
 {
-	slab_free_freelist_hook(s, head, tail);
+	slab_free_freelist_hook(s, head, tail, addr);
 	/*
 	 * slab_free_freelist_hook() could have put the items into quarantine.
 	 * If so, no need to free them.
-- 
2.12.1.578.ge9c3154ca4-goog


* [PATCH v4 9/9] kasan: separate report parts by empty lines
From: Andrey Konovalov @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

Makes the report easier to read.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 2368b8cf5f95..a79fc1036161 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -218,7 +218,9 @@ static void describe_object(struct kmem_cache *cache, void *object,
 
 	if (cache->flags & SLAB_KASAN) {
 		print_track(&alloc_info->alloc_track, "Allocated");
+		pr_err("\n");
 		print_track(&alloc_info->free_track, "Freed");
+		pr_err("\n");
 	}
 
 	describe_object_addr(cache, object, addr);
@@ -229,6 +231,7 @@ static void print_address_description(void *addr)
 	struct page *page = addr_to_page(addr);
 
 	dump_stack();
+	pr_err("\n");
 
 	if (page && PageSlab(page)) {
 		struct kmem_cache *cache = page->slab_cache;
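Review bot: the blank line added after dump_stack() is unconditional, but everything that follows it in print_address_description() is conditional (the slab-object block, the kernel/module variable block and the page dump, as restructured in 7/9). For an address that matches none of them, this blank line lands directly before the one the callers print ahead of print_shadow_for_address() in the later hunks, giving two consecutive empty lines. Print the separator at the start of each conditional section instead, or only after dump_stack() when at least one section will print.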
@@ -307,7 +310,9 @@ void kasan_report_double_free(struct kmem_cache *cache, void *object,
 
 	kasan_start_report(&flags);
 	pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", ip);
+	pr_err("\n");
 	print_address_description(object);
+	pr_err("\n");
 	print_shadow_for_address(object);
 	kasan_end_report(&flags);
 }
@@ -319,11 +324,13 @@ static void kasan_report_error(struct kasan_access_info *info)
 	kasan_start_report(&flags);
 
 	print_error_description(info);
+	pr_err("\n");
 
 	if (!addr_has_shadow(info)) {
 		dump_stack();
 	} else {
 		print_address_description((void *)info->access_addr);
+		pr_err("\n");
 		print_shadow_for_address(info->first_bad_addr);
 	}
 
-- 
2.12.1.578.ge9c3154ca4-goog


* Re: [PATCH v4 1/9] kasan: introduce helper functions for determining bug type
From: Andrey Konovalov @ 2017-03-28 14:03 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek
  Cc: netdev, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov

On Tue, Mar 28, 2017 at 4:00 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> Introduce get_shadow_bug_type() function, which determines bug type
> based on the shadow value for a particular kernel address.
> Introduce get_wild_bug_type() function, which determines bug type
> for addresses which don't have a corresponding shadow value.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> ---
>  mm/kasan/report.c | 40 ++++++++++++++++++++++++++++++----------
>  1 file changed, 30 insertions(+), 10 deletions(-)
>
> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
> index f479365530b6..e3af37b7a74c 100644
> --- a/mm/kasan/report.c
> +++ b/mm/kasan/report.c
> @@ -49,7 +49,13 @@ static const void *find_first_bad_addr(const void *addr, size_t size)
>         return first_bad_addr;
>  }
>
> -static void print_error_description(struct kasan_access_info *info)
> +static bool addr_has_shadow(struct kasan_access_info *info)
> +{
> +       return (info->access_addr >=
> +               kasan_shadow_to_mem((void *)KASAN_SHADOW_START));
> +}
> +
> +static const char *get_shadow_bug_type(struct kasan_access_info *info)
>  {
>         const char *bug_type = "unknown-crash";
>         u8 *shadow_addr;
> @@ -96,6 +102,27 @@ static void print_error_description(struct kasan_access_info *info)
>                 break;
>         }
>
> +       return bug_type;
> +}
> +
> +static const char *get_wild_bug_type(struct kasan_access_info *info)
> +{
> +       const char *bug_type;
> +
> +       if ((unsigned long)info->access_addr < PAGE_SIZE)
> +               bug_type = "null-ptr-deref";
> +       else if ((unsigned long)info->access_addr < TASK_SIZE)
> +               bug_type = "user-memory-access";
> +       else
> +               bug_type = "wild-memory-access";
> +
> +       return bug_type;
> +}
> +
> +static void print_error_description(struct kasan_access_info *info)
> +{
> +       const char *bug_type = get_shadow_bug_type(info);
> +
>         pr_err("BUG: KASAN: %s in %pS at addr %p\n",
>                 bug_type, (void *)info->ip,
>                 info->access_addr);
> @@ -265,18 +292,11 @@ static void print_shadow_for_address(const void *addr)
>  static void kasan_report_error(struct kasan_access_info *info)
>  {
>         unsigned long flags;
> -       const char *bug_type;
>
>         kasan_start_report(&flags);
>
> -       if (info->access_addr <
> -                       kasan_shadow_to_mem((void *)KASAN_SHADOW_START)) {
> -               if ((unsigned long)info->access_addr < PAGE_SIZE)
> -                       bug_type = "null-ptr-deref";
> -               else if ((unsigned long)info->access_addr < TASK_SIZE)
> -                       bug_type = "user-memory-access";
> -               else
> -                       bug_type = "wild-memory-access";
> +       if (!addr_has_shadow(info)) {
> +               const char *bug_type = get_wild_bug_type(info);
>                 pr_err("BUG: KASAN: %s on address %p\n",
>                         bug_type, info->access_addr);
>                 pr_err("%s of size %zu by task %s/%d\n",
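Review bot: after this hunk the two report headers still differ in shape: `"BUG: KASAN: %s in %pS at addr %p\n"` for shadow-backed addresses versus `"BUG: KASAN: %s on address %p\n"` here for wild accesses, the latter without the `%pS` caller. That is presumably left for 2/9 ("kasan: unify report headers"), but the commit message could say so, since on its own this patch only extracts the bug-type helpers and leaves the two code paths printing differently.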
> --
> 2.12.1.578.ge9c3154ca4-goog
>

Oops, accidentally resent KASAN patchset together with AF_PACKET fixes.
Please ignore "[PATCH v4] kasan" patches.


* Re: [PATCH 4/5] net/packet: fix overflow in check for tp_reserve
From: Willem de Bruijn @ 2017-03-28 15:00 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek,
	Network Development, Dmitry Vyukov, Kostya Serebryany

On Tue, Mar 28, 2017 at 10:00 AM, Andrey Konovalov
<andreyknvl@google.com> wrote:
> When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
>
> Fix by checking that tp_reserve <= INT_MAX on assign.
>
> This also takes care of an overflow when calculating
>  macoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 + po->tp_reserve
>  snaplen = skb->len
>  macoff + snaplen
> since macoff ~ INT_MAX and snaplen < SKB_MAX_ALLOC.

This refers to the overflow of macoff + snaplen?

Note that macoff is unsigned short, so will truncate any overflow from
tp_reserve.

> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> ---
>  net/packet/af_packet.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index c5c43fff8c01..28b49749d1af 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
> @@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
>                         return -EBUSY;
>                 if (copy_from_user(&val, optval, sizeof(val)))
>                         return -EFAULT;
> +               if (val > INT_MAX)
> +                       return -EINVAL;

This change on its own is sufficient to avoid the overflow. For net
and backports to stable, this minimal patch is preferable.

>                 po->tp_reserve = val;
>                 return 0;
>         }
> @@ -4200,6 +4202,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
>                 if (unlikely((u64)req->tp_block_size * req->tp_block_nr >
>                                         UINT_MAX))
>                         goto out;
> +               if (unlikely(po->tp_reserve >= req->tp_frame_size))
> +                       goto out;
>
>                 if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
>                         goto out;
> @@ -4207,9 +4211,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
>                     req->tp_block_size <=
>                           BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
>                         goto out;
> -               if (unlikely(req->tp_frame_size < po->tp_hdrlen +
> -                                       po->tp_reserve))
> -                       goto out;

Is there a reason that the test is moved up? It is probably not
correct to remove tp_hdrlen from the test.

>                 if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
>                         goto out;
>
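Review bot: together with the `po->tp_reserve >= req->tp_frame_size` test added in the previous hunk, removing this check loosens the bound by tp_hdrlen: a tp_frame_size anywhere in [tp_reserve + 1, tp_hdrlen + tp_reserve - 1] was rejected by the old `tp_frame_size < tp_hdrlen + tp_reserve` comparison and is accepted now. If the aim is only to avoid the overflow in the addition, keep the original comparison and make the arithmetic overflow-safe (once tp_reserve is capped at INT_MAX by the first hunk, the sum can no longer wrap), rather than dropping tp_hdrlen from the test.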
> --
> 2.12.2.564.g063fe858b8-goog
>


* Re: [PATCH 0/5] net/packet: fix multiple overflow issues in ring buffers
From: Willem de Bruijn @ 2017-03-28 15:06 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek,
	Network Development, Dmitry Vyukov, Kostya Serebryany

On Tue, Mar 28, 2017 at 10:00 AM, Andrey Konovalov
<andreyknvl@google.com> wrote:
> This patchset addresses multiple overflows and signedness-related issues
> in packet socket ring buffers.
>
> Andrey Konovalov (5):
>   net/packet: fix overflow in check for priv area size
>   net/packet: add explicit checks for tp_frame_size
>   net/packet: fix overflow in check for tp_frame_nr
>   net/packet: fix overflow in check for tp_reserve
>   net/packet: reorder checks for ring buffer parameters

These are a lot of changes to backport to stable kernels.

Can we separate the minimal patch set needed to address known overflow
to send to net (with annotation [PATCH net]) and follow up with the larger
cleanup to net-next?

>
>  net/packet/af_packet.c | 31 +++++++++++++++++++++----------
>  1 file changed, 21 insertions(+), 10 deletions(-)
>
> --
> 2.12.2.564.g063fe858b8-goog
>


* Re: [PATCH 4/5] net/packet: fix overflow in check for tp_reserve
From: Andrey Konovalov @ 2017-03-28 15:11 UTC (permalink / raw)
  To: Willem de Bruijn
  Cc: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek,
	Network Development, Dmitry Vyukov, Kostya Serebryany

On Tue, Mar 28, 2017 at 5:00 PM, Willem de Bruijn
<willemdebruijn.kernel@gmail.com> wrote:
> On Tue, Mar 28, 2017 at 10:00 AM, Andrey Konovalov
> <andreyknvl@google.com> wrote:
>> When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
>>
>> Fix by checking that tp_reserve <= INT_MAX on assign.
>>
>> This also takes care of an overflow when calculating
>>  macoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 + po->tp_reserve
>>  snaplen = skb->len
>>  macoff + snaplen
>> since macoff ~ INT_MAX and snaplen < SKB_MAX_ALLOC.
>
> This refers to the overflow of macoff + snaplen?
>
> Note that macoff is unsigned short, so will truncate any overflow from
> tp_reserve.

Yes, you're right.
Should I make macoff unsigned int to fix this?

>
>> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
>> ---
>>  net/packet/af_packet.c | 7 ++++---
>>  1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
>> index c5c43fff8c01..28b49749d1af 100644
>> --- a/net/packet/af_packet.c
>> +++ b/net/packet/af_packet.c
>> @@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
>>                         return -EBUSY;
>>                 if (copy_from_user(&val, optval, sizeof(val)))
>>                         return -EFAULT;
>> +               if (val > INT_MAX)
>> +                       return -EINVAL;
>
> This change on its own is sufficient to avoid the overflow. For net
> and backports to stable, this minimal patch is preferable.

I will put it into a separate patch then.

>
>>                 po->tp_reserve = val;
>>                 return 0;
>>         }
>> @@ -4200,6 +4202,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
>>                 if (unlikely((u64)req->tp_block_size * req->tp_block_nr >
>>                                         UINT_MAX))
>>                         goto out;
>> +               if (unlikely(po->tp_reserve >= req->tp_frame_size))
>> +                       goto out;
>>
>>                 if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
>>                         goto out;
>> @@ -4207,9 +4211,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
>>                     req->tp_block_size <=
>>                           BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
>>                         goto out;
>> -               if (unlikely(req->tp_frame_size < po->tp_hdrlen +
>> -                                       po->tp_reserve))
>> -                       goto out;
>
> Is there a reason that the test is moved up? It is probably not
> correct to remove tp_hdrlen from the test.

Just to group together all checks of tp_frame_size and tp_block_size.

I'm not sure there's any difference between checking against
po->tp_hdrlen + po->tp_reserve and just po->tp_reserve.
I guess the correct check should be against
TPACKET_ALIGN(po->tp_hdrlen) + 16 + po->tp_reserve.

Should I use this value?

>
>>                 if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
>>                         goto out;
>>
>> --
>> 2.12.2.564.g063fe858b8-goog
>>


* Re: [PATCH 0/5] net/packet: fix multiple overflow issues in ring buffers
From: Andrey Konovalov @ 2017-03-28 15:15 UTC (permalink / raw)
  To: Willem de Bruijn
  Cc: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek,
	Network Development, Dmitry Vyukov, Kostya Serebryany

On Tue, Mar 28, 2017 at 5:06 PM, Willem de Bruijn
<willemdebruijn.kernel@gmail.com> wrote:
> On Tue, Mar 28, 2017 at 10:00 AM, Andrey Konovalov
> <andreyknvl@google.com> wrote:
>> This patchset addresses multiple overflows and signedness-related issues
>> in packet socket ring buffers.
>>
>> Andrey Konovalov (5):
>>   net/packet: fix overflow in check for priv area size
>>   net/packet: add explicit checks for tp_frame_size
>>   net/packet: fix overflow in check for tp_frame_nr
>>   net/packet: fix overflow in check for tp_reserve
>>   net/packet: reorder checks for ring buffer parameters
>
> These are a lot of changes to backport to stable kernels.
>
> Can we separate the minimal patch set needed to address known overflow
> to send to net (with annotation [PATCH net]) and follow up with the larger
> cleanup to net-next.

Sure, I can put patches 2 and 5 to a separate patchset.

>
>>
>>  net/packet/af_packet.c | 31 +++++++++++++++++++++----------
>>  1 file changed, 21 insertions(+), 10 deletions(-)
>>
>> --
>> 2.12.2.564.g063fe858b8-goog
>>


* Re: [PATCH 4/5] net/packet: fix overflow in check for tp_reserve
From: Willem de Bruijn @ 2017-03-28 15:21 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: David S . Miller, Eric Dumazet, Willem de Bruijn, Craig Gallek,
	Network Development, Dmitry Vyukov, Kostya Serebryany

On Tue, Mar 28, 2017 at 11:11 AM, Andrey Konovalov
<andreyknvl@google.com> wrote:
> On Tue, Mar 28, 2017 at 5:00 PM, Willem de Bruijn
> <willemdebruijn.kernel@gmail.com> wrote:
>> On Tue, Mar 28, 2017 at 10:00 AM, Andrey Konovalov
>> <andreyknvl@google.com> wrote:
>>> When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
>>>
>>> Fix by checking that tp_reserve <= INT_MAX on assign.
>>>
>>> This also takes care of an overflow when calculating
>>>  macoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 + po->tp_reserve
>>>  snaplen = skb->len
>>>  macoff + snaplen
>>> since macoff ~ INT_MAX and snaplen < SKB_MAX_ALLOC.
>>
>> This refers to the overflow of macoff + snaplen?
>>
>> Note that macoff is unsigned short, so will truncate any overflow from
>> tp_reserve.
>
> Yes, you're right.
> Should I make macoff unsigned int to fix this?

This is an unrelated issue. On first read, it seems quite harmless as
a process can cause data to be placed at an offset that causes it to be
overwritten by the tpacket_hdr later. Worth looking into more closely
separately.

>>
>>> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
>>> ---
>>>  net/packet/af_packet.c | 7 ++++---
>>>  1 file changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
>>> index c5c43fff8c01..28b49749d1af 100644
>>> --- a/net/packet/af_packet.c
>>> +++ b/net/packet/af_packet.c
>>> @@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
>>>                         return -EBUSY;
>>>                 if (copy_from_user(&val, optval, sizeof(val)))
>>>                         return -EFAULT;
>>> +               if (val > INT_MAX)
>>> +                       return -EINVAL;
>>
>> This change on its own is sufficient to avoid the overflow. For net
>> and backports to stable, this minimal patch is preferable.
>
> I will put it into a separate patch then.

Thanks.

>
>>
>>>                 po->tp_reserve = val;
>>>                 return 0;
>>>         }
>>> @@ -4200,6 +4202,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
>>>                 if (unlikely((u64)req->tp_block_size * req->tp_block_nr >
>>>                                         UINT_MAX))
>>>                         goto out;
>>> +               if (unlikely(po->tp_reserve >= req->tp_frame_size))
>>> +                       goto out;
>>>
>>>                 if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
>>>                         goto out;
>>> @@ -4207,9 +4211,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
>>>                     req->tp_block_size <=
>>>                           BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
>>>                         goto out;
>>> -               if (unlikely(req->tp_frame_size < po->tp_hdrlen +
>>> -                                       po->tp_reserve))
>>> -                       goto out;
>>
>> Is there a reason that the test is moved up? It is probably not
>> correct to remove tp_hdrlen from the test.
>
> Just to group together all checks of tp_frame_size and tp_block_size.

That makes sense, but indeed more for net-next. I would then send a single patch
that includes the other new block and frame tests.

> I'm not sure there's any difference between checking against
> po->tp_hdrlen + po->tp_reserve and just po->tp_reserve.
> I guess the correct check should be against
> TPACKET_ALIGN(po->tp_hdrlen) + 16 + po->tp_reserve.
>
> Should I use this value?

Yes, for net-next this seems like a good tightening of the test.


* Re: [PATCH v4 0/9] kasan: improve error reports
From: Andrey Ryabinin @ 2017-03-29 13:33 UTC (permalink / raw)
  To: Andrey Konovalov, Alexander Potapenko, Dmitry Vyukov, kasan-dev,
	linux-mm, linux-kernel

On 03/24/2017 10:32 PM, Andrey Konovalov wrote:

> 
> Andrey Konovalov (9):
>   kasan: introduce helper functions for determining bug type
>   kasan: unify report headers
>   kasan: change allocation and freeing stack traces headers
>   kasan: simplify address description logic
>   kasan: change report header
>   kasan: improve slab object description
>   kasan: print page description after stacks
>   kasan: improve double-free report format
>   kasan: separate report parts by empty lines
> 
>  include/linux/kasan.h |   2 +-
>  mm/kasan/kasan.c      |   5 +-
>  mm/kasan/kasan.h      |   2 +-
>  mm/kasan/report.c     | 172 +++++++++++++++++++++++++++++++-------------------
>  mm/slab.c             |   2 +-
>  mm/slub.c             |  12 ++--
>  6 files changed, 121 insertions(+), 74 deletions(-)
> 

Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
