From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f199.google.com (mail-pf0-f199.google.com [209.85.192.199]) by kanga.kvack.org (Postfix) with ESMTP id 9B5616B0279 for ; Thu, 6 Jul 2017 18:01:37 -0400 (EDT) Received: by mail-pf0-f199.google.com with SMTP id c23so15022548pfe.11 for ; Thu, 06 Jul 2017 15:01:37 -0700 (PDT) Received: from mail-pg0-x22a.google.com (mail-pg0-x22a.google.com. [2607:f8b0:400e:c05::22a]) by mx.google.com with ESMTPS id 12si997537plb.93.2017.07.06.15.01.35 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 06 Jul 2017 15:01:35 -0700 (PDT) Received: by mail-pg0-x22a.google.com with SMTP id k14so7253821pgr.0 for ; Thu, 06 Jul 2017 15:01:35 -0700 (PDT) 
From: Greg Hackmann
Subject: [PATCH 0/4] kasan: add clang support
Date: Thu, 6 Jul 2017 15:01:10 -0700
Message-Id: <20170706220114.142438-1-ghackmann@google.com>
Sender: owner-linux-mm@kvack.org
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann

This patch series adds support for building KASAN-enabled kernels with clang. This mostly involves adding callbacks for a couple of new features in LLVM's AddressSanitizer implementation. We also need to probe for the (slightly different) CFLAGS used to configure ASAN with clang.

*** BLURB HERE ***

Alexander Potapenko (1):
  kasan: added functions for unpoisoning stack variables

Greg Hackmann (3):
  kasan: support alloca() poisoning
  kasan: support LLVM-style asan parameters
  kasan: add compiler support for clang

 include/linux/compiler-clang.h | 10 ++++++++++
 lib/test_kasan.c | 22 ++++++++++++++++++++++
 mm/kasan/kasan.c | 41 +++++++++++++++++++++++++++++++++++++++++
 mm/kasan/kasan.h | 8 ++++++++
 mm/kasan/report.c | 3 +++
 scripts/Makefile.kasan | 10 +++++++++-
 6 files changed, 93 insertions(+), 1 deletion(-)

--
2.13.2.725.g09c95d1e9-goog

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org
From: Greg Hackmann
Subject: [PATCH 1/4] kasan: support alloca() poisoning
Date: Thu, 6 Jul 2017 15:01:11 -0700
Message-Id: <20170706220114.142438-2-ghackmann@google.com>
In-Reply-To: <20170706220114.142438-1-ghackmann@google.com>
References: <20170706220114.142438-1-ghackmann@google.com>
Sender: owner-linux-mm@kvack.org
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann

clang's AddressSanitizer implementation adds redzones on either side of alloca()ed buffers. These redzones are 32-byte aligned and at least 32 bytes long.

__asan_alloca_poison() is passed the size and address of the allocated buffer, *excluding* the redzones on either side. The left redzone will always be to the immediate left of this buffer; but AddressSanitizer may need to add padding between the end of the buffer and the right redzone. If there are any 8-byte chunks inside this padding, we should poison those too.

__asan_allocas_unpoison() is just passed the top and bottom of the dynamic stack area, so unpoisoning is simpler.

Signed-off-by: Greg Hackmann
---
 lib/test_kasan.c | 22 ++++++++++++++++++++++
 mm/kasan/kasan.c | 26 ++++++++++++++++++++++++++
 mm/kasan/kasan.h | 8 ++++++++
 mm/kasan/report.c | 3 +++
 4 files changed, 59 insertions(+)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index a25c9763fce1..f774fcafb696 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -473,6 +473,26 @@ static noinline void __init use_after_scope_test(void) p[1023] = 1; } +static noinline void __init kasan_alloca_oob_left(void) +{ + volatile int i = 10; + char alloca_array[i]; + char *p = alloca_array - 1; + + pr_info("out-of-bounds to left on alloca\n"); + *(volatile char *)p; +} + +static noinline void __init kasan_alloca_oob_right(void) +{ + volatile int i = 10; + char alloca_array[i]; + char *p = alloca_array + round_up(i, 8); + + pr_info("out-of-bounds to right on alloca\n"); + *(volatile char *)p; +} + static int __init kmalloc_tests_init(void) { /* @@ -503,6 +523,8 @@ static int __init kmalloc_tests_init(void) memcg_accounted_kmem_cache(); kasan_stack_oob(); kasan_global_oob(); + kasan_alloca_oob_left(); + kasan_alloca_oob_right(); ksize_unpoisons_memory(); copy_user_test(); use_after_scope_test(); diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c index c81549d5c833..892b626f564b 100644 --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c 
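Review bot: in the lib/test_kasan.c hunk, kasan_alloca_oob_right() probes `alloca_array + round_up(i, 8)`, which is byte 16 of a 10-byte VLA, so bytes 10..15 are never exercised; since __asan_alloca_poison() only poisons whole 8-byte granules, a probe at `alloca_array + i` would currently pass silently. Add that probe (or a comment stating that the rounded offset deliberately works around the gap) so the test pins down the partial-granule behaviour instead of skipping it. A one-line comment on `volatile int i = 10` would also help: the volatile is what keeps `char alloca_array[i]` a true VLA, which is what makes clang lower it through the alloca path this series instruments.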
@@ -802,6 +802,32 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size) } EXPORT_SYMBOL(__asan_unpoison_stack_memory); +/* Emitted by compiler to poison alloca()ed objects. */ +void __asan_alloca_poison(unsigned long addr, size_t size) +{ + size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE); + size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) - + round_up(size, KASAN_SHADOW_SCALE_SIZE); + + const void *left_redzone = (const void *)(addr - + KASAN_ALLOCA_REDZONE_SIZE); + const void *right_redzone = (const void *)(addr + rounded_up_size); + + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE, + KASAN_ALLOCA_LEFT); + kasan_poison_shadow(right_redzone, + padding_size + KASAN_ALLOCA_REDZONE_SIZE, + KASAN_ALLOCA_RIGHT); +} +EXPORT_SYMBOL(__asan_alloca_poison); + +/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */ +void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) +{ + kasan_unpoison_shadow(stack_top, stack_bottom - stack_top); +} +EXPORT_SYMBOL(__asan_allocas_unpoison); + #ifdef CONFIG_MEMORY_HOTPLUG static int kasan_mem_notifier(struct notifier_block *nb, unsigned long action, void *data) diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index 1229298cce64..b857dc70d6a2 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h @@ -23,6 +23,14 @@ #define KASAN_STACK_PARTIAL 0xF4 #define KASAN_USE_AFTER_SCOPE 0xF8 +/* + * alloca redzone shadow values + */ +#define KASAN_ALLOCA_LEFT 0xCA +#define KASAN_ALLOCA_RIGHT 0xCB + +#define KASAN_ALLOCA_REDZONE_SIZE 32 + /* Don't break randconfig/all*config builds */ #ifndef KASAN_ABI_VERSION #define KASAN_ABI_VERSION 1 diff --git a/mm/kasan/report.c b/mm/kasan/report.c index beee0e980e2d..c6a5b7ab9e3a 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c 
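Review bot: in the __asan_alloca_poison() hunk, the tail of the last granule, [addr + size, addr + rounded_up_size), keeps shadow value 0, so a one-byte overrun of a buffer whose size is not a multiple of 8 goes undetected; before poisoning the redzones, call kasan_unpoison_shadow() on the bytes from round_down(size, KASAN_SHADOW_SCALE_SIZE) to size so the partial-granule shadow byte is written, as the heap paths do. Three smaller points: padding_size recomputes `round_up(size, KASAN_SHADOW_SCALE_SIZE)` instead of reusing rounded_up_size; the code relies on addr being KASAN_ALLOCA_REDZONE_SIZE-aligned but never checks it, and a `WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE))` would make a compiler-side change visible; and __asan_allocas_unpoison() passes `stack_bottom - stack_top` to a size_t parameter without checking stack_top <= stack_bottom, so a reversed pair would unpoison an enormous range.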
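Review bot: in the mm/kasan/kasan.h hunk, the comment "alloca redzone shadow values" does not say where 0xCA/0xCB and KASAN_ALLOCA_REDZONE_SIZE 32 come from. They are a contract with clang's AddressSanitizer (the commit message states its alloca redzones are 32-byte aligned and at least 32 bytes long), so say that in the header, and note that the two magic bytes must stay distinct from the KASAN_STACK_* and KASAN_USE_AFTER_SCOPE values above them because get_shadow_bug_type() dispatches on the raw shadow byte.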
@@ -101,6 +101,9 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info) break; case KASAN_USE_AFTER_SCOPE: bug_type = "use-after-scope"; + case KASAN_ALLOCA_LEFT: + case KASAN_ALLOCA_RIGHT: + bug_type = "alloca-out-of-bounds"; break; }
--
2.13.2.725.g09c95d1e9-goog

From: Greg Hackmann
Subject: [PATCH 2/4] kasan: added functions for unpoisoning stack variables
Date: Thu, 6 Jul 2017 15:01:12 -0700
Message-Id: <20170706220114.142438-3-ghackmann@google.com>
In-Reply-To: <20170706220114.142438-1-ghackmann@google.com>
References: <20170706220114.142438-1-ghackmann@google.com>
Sender: owner-linux-mm@kvack.org
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann
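Review bot: in the mm/kasan/report.c hunk of [PATCH 1/4], `case KASAN_USE_AFTER_SCOPE:` lost its terminating break, so it now falls through into the new alloca cases and every use-after-scope report will be labelled "alloca-out-of-bounds"; add `break;` after `bug_type = "use-after-scope";`.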
From: Alexander Potapenko

As a code-size optimization, LLVM builds since r279383 may bulk-manipulate the shadow region when (un)poisoning large memory blocks. This requires new callbacks that simply do an uninstrumented memset().

This fixes linking the Clang-built kernel when using KASAN.

Signed-off-by: Alexander Potapenko
[ghackmann@google.com: fix memset() parameters, and tweak commit message to describe new callbacks]
Signed-off-by: Greg Hackmann
---
 mm/kasan/kasan.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 892b626f564b..89911e5c69f9 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -828,6 +828,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) } EXPORT_SYMBOL(__asan_allocas_unpoison); +/* Emitted by the compiler to [un]poison local variables. */ +#define DEFINE_ASAN_SET_SHADOW(byte) \ + void __asan_set_shadow_##byte(const void *addr, size_t size) \ + { \ + __memset((void *)addr, 0x##byte, size); \ + } \ + EXPORT_SYMBOL(__asan_set_shadow_##byte) + +DEFINE_ASAN_SET_SHADOW(00); +DEFINE_ASAN_SET_SHADOW(f1); +DEFINE_ASAN_SET_SHADOW(f2); +DEFINE_ASAN_SET_SHADOW(f3); +DEFINE_ASAN_SET_SHADOW(f5); +DEFINE_ASAN_SET_SHADOW(f8); + #ifdef CONFIG_MEMORY_HOTPLUG static int kasan_mem_notifier(struct notifier_block *nb, unsigned long action, void *data)
--
2.13.2.725.g09c95d1e9-goog
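Review bot: in the DEFINE_ASAN_SET_SHADOW hunk, the bytes 00/f1/f2/f3/f5/f8 are an ABI contract with the compiler, but nothing ties them to the KASAN_STACK_* and KASAN_USE_AFTER_SCOPE values defined in kasan.h; add a comment giving that mapping, and noting that `size` counts shadow bytes rather than object bytes, so a mismatch is caught in review rather than showing up as a wrong bug type at runtime. Minor: each helper takes `const void *addr` only to cast the const away for __memset(); declare the parameter `void *` instead.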
From: Greg Hackmann
Subject: [PATCH 3/4] kasan: support LLVM-style asan parameters
Date: Thu, 6 Jul 2017 15:01:13 -0700
Message-Id: <20170706220114.142438-4-ghackmann@google.com>
In-Reply-To: <20170706220114.142438-1-ghackmann@google.com>
References: <20170706220114.142438-1-ghackmann@google.com>
Sender: owner-linux-mm@kvack.org
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann

Use cc-option to figure out whether the compiler's sanitizer uses LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters ("--param asan-foo=bar").

Signed-off-by: Greg Hackmann
---
 scripts/Makefile.kasan | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
index 9576775a86f6..b66ae4b4546b 100644
--- a/scripts/Makefile.kasan
+++ b/scripts/Makefile.kasan
@@ -9,11 +9,19 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET) CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address -CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \ +CFLAGS_KASAN_GCC := $(call cc-option, -fsanitize=kernel-address \ -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \ --param asan-stack=1 --param asan-globals=1 \ --param asan-instrumentation-with-call-threshold=$(call_threshold)) +CFLAGS_KASAN_LLVM := $(call cc-option, -fsanitize=kernel-address \ + -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET) \ + -mllvm -asan-stack=1 -mllvm -asan-globals=1 \ + -mllvm -asan-use-after-scope=1 \ + -mllvm -asan-instrumentation-with-call-threshold=$(call_threshold)) + +CFLAGS_KASAN := $(CFLAGS_KASAN_GCC) $(CFLAGS_KASAN_LLVM) + ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),) ifneq ($(CONFIG_COMPILE_TEST),y) $(warning Cannot use CONFIG_KASAN: \
--
2.13.2.725.g09c95d1e9-goog
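Review bot: in the scripts/Makefile.kasan hunk, `CFLAGS_KASAN := $(CFLAGS_KASAN_GCC) $(CFLAGS_KASAN_LLVM)` concatenates both probe results rather than choosing one as the commit message describes; it only works because each compiler rejects the other's flags under cc-option, and a toolchain that tolerated both would get two shadow-offset settings on one command line. Pick one explicitly, e.g. `ifneq ($(CFLAGS_KASAN_LLVM),)` / `CFLAGS_KASAN := $(CFLAGS_KASAN_LLVM)` / `else` / `CFLAGS_KASAN := $(CFLAGS_KASAN_GCC)` / `endif`. The LLVM block additionally passes `-mllvm -asan-use-after-scope=1` with no counterpart in the GCC block; either keep the two option sets equivalent or say in the commit message why clang gets use-after-scope here.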
From: Greg Hackmann
Subject: [PATCH 4/4] kasan: add compiler support for clang
Date: Thu, 6 Jul 2017 15:01:14 -0700
Message-Id: <20170706220114.142438-5-ghackmann@google.com>
In-Reply-To: <20170706220114.142438-1-ghackmann@google.com>
References: <20170706220114.142438-1-ghackmann@google.com>
Sender: owner-linux-mm@kvack.org
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann

For now we can hard-code ASAN ABI level 5, since historical clang builds can't build the kernel anyway. We also need to emulate gcc's __SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented.

Signed-off-by: Greg Hackmann
---
 include/linux/compiler-clang.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index d614c5ea1b5e..8153f793b22a 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -23,3 +23,13 @@ */ #undef inline #define inline inline __attribute__((unused)) notrace + +/* all clang versions usable with the kernel support KASAN ABI version 5 + */ +#define KASAN_ABI_VERSION 5 + +/* emulate gcc's __SANITIZE_ADDRESS__ flag + */ +#if __has_feature(address_sanitizer) +#define __SANITIZE_ADDRESS__ +#endif
--
2.13.2.725.g09c95d1e9-goog

Subject: Re: [PATCH 1/4] kasan: support alloca() poisoning
References: <20170706220114.142438-1-ghackmann@google.com> <20170706220114.142438-2-ghackmann@google.com>
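Review bot: in the include/linux/compiler-clang.h hunk, `#define __SANITIZE_ADDRESS__` defines the macro to nothing, whereas gcc defines it to 1; `#ifdef` users are fine, but any `#if __SANITIZE_ADDRESS__` would fail to compile under clang, so define it to 1 to match. The hard-coded `KASAN_ABI_VERSION 5` rests on the commit message's claim that older clang builds cannot build the kernel at all; record the minimum clang version that assumption depends on next to the define. Style: both comments use a two-line `/* text` / ` */` layout; kernel style for a one-line comment is `/* text */`.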
From: Greg Hackmann
Message-ID: <504eb5d1-d505-46fe-86aa-5b2d01497c15@google.com>
Date: Thu, 6 Jul 2017 17:09:31 -0700
In-Reply-To: <20170706220114.142438-2-ghackmann@google.com>
Sender: owner-linux-mm@kvack.org
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson

On 07/06/2017 03:01 PM, Greg Hackmann wrote:
> @@ -101,6 +101,9 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info) > break; > case KASAN_USE_AFTER_SCOPE: > bug_type = "use-after-scope"; > + case KASAN_ALLOCA_LEFT: > + case KASAN_ALLOCA_RIGHT: > + bug_type = "alloca-out-of-bounds"; >  break; > }

There needs to be a "break" above the new case statements. I'll wait to see if there's any other feedback, then send out a V2 patch that fixes this.

In-Reply-To: <20170706220114.142438-2-ghackmann@google.com>
References: <20170706220114.142438-1-ghackmann@google.com> <20170706220114.142438-2-ghackmann@google.com>
From: Dmitry Vyukov Date: Mon, 10 Jul 2017 10:44:15 +0200 Message-ID: Subject: Re: [PATCH 1/4] kasan: support alloca() poisoning Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Greg Hackmann Cc: Andrey Ryabinin , Alexander Potapenko , Masahiro Yamada , Michal Marek , LKML , kasan-dev , "linux-mm@kvack.org" , "open list:KERNEL BUILD + fi..." , Matthias Kaehlcke , Michael Davidson On Fri, Jul 7, 2017 at 12:01 AM, Greg Hackmann wrote: > clang's AddressSanitizer implementation adds redzones on either side of > alloca()ed buffers. These redzones are 32-byte aligned and at least 32 > bytes long. > > __asan_alloca_poison() is passed the size and address of the allocated > buffer, *excluding* the redzones on either side. The left redzone will > always be to the immediate left of this buffer; but AddressSanitizer may > need to add padding between the end of the buffer and the right redzone. > If there are any 8-byte chunks inside this padding, we should poison > those too. > > __asan_allocas_unpoison() is just passed the top and bottom of the > dynamic stack area, so unpoisoning is simpler. > > Signed-off-by: Greg Hackmann > --- > lib/test_kasan.c | 22 ++++++++++++++++++++++ > mm/kasan/kasan.c | 26 ++++++++++++++++++++++++++ > mm/kasan/kasan.h | 8 ++++++++ > mm/kasan/report.c | 3 +++ > 4 files changed, 59 insertions(+) > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > index a25c9763fce1..f774fcafb696 100644 > --- a/lib/test_kasan.c > +++ b/lib/test_kasan.c 
> @@ -473,6 +473,26 @@ static noinline void __init use_after_scope_test(void) > p[1023] = 1; > } > > +static noinline void __init kasan_alloca_oob_left(void) > +{ > + volatile int i = 10; > + char alloca_array[i]; > + char *p = alloca_array - 1; > + > + pr_info("out-of-bounds to left on alloca\n"); > + *(volatile char *)p; > +} > + > +static noinline void __init kasan_alloca_oob_right(void) > +{ > + volatile int i = 10; > + char alloca_array[i]; > + char *p = alloca_array + round_up(i, 8); > + > + pr_info("out-of-bounds to right on alloca\n"); > + *(volatile char *)p; > +} > + > static int __init kmalloc_tests_init(void) > { > /* > @@ -503,6 +523,8 @@ static int __init kmalloc_tests_init(void) > memcg_accounted_kmem_cache(); > kasan_stack_oob(); > kasan_global_oob(); > + kasan_alloca_oob_left(); > + kasan_alloca_oob_right(); > ksize_unpoisons_memory(); > copy_user_test(); > use_after_scope_test(); > diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c > index c81549d5c833..892b626f564b 100644 > --- a/mm/kasan/kasan.c > +++ b/mm/kasan/kasan.c 
> @@ -802,6 +802,32 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size) > } > EXPORT_SYMBOL(__asan_unpoison_stack_memory); > > +/* Emitted by compiler to poison alloca()ed objects. */ > +void __asan_alloca_poison(unsigned long addr, size_t size) > +{ > + size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE); > + size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) - > + round_up(size, KASAN_SHADOW_SCALE_SIZE);

Perhaps s/round_up(size, KASAN_SHADOW_SCALE_SIZE)/rounded_up_size/ because we already calculated that.

> + > + const void *left_redzone = (const void *)(addr - > + KASAN_ALLOCA_REDZONE_SIZE); > + const void *right_redzone = (const void *)(addr + rounded_up_size);

Please check that size is rounded to KASAN_ALLOCA_REDZONE_SIZE. That's the expectation, right? That can change in clang silently.

> + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE, > + KASAN_ALLOCA_LEFT); > + kasan_poison_shadow(right_redzone, > + padding_size + KASAN_ALLOCA_REDZONE_SIZE, > + KASAN_ALLOCA_RIGHT);

We also need to poison the unaligned part at the end of the object from size to rounded_up_size. You can see how we do it for heap objects.

> +} > +EXPORT_SYMBOL(__asan_alloca_poison); > +/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */ > +void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) > +{ > + kasan_unpoison_shadow(stack_top, stack_bottom - stack_top); > +} > +EXPORT_SYMBOL(__asan_allocas_unpoison); > + > #ifdef CONFIG_MEMORY_HOTPLUG > static int kasan_mem_notifier(struct notifier_block *nb, > unsigned long action, void *data) > diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h > index 1229298cce64..b857dc70d6a2 100644 > --- a/mm/kasan/kasan.h > +++ b/mm/kasan/kasan.h
> @@ -23,6 +23,14 @@ > #define KASAN_STACK_PARTIAL 0xF4 > #define KASAN_USE_AFTER_SCOPE 0xF8 > > +/* > + * alloca redzone shadow values > + */ > +#define KASAN_ALLOCA_LEFT 0xCA > +#define KASAN_ALLOCA_RIGHT 0xCB > + > +#define KASAN_ALLOCA_REDZONE_SIZE 32 > + > /* Don't break randconfig/all*config builds */ > #ifndef KASAN_ABI_VERSION > #define KASAN_ABI_VERSION 1 > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > index beee0e980e2d..c6a5b7ab9e3a 100644 > --- a/mm/kasan/report.c > +++ b/mm/kasan/report.c > @@ -101,6 +101,9 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info) > break; > case KASAN_USE_AFTER_SCOPE: > bug_type = "use-after-scope"; > + case KASAN_ALLOCA_LEFT: > + case KASAN_ALLOCA_RIGHT: > + bug_type = "alloca-out-of-bounds"; > break; > } > > -- > 2.13.2.725.g09c95d1e9-goog >

In-Reply-To: <20170706220114.142438-3-ghackmann@google.com>
References: <20170706220114.142438-1-ghackmann@google.com> <20170706220114.142438-3-ghackmann@google.com>
From: Dmitry Vyukov Date: Mon, 10 Jul 2017 10:46:13 +0200 Message-ID: Subject: Re: [PATCH 2/4] kasan: added functions for unpoisoning stack variables Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Greg Hackmann Cc: Andrey Ryabinin , Alexander Potapenko , Masahiro Yamada , Michal Marek , LKML , kasan-dev , "linux-mm@kvack.org" , "open list:KERNEL BUILD + fi..." , Matthias Kaehlcke , Michael Davidson On Fri, Jul 7, 2017 at 12:01 AM, Greg Hackmann wrote: > From: Alexander Potapenko > > As a code-size optimization, LLVM builds since r279383 may > bulk-manipulate the shadow region when (un)poisoning large memory > blocks. This requires new callbacks that simply do an uninstrumented > memset(). > > This fixes linking the Clang-built kernel when using KASAN. > > Signed-off-by: Alexander Potapenko > [ghackmann@google.com: fix memset() parameters, and tweak > commit message to describe new callbacks] > Signed-off-by: Greg Hackmann > --- > mm/kasan/kasan.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c > index 892b626f564b..89911e5c69f9 100644 > --- a/mm/kasan/kasan.c > +++ b/mm/kasan/kasan.c 
> @@ -828,6 +828,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) > } > EXPORT_SYMBOL(__asan_allocas_unpoison); > > +/* Emitted by the compiler to [un]poison local variables. */ > +#define DEFINE_ASAN_SET_SHADOW(byte) \ > + void __asan_set_shadow_##byte(const void *addr, size_t size) \ > + { \ > + __memset((void *)addr, 0x##byte, size); \ > + } \ > + EXPORT_SYMBOL(__asan_set_shadow_##byte) > + > +DEFINE_ASAN_SET_SHADOW(00); > +DEFINE_ASAN_SET_SHADOW(f1); > +DEFINE_ASAN_SET_SHADOW(f2); > +DEFINE_ASAN_SET_SHADOW(f3); > +DEFINE_ASAN_SET_SHADOW(f5); > +DEFINE_ASAN_SET_SHADOW(f8); > + > #ifdef CONFIG_MEMORY_HOTPLUG > static int kasan_mem_notifier(struct notifier_block *nb, > unsigned long action, void *data)

Reviewed-by: Dmitry Vyukov

In-Reply-To: <20170706220114.142438-4-ghackmann@google.com>
References: <20170706220114.142438-1-ghackmann@google.com> <20170706220114.142438-4-ghackmann@google.com>
From: Dmitry Vyukov Date: Mon, 10 Jul 2017 10:47:46 +0200 Message-ID: Subject: Re: [PATCH 3/4] kasan: support LLVM-style asan parameters Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Greg Hackmann Cc: Andrey Ryabinin , Alexander Potapenko , Masahiro Yamada , Michal Marek , LKML , kasan-dev , "linux-mm@kvack.org" , "open list:KERNEL BUILD + fi..." , Matthias Kaehlcke , Michael Davidson On Fri, Jul 7, 2017 at 12:01 AM, Greg Hackmann wrote: > Use cc-option to figure out whether the compiler's sanitizer uses > LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters > ("--param asan-foo=bar"). > > Signed-off-by: Greg Hackmann > --- > scripts/Makefile.kasan | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan > index 9576775a86f6..b66ae4b4546b 100644 > --- a/scripts/Makefile.kasan > +++ b/scripts/Makefile.kasan 
> @@ -9,11 +9,19 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET) > > CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address > > -CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \ > +CFLAGS_KASAN_GCC := $(call cc-option, -fsanitize=kernel-address \ > -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \ > --param asan-stack=1 --param asan-globals=1 \ > --param asan-instrumentation-with-call-threshold=$(call_threshold)) > > +CFLAGS_KASAN_LLVM := $(call cc-option, -fsanitize=kernel-address \ > + -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET) \ > + -mllvm -asan-stack=1 -mllvm -asan-globals=1 \ > + -mllvm -asan-use-after-scope=1 \ > + -mllvm -asan-instrumentation-with-call-threshold=$(call_threshold)) > + > +CFLAGS_KASAN := $(CFLAGS_KASAN_GCC) $(CFLAGS_KASAN_LLVM) > + > ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),) > ifneq ($(CONFIG_COMPILE_TEST),y) > $(warning Cannot use CONFIG_KASAN: \

Reviewed-by: Dmitry Vyukov
In-Reply-To: <20170706220114.142438-5-ghackmann@google.com>
References: <20170706220114.142438-1-ghackmann@google.com> <20170706220114.142438-5-ghackmann@google.com>
From: Dmitry Vyukov
Date: Mon, 10 Jul 2017 10:48:46 +0200
Subject: Re: [PATCH 4/4] kasan: add compiler support for clang
Sender: owner-linux-mm@kvack.org
To: Greg Hackmann
Cc: Andrey Ryabinin, Alexander Potapenko, Masahiro Yamada, Michal Marek, LKML, kasan-dev, "linux-mm@kvack.org", "open list:KERNEL BUILD + fi...", Matthias Kaehlcke, Michael Davidson

On Fri, Jul 7, 2017 at 12:01 AM, Greg Hackmann wrote:
> For now we can hard-code ASAN ABI level 5, since historical clang builds > can't build the kernel anyway. We also need to emulate gcc's > __SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented. > > Signed-off-by: Greg Hackmann > --- > include/linux/compiler-clang.h | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h > index d614c5ea1b5e..8153f793b22a 100644 > --- a/include/linux/compiler-clang.h > +++ b/include/linux/compiler-clang.h
> @@ -23,3 +23,13 @@
> */
> #undef inline
> #define inline inline __attribute__((unused)) notrace
> +
> +/* all clang versions usable with the kernel support KASAN ABI version 5
> + */
> +#define KASAN_ABI_VERSION 5
> +
> +/* emulate gcc's __SANITIZE_ADDRESS__ flag
> + */
> +#if __has_feature(address_sanitizer)
> +#define __SANITIZE_ADDRESS__
> +#endif

Reviewed-by: Dmitry Vyukov
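Review bot: `#define __SANITIZE_ADDRESS__` at the end of the hunk defines the macro with no value, whereas gcc defines it with value 1; `#ifdef`/`defined()` checks behave the same under both compilers, but any `#if __SANITIZE_ADDRESS__` test would evaluate to 0 under clang, so `#define __SANITIZE_ADDRESS__ 1` is the closer emulation and costs nothing. The comment on KASAN_ABI_VERSION should also say why 5 can be hard-coded (the commit message's point that older clang builds cannot build the kernel anyway), since that is the assumption a future reader will want to re-check when a new clang release changes the ABI.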
From: Andrey Ryabinin
Date: Mon, 10 Jul 2017 13:30:09 +0300
Subject: Re: [PATCH 1/4] kasan: support alloca() poisoning
Message-ID: <66645c53-de05-8371-ead8-d4e939af60a7@virtuozzo.com>
In-Reply-To: <20170706220114.142438-2-ghackmann@google.com>

On 07/07/2017 01:01 AM, Greg Hackmann wrote:
> clang's AddressSanitizer implementation adds redzones on either side of
> alloca()ed buffers. These redzones are 32-byte aligned and at least 32
> bytes long.

gcc now supports this too. So I think this patch should enable it.
It's off by default so you'll have to add --param asan-instrument-allocas=1 into cflags
to make it work.

>
> __asan_alloca_poison() is passed the size and address of the allocated
> buffer, *excluding* the redzones on either side. The left redzone will
> always be to the immediate left of this buffer; but AddressSanitizer may
> need to add padding between the end of the buffer and the right redzone.
> If there are any 8-byte chunks inside this padding, we should poison
> those too.
>
> __asan_allocas_unpoison() is just passed the top and bottom of the
> dynamic stack area, so unpoisoning is simpler.
>
> Signed-off-by: Greg Hackmann
> ---
> lib/test_kasan.c | 22 ++++++++++++++++++++++

Tests would be better as a separate patch.

> mm/kasan/kasan.c | 26 ++++++++++++++++++++++++++
> mm/kasan/kasan.h | 8 ++++++++
> mm/kasan/report.c | 3 +++
> 4 files changed, 59 insertions(+)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index a25c9763fce1..f774fcafb696 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -473,6 +473,26 @@ static noinline void __init use_after_scope_test(void)
> p[1023] = 1;
> }
>
> +static noinline void __init kasan_alloca_oob_left(void)
> +{
> + volatile int i = 10;
> + char alloca_array[i];
> + char *p = alloca_array - 1;
> +
> + pr_info("out-of-bounds to left on alloca\n");
> + *(volatile char *)p;
> +}
> +
> +static noinline void __init kasan_alloca_oob_right(void)
> +{
> + volatile int i = 10;
> + char alloca_array[i];
> + char *p = alloca_array + round_up(i, 8);

Why round_up() ?

> +
> + pr_info("out-of-bounds to right on alloca\n");
> + *(volatile char *)p;
> +}
> +
> static int __init kmalloc_tests_init(void)
> {
> /*
> @@ -503,6 +523,8 @@ static int __init kmalloc_tests_init(void)
> memcg_accounted_kmem_cache();
> kasan_stack_oob();
> kasan_global_oob();
> + kasan_alloca_oob_left();
> + kasan_alloca_oob_right();
> ksize_unpoisons_memory();
> copy_user_test();
> use_after_scope_test();
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index c81549d5c833..892b626f564b 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -802,6 +802,32 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size)
> }
> EXPORT_SYMBOL(__asan_unpoison_stack_memory);
>
> +/* Emitted by compiler to poison alloca()ed objects. */
> +void __asan_alloca_poison(unsigned long addr, size_t size)
> +{
> + size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
> + size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) -
> + round_up(size, KASAN_SHADOW_SCALE_SIZE);
> +
> + const void *left_redzone = (const void *)(addr -
> + KASAN_ALLOCA_REDZONE_SIZE);
> + const void *right_redzone = (const void *)(addr + rounded_up_size);
> +
> + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
> + KASAN_ALLOCA_LEFT);
> + kasan_poison_shadow(right_redzone,
> + padding_size + KASAN_ALLOCA_REDZONE_SIZE,
> + KASAN_ALLOCA_RIGHT);

As Dmitry pointed out, the memory between [addr+size, addr+rounded_up_size) is left unpoisoned.
kasan_alloca_oob_right() without round_up() would have caught this.
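Review bot: in kasan_alloca_oob_right() (test_kasan.c hunk above) the probe `alloca_array + round_up(i, 8)` lands on the next 8-byte shadow granule rather than on the first byte past the object, so the bytes in [alloca_array + i, alloca_array + round_up(i, 8)) are never exercised; probing `alloca_array + i` is the access this patch most needs to prove is caught, and as written the round_up() masks a poisoning gap instead of detecting it. A short comment noting that `char alloca_array[i]` with a volatile `i` is a VLA that the compiler lowers to a dynamic alloca, and that the test therefore depends on alloca instrumentation being enabled in the build, would also help the next reader of test_kasan.c.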
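Review bot: __asan_alloca_poison() starts the right redzone at `addr + rounded_up_size`, so when `size` is not a multiple of KASAN_SHADOW_SCALE_SIZE the bytes in [addr + size, addr + rounded_up_size) stay addressable; kasan_poison_shadow() works in whole granules, so the partial granule needs its shadow byte written explicitly with the number of addressable bytes, `(addr + size) & KASAN_SHADOW_MASK`, the way the heap allocation path does it. The function also assumes `addr` is KASAN_ALLOCA_REDZONE_SIZE-aligned and preceded by a redzone, but nothing checks that; a `WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE))` would turn a silent change in the compiler's alloca layout into a report instead of poisoning the shadow of whatever sits before the object.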
From: Andrey Ryabinin
Date: Mon, 10 Jul 2017 13:31:05 +0300
Subject: Re: [PATCH 2/4] kasan: added functions for unpoisoning stack variables
In-Reply-To: <20170706220114.142438-3-ghackmann@google.com>

On 07/07/2017 01:01 AM, Greg Hackmann wrote:
> From: Alexander Potapenko
>
> As a code-size optimization, LLVM builds since r279383 may
> bulk-manipulate the shadow region when (un)poisoning large memory
> blocks. This requires new callbacks that simply do an uninstrumented
> memset().
>
> This fixes linking the Clang-built kernel when using KASAN.
>
> Signed-off-by: Alexander Potapenko
> [ghackmann@google.com: fix memset() parameters, and tweak
> commit message to describe new callbacks]
> Signed-off-by: Greg Hackmann
> ---
> mm/kasan/kasan.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index 892b626f564b..89911e5c69f9 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -828,6 +828,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
> }
> EXPORT_SYMBOL(__asan_allocas_unpoison);
>
> +/* Emitted by the compiler to [un]poison local variables. */
> +#define DEFINE_ASAN_SET_SHADOW(byte) \
> + void __asan_set_shadow_##byte(const void *addr, size_t size) \
> + { \
> + __memset((void *)addr, 0x##byte, size); \
> + } \
> + EXPORT_SYMBOL(__asan_set_shadow_##byte)
> +
> +DEFINE_ASAN_SET_SHADOW(00);
> +DEFINE_ASAN_SET_SHADOW(f1);
> +DEFINE_ASAN_SET_SHADOW(f2);
> +DEFINE_ASAN_SET_SHADOW(f3);
> +DEFINE_ASAN_SET_SHADOW(f5);
> +DEFINE_ASAN_SET_SHADOW(f8);

I think we can remove f8 as it should be used only by use-after-return instrumentation.
We don't use it in the kernel.

> +
> #ifdef CONFIG_MEMORY_HOTPLUG
> static int kasan_mem_notifier(struct notifier_block *nb,
> unsigned long action, void *data)
>
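Review bot: the comment "Emitted by the compiler to [un]poison local variables" should state that `addr` is already a shadow address and `size` a count of shadow bytes, because that is the only reading under which `__memset((void *)addr, 0x##byte, size)` is correct; the other __asan_* callbacks in this file take object addresses, so a reader is likely to assume the same here and "fix" it by inserting an address-to-shadow translation. A comment on the DEFINE_ASAN_SET_SHADOW list naming what each shadow value stands for would also document why exactly this set of callbacks is defined and make the question of which ones the kernel actually needs answerable from the source.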
From: Andrey Ryabinin
Date: Mon, 10 Jul 2017 13:34:24 +0300
Subject: Re: [PATCH 4/4] kasan: add compiler support for clang
Message-ID: <34230d2e-c134-6cbc-2a59-c78c78782526@virtuozzo.com>
In-Reply-To: <20170706220114.142438-5-ghackmann@google.com>

On 07/07/2017 01:01 AM, Greg Hackmann wrote:
> For now we can hard-code ASAN ABI level 5, since historical clang builds
> can't build the kernel anyway. We also need to emulate gcc's
> __SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented.
>
> Signed-off-by: Greg Hackmann
> ---
> include/linux/compiler-clang.h | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> index d614c5ea1b5e..8153f793b22a 100644
> --- a/include/linux/compiler-clang.h
> +++ b/include/linux/compiler-clang.h
> @@ -23,3 +23,13 @@
> */
> #undef inline
> #define inline inline __attribute__((unused)) notrace
> +
> +/* all clang versions usable with the kernel support KASAN ABI version 5
> + */

Enclosing */ should be on the same line for single-line comments.

> +#define KASAN_ABI_VERSION 5
> +
> +/* emulate gcc's __SANITIZE_ADDRESS__ flag
> + */

Ditto.

> +#if __has_feature(address_sanitizer)
> +#define __SANITIZE_ADDRESS__
> +#endif
>
From: Greg Hackmann
Date: Thu, 13 Jul 2017 15:40:00 -0700
Subject: Re: [PATCH 1/4] kasan: support alloca() poisoning

Hi,

Thanks for taking a look at this patchstack. I apologize for the delay in responding.

On 07/10/2017 01:44 AM, Dmitry Vyukov wrote:
>> +
>> + const void *left_redzone = (const void *)(addr -
>> + KASAN_ALLOCA_REDZONE_SIZE);
>> + const void *right_redzone = (const void *)(addr + rounded_up_size);
>
> Please check that size is rounded to KASAN_ALLOCA_REDZONE_SIZE. That's
> the expectation, right? That can change in clang silently.
>
>> + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
>> + KASAN_ALLOCA_LEFT);
>> + kasan_poison_shadow(right_redzone,
>> + padding_size + KASAN_ALLOCA_REDZONE_SIZE,
>> + KASAN_ALLOCA_RIGHT);
>
> We also need to poison the unaligned part at the end of the object
> from size to rounded_up_size. You can see how we do it for heap
> objects.

The expectation is that `size' is the exact size of the alloca()ed object.
`rounded_up_size' then adds the 0-7 bytes needed to adjust the size to the
ASAN shadow scale. So `addr + rounded_up_size' should be the correct place
to start poisoning.

In retrospect this part of the code was pretty confusing. How about this?
I think its intent is clearer, plus it's a closer match for the description
in my commit message:

unsigned long left_redzone_start;
unsigned long object_end;
unsigned long right_redzone_start, right_redzone_end;

left_redzone_start = addr - KASAN_ALLOCA_REDZONE_SIZE;
kasan_poison_shadow((const void *)left_redzone_start,
 KASAN_ALLOCA_REDZONE_SIZE,
 KASAN_ALLOCA_LEFT);

object_end = round_up(addr + size, KASAN_SHADOW_SCALE_SIZE);
right_redzone_start = round_up(object_end, KASAN_ALLOCA_REDZONE_SIZE);
right_redzone_end = right_redzone_start + KASAN_ALLOCA_REDZONE_SIZE;
kasan_poison_shadow((const void *)object_end,
 right_redzone_end - object_end,
 KASAN_ALLOCA_RIGHT);
From: Greg Hackmann
Date: Thu, 13 Jul 2017 15:49:58 -0700
Subject: Re: [PATCH 1/4] kasan: support alloca() poisoning
Message-ID: <39dd8c5c-e606-486a-bcef-b8481c5203a1@google.com>
In-Reply-To: <66645c53-de05-8371-ead8-d4e939af60a7@virtuozzo.com>

On 07/10/2017 03:30 AM, Andrey Ryabinin wrote:
> gcc now supports this too. So I think this patch should enable it.
> It's off by default so you'll have to add --param asan-instrument-allocas=1 into cflags
> to make it work

Thanks, will fix. For now, it looks like I'll need to build gcc from git to test this?

>> lib/test_kasan.c | 22 ++++++++++++++++++++++
>
> Tests would be better as a separate patch.

I was following the precedent in 828347f8f9a5 ("kasan: support use-after-scope detection")
which added both at the same time. But I can split the test off into a separate patch
if you feel really strongly about it.
From: Dmitry Vyukov
Date: Fri, 14 Jul 2017 08:13:33 +0200
Subject: Re: [PATCH 1/4] kasan: support alloca() poisoning

On Fri, Jul 14, 2017 at 12:40 AM, Greg Hackmann wrote:
> Hi,
>
> Thanks for taking a look at this patchstack. I apologize for the delay in
> responding.
>
> On 07/10/2017 01:44 AM, Dmitry Vyukov wrote:
>>>
>>> +
>>> + const void *left_redzone = (const void *)(addr -
>>> + KASAN_ALLOCA_REDZONE_SIZE);
>>> + const void *right_redzone = (const void *)(addr +
>>> rounded_up_size);
>>
>>
>> Please check that size is rounded to KASAN_ALLOCA_REDZONE_SIZE. That's
>> the expectation, right? That can change in clang silently.
>>
>>> + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
>>> + KASAN_ALLOCA_LEFT);
>>> + kasan_poison_shadow(right_redzone,
>>> + padding_size + KASAN_ALLOCA_REDZONE_SIZE,
>>> + KASAN_ALLOCA_RIGHT);
>>
>>
>> We also need to poison the unaligned part at the end of the object
>> from size to rounded_up_size. You can see how we do it for heap
>> objects.
>
>
> The expectation is that `size' is the exact size of the alloca()ed object.
> `rounded_up_size' then adds the 0-7 bytes needed to adjust the size to the
> ASAN shadow scale. So `addr + rounded_up_size' should be the correct place
> to start poisoning.

We need to start poisoning at addr+size exactly. Asan shadow scheme supports this.
It's not possible to poison beginning of an aligned 8-byte block, but leave tail
unpoisoned. But it is possible to poison tail of an aligned 8-byte block and leave
beginning unpoisoned. Look at what we do for kmalloc.

> In retrospect this part of the code was pretty confusing. How about this?
> I think its intent is clearer, plus it's a closer match for the description
> in my commit message:
>
> unsigned long left_redzone_start;
> unsigned long object_end;
> unsigned long right_redzone_start, right_redzone_end;
>
> left_redzone_start = addr - KASAN_ALLOCA_REDZONE_SIZE;
> kasan_poison_shadow((const void *)left_redzone_start,
> KASAN_ALLOCA_REDZONE_SIZE,
> KASAN_ALLOCA_LEFT);
>
> object_end = round_up(addr + size, KASAN_SHADOW_SCALE_SIZE);
> right_redzone_start = round_up(object_end,
> KASAN_ALLOCA_REDZONE_SIZE);
> right_redzone_end = right_redzone_start + KASAN_ALLOCA_REDZONE_SIZE;
> kasan_poison_shadow((const void *)object_end,
> right_redzone_end - object_end,
> KASAN_ALLOCA_RIGHT);
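The shadow-encoding point made in the reply above (an 8-byte granule can be poisoned at its tail but not at its head, so poisoning can start at addr+size exactly) and the earlier observation that a test probing addr+round_up(size, 8) never sees the gap, as a user-space model. This is editor-added example code, not code from the patch or from the kernel: addresses are offsets into a constructed 4 KiB arena, and the round_up() macro, the 32-byte redzone, and the ALLOCA_LEFT/ALLOCA_RIGHT shadow values are assumptions made here. alloca_poison_as_posted() models the layout in the patch as posted; alloca_poison_fixed() models poisoning from the exact object end with a partial-granule shadow byte.

```c
/*
 * User-space model of the alloca redzone layout and the KASAN shadow
 * encoding discussed in this thread. Added example, not kernel code:
 * addresses are offsets into a small constructed arena, and the redzone
 * size and the two redzone shadow values are assumed here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHADOW_SCALE_SHIFT  3
#define SHADOW_SCALE_SIZE   (1UL << SHADOW_SCALE_SHIFT)  /* 8 bytes per shadow byte */
#define SHADOW_MASK         (SHADOW_SCALE_SIZE - 1)
#define ALLOCA_REDZONE_SIZE 32UL   /* 32-byte aligned, at least 32 bytes (commit message) */
#define ALLOCA_LEFT         0xCA   /* assumed shadow values for the two redzones */
#define ALLOCA_RIGHT        0xCB

#define ARENA_SIZE 4096UL
static uint8_t shadow[ARENA_SIZE >> SHADOW_SCALE_SHIFT];  /* one shadow byte per granule */

#define round_up(x, a) ((((x) + (a) - 1) / (a)) * (a))

void shadow_reset(void)
{
	memset(shadow, 0, sizeof(shadow));
}

/* Whole-granule poisoning, the analogue of kasan_poison_shadow(). */
static void poison_shadow(unsigned long addr, unsigned long size, uint8_t value)
{
	memset(&shadow[addr >> SHADOW_SCALE_SHIFT], value, size >> SHADOW_SCALE_SHIFT);
}

/*
 * ASAN shadow encoding: 0 means all 8 bytes of the granule are addressable,
 * 1..7 means only the first k bytes are, any other value means none are.
 * This is why a granule can be poisoned at its tail but never at its head.
 */
bool byte_poisoned(unsigned long addr)
{
	uint8_t s = shadow[addr >> SHADOW_SCALE_SHIFT];

	if (s == 0)
		return false;
	if (s < SHADOW_SCALE_SIZE)
		return (addr & SHADOW_MASK) >= s;
	return true;
}

/* What an instrumented access of len bytes at addr would report. */
bool access_is_bad(unsigned long addr, unsigned long len)
{
	for (unsigned long a = addr; a < addr + len; a++)
		if (byte_poisoned(a))
			return true;
	return false;
}

/* Layout as posted: the right redzone starts at the next granule boundary,
 * so [addr + size, addr + rounded_up_size) is left addressable. */
void alloca_poison_as_posted(unsigned long addr, unsigned long size)
{
	unsigned long rounded_up_size = round_up(size, SHADOW_SCALE_SIZE);
	unsigned long padding_size = round_up(size, ALLOCA_REDZONE_SIZE) - rounded_up_size;

	poison_shadow(addr - ALLOCA_REDZONE_SIZE, ALLOCA_REDZONE_SIZE, ALLOCA_LEFT);
	poison_shadow(addr + rounded_up_size, padding_size + ALLOCA_REDZONE_SIZE, ALLOCA_RIGHT);
}

/* Poison from addr + size exactly: write the partial-granule shadow byte for
 * the tail (the way heap objects are handled), then whole granules up to the
 * end of the right redzone. */
void alloca_poison_fixed(unsigned long addr, unsigned long size)
{
	unsigned long object_end = addr + size;
	unsigned long granule_end = round_up(object_end, SHADOW_SCALE_SIZE);
	unsigned long right_redzone_end =
		round_up(object_end, ALLOCA_REDZONE_SIZE) + ALLOCA_REDZONE_SIZE;

	poison_shadow(addr - ALLOCA_REDZONE_SIZE, ALLOCA_REDZONE_SIZE, ALLOCA_LEFT);
	if (object_end & SHADOW_MASK)  /* k addressable bytes at the head of the granule */
		shadow[object_end >> SHADOW_SCALE_SHIFT] = object_end & SHADOW_MASK;
	poison_shadow(granule_end, right_redzone_end - granule_end, ALLOCA_RIGHT);
}

int main(void)
{
	unsigned long addr = 128, size = 10;  /* constructed: 32-byte aligned, 10-byte object */

	shadow_reset();
	alloca_poison_as_posted(addr, size);
	printf("as posted: addr+size poisoned=%d  addr+round_up(size,8) poisoned=%d\n",
	       byte_poisoned(addr + size), byte_poisoned(addr + round_up(size, 8)));

	shadow_reset();
	alloca_poison_fixed(addr, size);
	printf("fixed:     addr+size poisoned=%d  addr+size-1 poisoned=%d\n",
	       byte_poisoned(addr + size), byte_poisoned(addr + size - 1));
	return 0;
}
```

On the 10-byte object the as-posted layout leaves bytes 10..15 past the object addressable while a probe at addr+16 is caught, which is why a test that rounds its probe up to 8 bytes passes without proving anything about the tail; the fixed layout writes shadow value 2 for the granule holding the object end, so byte 9 is in bounds and byte 10 is reported, and when the object end is already granule-aligned no partial byte is written at all.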
From: Andrey Ryabinin
Date: Fri, 14 Jul 2017 19:52:05 +0300
Subject: Re: [PATCH 1/4] kasan: support alloca() poisoning
Message-ID: <0e51dc15-1c93-2326-444d-8257b61af54f@virtuozzo.com>
In-Reply-To: <39dd8c5c-e606-486a-bcef-b8481c5203a1@google.com>

On 07/14/2017 01:49 AM, Greg Hackmann wrote:
> On 07/10/2017 03:30 AM, Andrey Ryabinin wrote:
>> gcc now supports this too. So I think this patch should enable it.
>> It's off by default so you'll have to add --param asan-instrument-allocas=1 into cflags
>> to make it work
>
> Thanks, will fix. For now, it looks like I'll need to build gcc from git to test this?
>

Right, you'll need quite fresh revision >= 250032

>>> lib/test_kasan.c | 22 ++++++++++++++++++++++
>>
>> Tests would be better as a separate patch.
>
> I was following the precedent in 828347f8f9a5 ("kasan: support use-after-scope detection")
> which added both at the same time. But I can split the test off into a separate patch
> if you feel really strongly about it.

Please, do the split.