* [PATCH v2 0/5] kasan: support alloca, LLVM
From: Paul Lawrence @ 2017-11-29 21:50 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov,
	Masahiro Yamada, Michal Marek
  Cc: linux-kernel, kasan-dev, linux-mm, linux-kbuild,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann,
	Paul Lawrence

Adding kasan alloca support using clang.
Also adding support for clang, since it is needed for this feature.
gcc has kasan alloca support, but only post 7.2.

[PATCH v2 1/5] kasan: support alloca() poisoning
  Tests moved to patch 2/5
  __asan_alloca_unpoison():
    Use precalculated rounded-up-size
    Warning added if bottom is not aligned as expected
    Parameter check added to make sure gcc builds don't fail
    Now unpoisons partial chunks
  get_shadow_bug_type():
    Missing break added

[PATCH v2 2/5] kasan: Add tests for alloca poisoning
  Tests moved here
  kasan_alloca_oob_right():
    No longer rounding up

[PATCH v2 3/5] kasan: added functions for unpoisoning stack variables
  No change from v1. clang builds need f8

[PATCH v2 4/5] kasan: support LLVM-style asan parameters
  Rejigged whole file. Old approach would not work except with ToT gcc
  or clang. All parameters would be rejected if one was not known.
  Also if both were empty, CFLAGS_KASAN would be " " which mostly
  disabled kasan on older compilers.
  Added support for gcc, tested on ToT compiler

[PATCH v2 5/5] kasan: add compiler support for clang
  Made comments single line

Paul Lawrence (5):
  kasan: support alloca() poisoning
  kasan: Add tests for alloca poisoning
  kasan: added functions for unpoisoning stack variables
  kasan: support LLVM-style asan parameters
  kasan: add compiler support for clang

 include/linux/compiler-clang.h |  8 +++++++
 lib/test_kasan.c               | 22 ++++++++++++++++++++
 mm/kasan/kasan.c               | 47 ++++++++++++++++++++++++++++++++++++++++++
 mm/kasan/kasan.h               |  8 +++++++
 mm/kasan/report.c              |  4 ++++
 scripts/Makefile.kasan         | 39 ++++++++++++++++++++++++-----------
 6 files changed, 116 insertions(+), 12 deletions(-)

--
2.15.0.531.g2ccb3012c9-goog

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>


* [PATCH v2 1/5] kasan: support alloca() poisoning
From: Paul Lawrence @ 2017-11-29 21:50 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov,
	Masahiro Yamada, Michal Marek
  Cc: linux-kernel, kasan-dev, linux-mm, linux-kbuild,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann,
	Paul Lawrence

clang's AddressSanitizer implementation adds redzones on either side of
alloca()ed buffers.  These redzones are 32-byte aligned and at least 32
bytes long.

__asan_alloca_poison() is passed the size and address of the allocated
buffer, *excluding* the redzones on either side.  The left redzone will
always be to the immediate left of this buffer; but AddressSanitizer may
need to add padding between the end of the buffer and the right redzone.
If there are any 8-byte chunks inside this padding, we should poison
those too.

__asan_allocas_unpoison() is just passed the top and bottom of the
dynamic stack area, so unpoisoning is simpler.

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>

 mm/kasan/kasan.c  | 32 ++++++++++++++++++++++++++++++++
 mm/kasan/kasan.h  |  8 ++++++++
 mm/kasan/report.c |  4 ++++
 3 files changed, 44 insertions(+)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 405bba487df5..f86f862f41f8 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -736,6 +736,38 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size)
 }
 EXPORT_SYMBOL(__asan_unpoison_stack_memory);
 
+/* Emitted by compiler to poison alloca()ed objects. */
+void __asan_alloca_poison(unsigned long addr, size_t size)
+{
+	size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
+	size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) -
+			rounded_up_size;
+
+	const void *left_redzone = (const void *)(addr -
+			KASAN_ALLOCA_REDZONE_SIZE);
+	const void *right_redzone = (const void *)(addr + rounded_up_size);
+
+	WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE));
+
+	kasan_unpoison_shadow((const void *)addr, size);
+	kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
+			KASAN_ALLOCA_LEFT);
+	kasan_poison_shadow(right_redzone,
+			padding_size + KASAN_ALLOCA_REDZONE_SIZE,
+			KASAN_ALLOCA_RIGHT);
+}
+EXPORT_SYMBOL(__asan_alloca_poison);
+
+/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */
+void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
+{
+	if (unlikely(!stack_top || stack_top > stack_bottom))
+		return;
+
+	kasan_unpoison_shadow(stack_top, stack_bottom - stack_top);
+}
+EXPORT_SYMBOL(__asan_allocas_unpoison);
+
 #ifdef CONFIG_MEMORY_HOTPLUG
 static int __meminit kasan_mem_notifier(struct notifier_block *nb,
 			unsigned long action, void *data)
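Review bot: the WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE)) in __asan_alloca_poison() only warns and then carries on, so for a misaligned addr the left_redzone computed as addr - KASAN_ALLOCA_REDZONE_SIZE would poison part of whatever object sits before the buffer; either return after the WARN_ON or add a comment explaining why continuing is safe. The kasan_unpoison_shadow((const void *)addr, size) call deserves a comment as well: besides clearing the buffer's granules it writes the partial shadow value for [size, rounded_up_size) when size is not a multiple of KASAN_SHADOW_SCALE_SIZE, which is the only thing that protects those trailing bytes, and without the comment the call reads as a redundant unpoison of an already-clean stack.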
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index c70851a9a6a4..7c0bcd1f4c0d 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -24,6 +24,14 @@
 #define KASAN_STACK_PARTIAL     0xF4
 #define KASAN_USE_AFTER_SCOPE   0xF8
 
+/*
+ * alloca redzone shadow values
+ */
+#define KASAN_ALLOCA_LEFT	0xCA
+#define KASAN_ALLOCA_RIGHT	0xCB
+
+#define KASAN_ALLOCA_REDZONE_SIZE	32
+
 /* Don't break randconfig/all*config builds */
 #ifndef KASAN_ABI_VERSION
 #define KASAN_ABI_VERSION 1
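Review bot: KASAN_ALLOCA_REDZONE_SIZE is an ABI value, not a tunable: the commit message says clang's redzones are 32-byte aligned and at least 32 bytes, and __asan_alloca_poison() derives both the left redzone address and padding_size from this constant, so a mismatch with the compiler would silently poison the wrong bytes. A comment next to the define stating that it must match the compiler's alloca redzone size (and stay a multiple of KASAN_SHADOW_SCALE_SIZE so padding_size is granule-aligned) would help. Style point: the new defines use a tab before the value while the neighbouring KASAN_STACK_PARTIAL and KASAN_USE_AFTER_SCOPE lines use spaces.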
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 6bcfb01ba038..25419d426426 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -102,6 +102,10 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
 	case KASAN_USE_AFTER_SCOPE:
 		bug_type = "use-after-scope";
 		break;
+	case KASAN_ALLOCA_LEFT:
+	case KASAN_ALLOCA_RIGHT:
+		bug_type = "alloca-out-of-bounds";
+		break;
 	}
 
 	return bug_type;
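Review bot: KASAN_ALLOCA_LEFT and KASAN_ALLOCA_RIGHT are distinct shadow values but both collapse to the single string "alloca-out-of-bounds", so the report loses the one piece of information the two values encode. Either report the side (the report already has the shadow byte in hand) or add a comment saying the distinction is kept only for reading raw shadow dumps, so a later reader does not assume the two cases are reported differently.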
-- 
2.15.0.531.g2ccb3012c9-goog
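A user-space model of the shadow layout described in the commit message above, worked through for the i = 10 case that the tests in patch 2/5 use (an added example, not kernel code or part of this series). It replaces kernel memory with a small offset-based stack and a shadow array; the constants, rounding and redzone placement follow __asan_alloca_poison() and __asan_allocas_unpoison() as posted, and the stack size and buffer offsets are constructed.

```c
/* Self-contained model of the alloca shadow layout that __asan_alloca_poison()
 * and __asan_allocas_unpoison() set up. Added example, not kernel code: kernel
 * memory is replaced by a small byte-offset "stack" and a shadow array, with
 * the same constants and rounding as the patch. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SHADOW_SCALE_SIZE    8     /* KASAN_SHADOW_SCALE_SIZE: bytes per shadow byte */
#define ALLOCA_REDZONE_SIZE  32    /* KASAN_ALLOCA_REDZONE_SIZE */
#define ALLOCA_LEFT          0xCA  /* KASAN_ALLOCA_LEFT */
#define ALLOCA_RIGHT         0xCB  /* KASAN_ALLOCA_RIGHT */

#define STACK_BYTES 256            /* size of the modelled stack (constructed) */
static uint8_t shadow[STACK_BYTES / SHADOW_SCALE_SIZE];

static size_t round_up_to(size_t x, size_t align)
{
	return (x + align - 1) & ~(align - 1);
}

/* kasan_poison_shadow(): tag every whole granule in [off, off + size) */
static void poison_shadow(size_t off, size_t size, uint8_t value)
{
	memset(&shadow[off / SHADOW_SCALE_SIZE], value, size / SHADOW_SCALE_SIZE);
}

/* kasan_unpoison_shadow(): whole granules become 0 (addressable); a trailing
 * partial granule records how many of its leading bytes are addressable,
 * which is what covers [size, rounded_up_size) in __asan_alloca_poison() */
static void unpoison_shadow(size_t off, size_t size)
{
	poison_shadow(off, size, 0);
	if (size & (SHADOW_SCALE_SIZE - 1))
		shadow[(off + size) / SHADOW_SCALE_SIZE] = size & (SHADOW_SCALE_SIZE - 1);
}

/* Mirrors __asan_alloca_poison(): off is the buffer start (the compiler keeps
 * it 32-byte aligned), size the requested length without redzones.
 * Returns -1 where the kernel would WARN_ON (misaligned start) or where the
 * modelled stack would be exceeded, 0 on success. */
int alloca_poison(size_t off, size_t size)
{
	size_t rounded_up_size = round_up_to(size, SHADOW_SCALE_SIZE);
	size_t padding_size = round_up_to(size, ALLOCA_REDZONE_SIZE) - rounded_up_size;
	size_t right_end = off + rounded_up_size + padding_size + ALLOCA_REDZONE_SIZE;

	if (off % ALLOCA_REDZONE_SIZE || off < ALLOCA_REDZONE_SIZE || right_end > STACK_BYTES)
		return -1;

	unpoison_shadow(off, size);
	poison_shadow(off - ALLOCA_REDZONE_SIZE, ALLOCA_REDZONE_SIZE, ALLOCA_LEFT);
	poison_shadow(off + rounded_up_size, padding_size + ALLOCA_REDZONE_SIZE, ALLOCA_RIGHT);
	return 0;
}

/* Mirrors __asan_allocas_unpoison(): the whole dynamic area [top, bottom)
 * becomes addressable again when the frame unwinds */
void allocas_unpoison(size_t top, size_t bottom)
{
	if (top > bottom)
		return;
	unpoison_shadow(top, bottom - top);
}

/* The check the instrumentation performs for a one-byte access at off: 0 when
 * addressable, otherwise the shadow value that flagged it (0xCA/0xCB for a
 * redzone, 1..7 for the partially addressable last granule). */
int check_access(size_t off)
{
	uint8_t s = shadow[off / SHADOW_SCALE_SIZE];

	if (s == 0)
		return 0;
	if (s < SHADOW_SCALE_SIZE)	/* partial granule: only the first s bytes are valid */
		return (off & (SHADOW_SCALE_SIZE - 1)) < s ? 0 : s;
	return s;
}

int main(void)
{
	size_t buf = 64, len = 10;	/* same shape as the i = 10 tests in patch 2/5 */

	memset(shadow, 0, sizeof(shadow));
	alloca_poison(buf, len);
	printf("buf[-1] -> 0x%02x\n", check_access(buf - 1));	/* 0xca: left redzone */
	printf("buf[9]  -> 0x%02x\n", check_access(buf + 9));	/* 0x00: in bounds */
	printf("buf[10] -> 0x%02x\n", check_access(buf + 10));	/* 0x02: partial granule */
	printf("buf[16] -> 0x%02x\n", check_access(buf + 16));	/* 0xcb: padding + right redzone */
	allocas_unpoison(buf - ALLOCA_REDZONE_SIZE, buf + 64);
	printf("after unwind buf[-1] -> 0x%02x\n", check_access(buf - 1));	/* 0x00 */
	return 0;
}
```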


* [PATCH v2 2/5] kasan: Add tests for alloca poisoning
From: Paul Lawrence @ 2017-11-29 21:50 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov,
	Masahiro Yamada, Michal Marek
  Cc: linux-kernel, kasan-dev, linux-mm, linux-kbuild,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann,
	Paul Lawrence

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>

 lib/test_kasan.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index ef1a3ac1397e..2724f86c4cef 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -472,6 +472,26 @@ static noinline void __init use_after_scope_test(void)
 	p[1023] = 1;
 }
 
+static noinline void __init kasan_alloca_oob_left(void)
+{
+	volatile int i = 10;
+	char alloca_array[i];
+	char *p = alloca_array - 1;
+
+	pr_info("out-of-bounds to left on alloca\n");
+	*(volatile char *)p;
+}
+
+static noinline void __init kasan_alloca_oob_right(void)
+{
+	volatile int i = 10;
+	char alloca_array[i];
+	char *p = alloca_array + i;
+
+	pr_info("out-of-bounds to right on alloca\n");
+	*(volatile char *)p;
+}
+
 static int __init kmalloc_tests_init(void)
 {
 	/*
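Review bot: kasan_alloca_oob_right() reads alloca_array + i with i = 10, which lands in the partially addressable 8-byte granule [8, 16) rather than in the 32-byte KASAN_ALLOCA_RIGHT redzone, so the report for this test depends on the partial shadow value that kasan_unpoison_shadow() writes. That is a useful case to keep, but a second access past the rounded-up size, or a comment stating that the partial-granule path is the intent, would make sure the 0xCB redzone itself is exercised as the left test exercises 0xCA.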
@@ -502,6 +522,8 @@ static int __init kmalloc_tests_init(void)
 	memcg_accounted_kmem_cache();
 	kasan_stack_oob();
 	kasan_global_oob();
+	kasan_alloca_oob_left();
+	kasan_alloca_oob_right();
 	ksize_unpoisons_memory();
 	copy_user_test();
 	use_after_scope_test();
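Review bot: the two new calls run unconditionally, but alloca instrumentation only exists when the compiler accepts --param asan-instrument-allocas=1 (gcc after 7.2, per the cover letter) or is clang; on an older gcc both tests execute, print their pr_info line and produce no KASAN report, which reads like a silent pass. A comment here, or in the test functions, saying which compilers are expected to report would stop a missing report from being misread.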
-- 
2.15.0.531.g2ccb3012c9-goog


* [PATCH v2 3/5] kasan: added functions for unpoisoning stack variables
From: Paul Lawrence @ 2017-11-29 21:50 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov,
	Masahiro Yamada, Michal Marek
  Cc: linux-kernel, kasan-dev, linux-mm, linux-kbuild,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann,
	Paul Lawrence

From: Alexander Potapenko <glider@google.com>

As a code-size optimization, LLVM builds since r279383 may
bulk-manipulate the shadow region when (un)poisoning large memory
blocks.  This requires new callbacks that simply do an uninstrumented
memset().

This fixes linking the Clang-built kernel when using KASAN.

Signed-off-by: Alexander Potapenko <glider@google.com>
[ghackmann@google.com: fix memset() parameters, and tweak
 commit message to describe new callbacks]
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>

---
 mm/kasan/kasan.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index f86f862f41f8..89565a1ec417 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -768,6 +768,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
 }
 EXPORT_SYMBOL(__asan_allocas_unpoison);
 
+/* Emitted by the compiler to [un]poison local variables. */
+#define DEFINE_ASAN_SET_SHADOW(byte) \
+	void __asan_set_shadow_##byte(const void *addr, size_t size)	\
+	{								\
+		__memset((void *)addr, 0x##byte, size);			\
+	}								\
+	EXPORT_SYMBOL(__asan_set_shadow_##byte)
+
+DEFINE_ASAN_SET_SHADOW(00);
+DEFINE_ASAN_SET_SHADOW(f1);
+DEFINE_ASAN_SET_SHADOW(f2);
+DEFINE_ASAN_SET_SHADOW(f3);
+DEFINE_ASAN_SET_SHADOW(f5);
+DEFINE_ASAN_SET_SHADOW(f8);
+
 #ifdef CONFIG_MEMORY_HOTPLUG
 static int __meminit kasan_mem_notifier(struct notifier_block *nb,
 			unsigned long action, void *data)
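Review bot: the comment "Emitted by the compiler to [un]poison local variables" should say what addr is: the commit message explains that the compiler bulk-manipulates the shadow region, so addr is a shadow address and size a shadow length, not the object's address, and __memset is used precisely because it is the uninstrumented variant. Without that, the cast-and-memset body looks like it is writing into the object itself.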
-- 
2.15.0.531.g2ccb3012c9-goog


* [PATCH v2 4/5] kasan: support LLVM-style asan parameters
From: Paul Lawrence @ 2017-11-29 21:50 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov,
	Masahiro Yamada, Michal Marek
  Cc: linux-kernel, kasan-dev, linux-mm, linux-kbuild,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann,
	Paul Lawrence

Use cc-option to figure out whether the compiler's sanitizer uses
LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters
("--param asan-foo=bar").

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>

---
 scripts/Makefile.kasan | 39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
index 1ce7115aa499..89c5b166adec 100644
--- a/scripts/Makefile.kasan
+++ b/scripts/Makefile.kasan
@@ -10,24 +10,39 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET)
 
 CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address
 
-CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \
-		-fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \
-		--param asan-stack=1 --param asan-globals=1 \
-		--param asan-instrumentation-with-call-threshold=$(call_threshold))
-
 ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),)
    ifneq ($(CONFIG_COMPILE_TEST),y)
         $(warning Cannot use CONFIG_KASAN: \
             -fsanitize=kernel-address is not supported by compiler)
    endif
 else
-    ifeq ($(CFLAGS_KASAN),)
-        ifneq ($(CONFIG_COMPILE_TEST),y)
-            $(warning CONFIG_KASAN: compiler does not support all options.\
-                Trying minimal configuration)
-        endif
-        CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)
-    endif
+   # -fasan-shadow-offset fails without -fsanitize
+   CFLAGS_KASAN_SHADOW := \
+		$(call cc-option, -fsanitize=kernel-address \
+			-fasan-shadow-offset=$(KASAN_SHADOW_OFFSET))
+   ifeq ($(CFLAGS_KASAN_SHADOW),)
+      CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)
+   else
+      CFLAGS_KASAN := $(CFLAGS_KASAN_SHADOW)
+   endif
+
+   # Now add all the compiler specific options that are valid standalone
+   CFLAGS_KASAN := $(CFLAGS_KASAN) \
+	$(call cc-option, --param asan-globals=1) \
+	$(call cc-option, --param asan-instrument-allocas=1) \
+	$(call cc-option, --param asan-instrumentation-with-call-threshold=$(call_threshold)) \
+	$(call cc-option, -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET)) \
+	$(call cc-option, -mllvm -asan-stack=1) \
+	$(call cc-option, -mllvm -asan-globals=1) \
+	$(call cc-option, -mllvm -asan-use-after-scope=1) \
+	$(call cc-option, -mllvm -asan-instrumentation-with-call-threshold=$(call_threshold))
+
+
+   # This option crashes on gcc 4.9, and is not available on clang
+   ifeq ($(call cc-ifversion, -ge, 0500, y), y)
+        CFLAGS_KASAN := $(CFLAGS_KASAN) $(call cc-option, --param asan-stack=1)
+   endif
+
 endif
 
 CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope)
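Review bot: the warning "CONFIG_KASAN: compiler does not support all options. Trying minimal configuration" is dropped, so when CFLAGS_KASAN_SHADOW comes back empty the build now falls back to CFLAGS_KASAN_MINIMAL silently; keep the warning under the existing ifneq ($(CONFIG_COMPILE_TEST),y) so a wrong or unsupported shadow offset is still visible. The comment "This option crashes on gcc 4.9, and is not available on clang" also overstates the guard below it: cc-ifversion only checks the version number, so on clang the branch is taken and the option is filtered by cc-option alone; say so, or add an explicit compiler check. Style point: there is a double blank line after the -asan-instrumentation-with-call-threshold line.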
-- 
2.15.0.531.g2ccb3012c9-goog


* [PATCH v2 5/5] kasan: add compiler support for clang
From: Paul Lawrence @ 2017-11-29 21:50 UTC (permalink / raw)
  To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov,
	Masahiro Yamada, Michal Marek
  Cc: linux-kernel, kasan-dev, linux-mm, linux-kbuild,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann,
	Paul Lawrence

For now we can hard-code ASAN ABI level 5, since historical clang builds
can't build the kernel anyway.  We also need to emulate gcc's
__SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented.

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>

---
 include/linux/compiler-clang.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index 3b609edffa8f..d02a4df3f473 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -19,3 +19,11 @@
 
 #define randomized_struct_fields_start	struct {
 #define randomized_struct_fields_end	};
+
+/* all clang versions usable with the kernel support KASAN ABI version 5 */
+#define KASAN_ABI_VERSION 5
+
+/* emulate gcc's __SANITIZE_ADDRESS__ flag */
+#if __has_feature(address_sanitizer)
+#define __SANITIZE_ADDRESS__
+#endif
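Review bot: gcc defines __SANITIZE_ADDRESS__ to 1, whereas this hunk defines it empty; #ifdef users are unaffected, but any #if __SANITIZE_ADDRESS__ test would then fail to compile on clang, so defining it as 1 would emulate gcc more faithfully. KASAN_ABI_VERSION 5 is also defined outside the __has_feature(address_sanitizer) check; that is harmless because mm/kasan is only built with KASAN, but grouping it under the same condition would make the intent clearer.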
-- 
2.15.0.531.g2ccb3012c9-goog


* Re: [PATCH v2 1/5] kasan: support alloca() poisoning
From: Dmitry Vyukov @ 2017-11-30  8:26 UTC (permalink / raw)
  To: Paul Lawrence
  Cc: Andrey Ryabinin, Alexander Potapenko, Masahiro Yamada,
	Michal Marek, LKML, kasan-dev, Linux-MM,
	open list:KERNEL BUILD + fi...,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann

/\/\/\/\/\/\On Wed, Nov 29, 2017 at 10:50 PM, Paul Lawrence
<paullawrence@google.com> wrote:
> clang's AddressSanitizer implementation adds redzones on either side of
> alloca()ed buffers.  These redzones are 32-byte aligned and at least 32
> bytes long.
>
> __asan_alloca_poison() is passed the size and address of the allocated
> buffer, *excluding* the redzones on either side.  The left redzone will
> always be to the immediate left of this buffer; but AddressSanitizer may
> need to add padding between the end of the buffer and the right redzone.
> If there are any 8-byte chunks inside this padding, we should poison
> those too.
>
> __asan_allocas_unpoison() is just passed the top and bottom of the
> dynamic stack area, so unpoisoning is simpler.
>
> Signed-off-by: Greg Hackmann <ghackmann@google.com>
> Signed-off-by: Paul Lawrence <paullawrence@google.com>
>
>  mm/kasan/kasan.c  | 32 ++++++++++++++++++++++++++++++++
>  mm/kasan/kasan.h  |  8 ++++++++
>  mm/kasan/report.c |  4 ++++
>  3 files changed, 44 insertions(+)
>
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index 405bba487df5..f86f862f41f8 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -736,6 +736,38 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size)
>  }
>  EXPORT_SYMBOL(__asan_unpoison_stack_memory);
>
> +/* Emitted by compiler to poison alloca()ed objects. */
> +void __asan_alloca_poison(unsigned long addr, size_t size)
> +{
> +       size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
> +       size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) -
> +                       rounded_up_size;
> +
> +       const void *left_redzone = (const void *)(addr -
> +                       KASAN_ALLOCA_REDZONE_SIZE);
> +       const void *right_redzone = (const void *)(addr + rounded_up_size);
> +
> +       WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE));
> +
> +       kasan_unpoison_shadow((const void *)addr, size);

/\/\/\/\/\/\

Why do we need this? Stack must be clean. Compiler instrumentation
does not clear shadow for objects in function prologue; if stack is
dirty, KASAN would explode.


> +       kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
> +                       KASAN_ALLOCA_LEFT);
> +       kasan_poison_shadow(right_redzone,
> +                       padding_size + KASAN_ALLOCA_REDZONE_SIZE,
> +                       KASAN_ALLOCA_RIGHT);

We also need to poison [size, rounded_up_size) with partial value if
the range is not empty. I.e. we can poison exactly, say, 3 bytes
there.


> +}
> +EXPORT_SYMBOL(__asan_alloca_poison);
> +
> +/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */
> +void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
> +{
> +       if (unlikely(!stack_top || stack_top > stack_bottom))
> +               return;
> +
> +       kasan_unpoison_shadow(stack_top, stack_bottom - stack_top);
> +}
> +EXPORT_SYMBOL(__asan_allocas_unpoison);
> +
>  #ifdef CONFIG_MEMORY_HOTPLUG
>  static int __meminit kasan_mem_notifier(struct notifier_block *nb,
>                         unsigned long action, void *data)
> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
> index c70851a9a6a4..7c0bcd1f4c0d 100644
> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -24,6 +24,14 @@
>  #define KASAN_STACK_PARTIAL     0xF4
>  #define KASAN_USE_AFTER_SCOPE   0xF8
>
> +/*
> + * alloca redzone shadow values
> + */
> +#define KASAN_ALLOCA_LEFT      0xCA
> +#define KASAN_ALLOCA_RIGHT     0xCB
> +
> +#define KASAN_ALLOCA_REDZONE_SIZE      32
> +
>  /* Don't break randconfig/all*config builds */
>  #ifndef KASAN_ABI_VERSION
>  #define KASAN_ABI_VERSION 1
> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
> index 6bcfb01ba038..25419d426426 100644
> --- a/mm/kasan/report.c
> +++ b/mm/kasan/report.c
> @@ -102,6 +102,10 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
>         case KASAN_USE_AFTER_SCOPE:
>                 bug_type = "use-after-scope";
>                 break;
> +       case KASAN_ALLOCA_LEFT:
> +       case KASAN_ALLOCA_RIGHT:
> +               bug_type = "alloca-out-of-bounds";
> +               break;
>         }
>
>         return bug_type;
> --
> 2.15.0.531.g2ccb3012c9-goog
>


* Re: [PATCH v2 1/5] kasan: support alloca() poisoning
From: Dmitry Vyukov @ 2017-11-30  8:29 UTC (permalink / raw)
  To: Paul Lawrence
  Cc: Andrey Ryabinin, Alexander Potapenko, Masahiro Yamada,
	Michal Marek, LKML, kasan-dev, Linux-MM,
	open list:KERNEL BUILD + fi...,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann

On Thu, Nov 30, 2017 at 9:26 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> /\/\/\/\/\/\On Wed, Nov 29, 2017 at 10:50 PM, Paul Lawrence
> <paullawrence@google.com> wrote:
>> clang's AddressSanitizer implementation adds redzones on either side of
>> alloca()ed buffers.  These redzones are 32-byte aligned and at least 32
>> bytes long.
>>
>> __asan_alloca_poison() is passed the size and address of the allocated
>> buffer, *excluding* the redzones on either side.  The left redzone will
>> always be to the immediate left of this buffer; but AddressSanitizer may
>> need to add padding between the end of the buffer and the right redzone.
>> If there are any 8-byte chunks inside this padding, we should poison
>> those too.
>>
>> __asan_allocas_unpoison() is just passed the top and bottom of the
>> dynamic stack area, so unpoisoning is simpler.
>>
>> Signed-off-by: Greg Hackmann <ghackmann@google.com>
>> Signed-off-by: Paul Lawrence <paullawrence@google.com>
>>
>>  mm/kasan/kasan.c  | 32 ++++++++++++++++++++++++++++++++
>>  mm/kasan/kasan.h  |  8 ++++++++
>>  mm/kasan/report.c |  4 ++++
>>  3 files changed, 44 insertions(+)
>>
>> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
>> index 405bba487df5..f86f862f41f8 100644
>> --- a/mm/kasan/kasan.c
>> +++ b/mm/kasan/kasan.c
>> @@ -736,6 +736,38 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size)
>>  }
>>  EXPORT_SYMBOL(__asan_unpoison_stack_memory);
>>
>> +/* Emitted by compiler to poison alloca()ed objects. */
>> +void __asan_alloca_poison(unsigned long addr, size_t size)
>> +{
>> +       size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
>> +       size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) -
>> +                       rounded_up_size;
>> +
>> +       const void *left_redzone = (const void *)(addr -
>> +                       KASAN_ALLOCA_REDZONE_SIZE);
>> +       const void *right_redzone = (const void *)(addr + rounded_up_size);
>> +
>> +       WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE));
>> +
>> +       kasan_unpoison_shadow((const void *)addr, size);
>
> /\/\/\/\/\/\
>
> Why do we need this? Stack must be clean. Compiler instrumentation
> does not clear shadow for objects in function prologue, if stack is
> dirty KASAN would explode.
>
>
>> +       kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
>> +                       KASAN_ALLOCA_LEFT);
>> +       kasan_poison_shadow(right_redzone,
>> +                       padding_size + KASAN_ALLOCA_REDZONE_SIZE,
>> +                       KASAN_ALLOCA_RIGHT);
>
> We also need to poison [size, rounded_up_size) with partial value if
> the range is not empty. I.e. we can poison exactly, say, 3 bytes
> there.

Wait, kasan_unpoison_shadow does this, right?
Somewhat counter-intuitive and more expensive than needed. Let's
poison only the last byte.



>> +}
>> +EXPORT_SYMBOL(__asan_alloca_poison);
>> +
>> +/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */
>> +void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
>> +{
>> +       if (unlikely(!stack_top || stack_top > stack_bottom))
>> +               return;
>> +
>> +       kasan_unpoison_shadow(stack_top, stack_bottom - stack_top);
>> +}
>> +EXPORT_SYMBOL(__asan_allocas_unpoison);
>> +
>>  #ifdef CONFIG_MEMORY_HOTPLUG
>>  static int __meminit kasan_mem_notifier(struct notifier_block *nb,
>>                         unsigned long action, void *data)
>> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
>> index c70851a9a6a4..7c0bcd1f4c0d 100644
>> --- a/mm/kasan/kasan.h
>> +++ b/mm/kasan/kasan.h
>> @@ -24,6 +24,14 @@
>>  #define KASAN_STACK_PARTIAL     0xF4
>>  #define KASAN_USE_AFTER_SCOPE   0xF8
>>
>> +/*
>> + * alloca redzone shadow values
>> + */
>> +#define KASAN_ALLOCA_LEFT      0xCA
>> +#define KASAN_ALLOCA_RIGHT     0xCB
>> +
>> +#define KASAN_ALLOCA_REDZONE_SIZE      32
>> +
>>  /* Don't break randconfig/all*config builds */
>>  #ifndef KASAN_ABI_VERSION
>>  #define KASAN_ABI_VERSION 1
>> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
>> index 6bcfb01ba038..25419d426426 100644
>> --- a/mm/kasan/report.c
>> +++ b/mm/kasan/report.c
>> @@ -102,6 +102,10 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
>>         case KASAN_USE_AFTER_SCOPE:
>>                 bug_type = "use-after-scope";
>>                 break;
>> +       case KASAN_ALLOCA_LEFT:
>> +       case KASAN_ALLOCA_RIGHT:
>> +               bug_type = "alloca-out-of-bounds";
>> +               break;
>>         }
>>
>>         return bug_type;
>> --
>> 2.15.0.531.g2ccb3012c9-goog
>>


* Re: [PATCH v2 2/5] kasan: Add tests for alloca poisoning
From: Dmitry Vyukov @ 2017-11-30  8:30 UTC (permalink / raw)
  To: Paul Lawrence
  Cc: Andrey Ryabinin, Alexander Potapenko, Masahiro Yamada,
	Michal Marek, LKML, kasan-dev, Linux-MM,
	open list:KERNEL BUILD + fi...,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann

On Wed, Nov 29, 2017 at 10:50 PM, 'Paul Lawrence' via kasan-dev
<kasan-dev@googlegroups.com> wrote:
> Signed-off-by: Greg Hackmann <ghackmann@google.com>
> Signed-off-by: Paul Lawrence <paullawrence@google.com>
>
>  lib/test_kasan.c | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index ef1a3ac1397e..2724f86c4cef 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -472,6 +472,26 @@ static noinline void __init use_after_scope_test(void)
>         p[1023] = 1;
>  }
>
> +static noinline void __init kasan_alloca_oob_left(void)
> +{
> +       volatile int i = 10;
> +       char alloca_array[i];
> +       char *p = alloca_array - 1;
> +
> +       pr_info("out-of-bounds to left on alloca\n");
> +       *(volatile char *)p;
> +}
> +
> +static noinline void __init kasan_alloca_oob_right(void)
> +{
> +       volatile int i = 10;
> +       char alloca_array[i];
> +       char *p = alloca_array + i;
> +
> +       pr_info("out-of-bounds to right on alloca\n");
> +       *(volatile char *)p;
> +}
> +
>  static int __init kmalloc_tests_init(void)
>  {
>         /*
> @@ -502,6 +522,8 @@ static int __init kmalloc_tests_init(void)
>         memcg_accounted_kmem_cache();
>         kasan_stack_oob();
>         kasan_global_oob();
> +       kasan_alloca_oob_left();
> +       kasan_alloca_oob_right();
>         ksize_unpoisons_memory();
>         copy_user_test();
>         use_after_scope_test();


Reviewed-by: Dmitry Vyukov <dvyukov@google.com>


* Re: [PATCH v2 3/5] kasan: added functions for unpoisoning stack variables
From: Dmitry Vyukov @ 2017-11-30  8:31 UTC (permalink / raw)
  To: Paul Lawrence
  Cc: Andrey Ryabinin, Alexander Potapenko, Masahiro Yamada,
	Michal Marek, LKML, kasan-dev, Linux-MM,
	open list:KERNEL BUILD + fi...,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann

On Wed, Nov 29, 2017 at 10:50 PM, 'Paul Lawrence' via kasan-dev
<kasan-dev@googlegroups.com> wrote:
> From: Alexander Potapenko <glider@google.com>
>
> As a code-size optimization, LLVM builds since r279383 may
> bulk-manipulate the shadow region when (un)poisoning large memory
> blocks.  This requires new callbacks that simply do an uninstrumented
> memset().
>
> This fixes linking the Clang-built kernel when using KASAN.
>
> Signed-off-by: Alexander Potapenko <glider@google.com>
> [ghackmann@google.com: fix memset() parameters, and tweak
>  commit message to describe new callbacks]
> Signed-off-by: Greg Hackmann <ghackmann@google.com>
> Signed-off-by: Paul Lawrence <paullawrence@google.com>
>
> ---
>  mm/kasan/kasan.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index f86f862f41f8..89565a1ec417 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -768,6 +768,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
>  }
>  EXPORT_SYMBOL(__asan_allocas_unpoison);
>
> +/* Emitted by the compiler to [un]poison local variables. */
> +#define DEFINE_ASAN_SET_SHADOW(byte) \
> +       void __asan_set_shadow_##byte(const void *addr, size_t size)    \
> +       {                                                               \
> +               __memset((void *)addr, 0x##byte, size);                 \
> +       }                                                               \
> +       EXPORT_SYMBOL(__asan_set_shadow_##byte)
> +
> +DEFINE_ASAN_SET_SHADOW(00);
> +DEFINE_ASAN_SET_SHADOW(f1);
> +DEFINE_ASAN_SET_SHADOW(f2);
> +DEFINE_ASAN_SET_SHADOW(f3);
> +DEFINE_ASAN_SET_SHADOW(f5);
> +DEFINE_ASAN_SET_SHADOW(f8);
> +
>  #ifdef CONFIG_MEMORY_HOTPLUG
>  static int __meminit kasan_mem_notifier(struct notifier_block *nb,
>                         unsigned long action, void *data)
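Review bot: the comment above DEFINE_ASAN_SET_SHADOW should state that `addr` is a shadow address and `size` is a count of shadow bytes, not a kernel address and a byte length; the body writes straight into whatever `addr` points at, so the distinction is the whole contract. It would also help to name the magic values once: 0x00 addressable, f1/f2/f3 the stack left/mid/right redzones, f5 after-return, f8 use-after-scope, matching the kernel's own KASAN_STACK_LEFT/MID/RIGHT and KASAN_USE_AFTER_SCOPE constants. Minor: `(void *)addr` casts away the `const` the prototype promises; since every one of these functions writes through the pointer, a non-const parameter is more honest than the cast.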


Reviewed-by: Dmitry Vyukov <dvyukov@google.com>

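The callbacks in the hunk above write magic bytes straight into shadow memory. The user-space model below is added here as an illustration and is not code from the kernel or from this series; it shows what those bytes mean for one stack frame: the prologue poisons the left/mid/right redzones (0xf1/0xf2/0xf3) and encodes a 13-byte local as one fully addressable 8-byte granule plus a partial one, end of scope marks a variable 0xf8, and the epilogue unpoisons the whole frame with a single bulk 0x00 call. The region and shadow arrays, the frame layout, the helper names and the bug-type strings are all constructed for the example; the kernel's real kasan_mem_to_shadow(), get_shadow_bug_type() and KASAN_STACK_* constants are only imitated.

```c
/*
 * User-space model of the KASAN shadow encoding and of the bulk
 * __asan_set_shadow_XX callbacks. Added example, not kernel code.
 * Assumptions: a fake 4 KiB "stack" region with a separate shadow
 * array, one shadow byte per 8-byte granule (scale shift 3, as in
 * the kernel), and the ASan stack magic values f1/f2/f3/f8.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SHADOW_SCALE_SHIFT 3
#define GRANULE (1u << SHADOW_SCALE_SHIFT)
#define REGION_SIZE 4096u
#define FRAME_OFF 64		/* constructed: frame base inside region */
#define FRAME_GRANULES 16	/* constructed: 128-byte frame */

static uint8_t region[REGION_SIZE] __attribute__((aligned(32)));
static uint8_t shadow[REGION_SIZE >> SHADOW_SCALE_SHIFT];

/* Model of kasan_mem_to_shadow(): (addr - base) >> 3 into the shadow array. */
static uint8_t *mem_to_shadow(const void *addr)
{
	return shadow + (((const uint8_t *)addr - region) >> SHADOW_SCALE_SHIFT);
}

/*
 * Model of DEFINE_ASAN_SET_SHADOW(): the compiler passes a *shadow*
 * address and a size in shadow bytes, so one call covers 8*size bytes
 * of the frame. That is the code-size win the commit message refers to.
 */
#define DEFINE_SET_SHADOW(byte) \
	static void set_shadow_##byte(uint8_t *shadow_addr, size_t size) \
	{ memset(shadow_addr, 0x##byte, size); }
DEFINE_SET_SHADOW(00)	/* fully addressable */
DEFINE_SET_SHADOW(f1)	/* stack left redzone */
DEFINE_SET_SHADOW(f2)	/* stack mid redzone */
DEFINE_SET_SHADOW(f3)	/* stack right redzone */
DEFINE_SET_SHADOW(f8)	/* variable out of scope */

static uint8_t *frame_base(void) { return region + FRAME_OFF; }

/*
 * Prologue model for a frame with two locals (offsets from frame base):
 *   [0,32)   left redzone   f1
 *   [32,45)  char a[13]     00, then 05 (only first 5 of 8 bytes valid)
 *   [48,64)  mid redzone    f2
 *   [64,96)  char b[32]     00
 *   [96,128) right redzone  f3
 * Returns the number of shadow bytes written.
 */
static int frame_poison(void)
{
	uint8_t *sh = mem_to_shadow(frame_base());

	set_shadow_f1(sh + 0, 4);
	set_shadow_00(sh + 4, 1);
	sh[5] = 13 % GRANULE;	/* partial granule: shadow holds the valid byte count */
	set_shadow_f2(sh + 6, 2);
	set_shadow_00(sh + 8, 4);
	set_shadow_f3(sh + 12, 4);
	return FRAME_GRANULES;
}

/* Epilogue model: one bulk call unpoisons the whole frame on return. */
static int frame_unpoison(void)
{
	set_shadow_00(mem_to_shadow(frame_base()), FRAME_GRANULES);
	return FRAME_GRANULES;
}

/* End-of-scope model for b[]: its four granules become f8. */
static int scope_end_b(void)
{
	set_shadow_f8(mem_to_shadow(frame_base()) + 8, 4);
	return 4;
}

/* A byte is addressable if its shadow is 0, or positive and the byte's
 * offset inside its granule is below that value; negative means poisoned. */
static bool byte_poisoned(const uint8_t *p)
{
	int8_t s = (int8_t)*mem_to_shadow(p);

	if (s == 0)
		return false;
	if (s < 0)
		return true;
	return ((size_t)(p - region) & (GRANULE - 1)) >= (size_t)s;
}

/* Model of get_shadow_bug_type(): a partial granule defers to the next byte. */
static const char *shadow_bug_type(const uint8_t *sh)
{
	uint8_t s = *sh;

	if (s > 0 && s < GRANULE)
		s = sh[1];
	switch (s) {
	case 0xf1: case 0xf2: case 0xf3:
		return "stack-out-of-bounds";
	case 0xf8:
		return "use-after-scope";
	default:
		return "unknown-crash";
	}
}

/* Check an access of size bytes at frame offset off: "ok" or the bug type. */
static const char *probe_type(size_t off, size_t size)
{
	const uint8_t *p = frame_base() + off;

	for (size_t i = 0; i < size; i++)
		if (byte_poisoned(p + i))
			return shadow_bug_type(mem_to_shadow(p + i));
	return "ok";
}

int main(void)
{
	frame_poison();
	printf("a[0..12]:            %s\n", probe_type(32, 13));
	printf("a[13] (partial):     %s\n", probe_type(45, 1));
	printf("a[-1] (left redzone): %s\n", probe_type(31, 1));
	scope_end_b();
	printf("b after scope:       %s\n", probe_type(64, 1));
	frame_unpoison();
	printf("frame after return:  %s\n", probe_type(0, 128));
	return 0;
}
```

The partial-granule case is the one worth staring at: a 13-byte local leaves three bytes of its second granule unaddressable, and the classifier has to look at the following shadow byte (the mid redzone here) to decide what kind of report to print, which is exactly why the kernel's get_shadow_bug_type() steps past values 1..7 before switching on the magic.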

* Re: [PATCH v2 4/5] kasan: support LLVM-style asan parameters
  2017-11-29 21:50 ` [PATCH v2 4/5] kasan: support LLVM-style asan parameters Paul Lawrence
@ 2017-11-30  8:33   ` Dmitry Vyukov
  2017-11-30 16:36   ` Andrey Ryabinin
  1 sibling, 0 replies; 14+ messages in thread
From: Dmitry Vyukov @ 2017-11-30  8:33 UTC (permalink / raw)
  To: Paul Lawrence
  Cc: Andrey Ryabinin, Alexander Potapenko, Masahiro Yamada,
	Michal Marek, LKML, kasan-dev, Linux-MM,
	open list:KERNEL BUILD + fi...,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann

On Wed, Nov 29, 2017 at 10:50 PM, 'Paul Lawrence' via kasan-dev
<kasan-dev@googlegroups.com> wrote:
> Use cc-option to figure out whether the compiler's sanitizer uses
> LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters
> ("--param asan-foo=bar").
>
> Signed-off-by: Greg Hackmann <ghackmann@google.com>
> Signed-off-by: Paul Lawrence <paullawrence@google.com>
>
> ---
>  scripts/Makefile.kasan | 39 +++++++++++++++++++++++++++------------
>  1 file changed, 27 insertions(+), 12 deletions(-)
>
> diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
> index 1ce7115aa499..89c5b166adec 100644
> --- a/scripts/Makefile.kasan
> +++ b/scripts/Makefile.kasan
> @@ -10,24 +10,39 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET)
>
>  CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address
>
> -CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \
> -               -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \
> -               --param asan-stack=1 --param asan-globals=1 \
> -               --param asan-instrumentation-with-call-threshold=$(call_threshold))
> -
>  ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),)
>     ifneq ($(CONFIG_COMPILE_TEST),y)
>          $(warning Cannot use CONFIG_KASAN: \
>              -fsanitize=kernel-address is not supported by compiler)
>     endif
>  else
> -    ifeq ($(CFLAGS_KASAN),)
> -        ifneq ($(CONFIG_COMPILE_TEST),y)
> -            $(warning CONFIG_KASAN: compiler does not support all options.\
> -                Trying minimal configuration)
> -        endif
> -        CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)
> -    endif
> +   # -fasan-shadow-offset fails without -fsanitize
> +   CFLAGS_KASAN_SHADOW := \
> +               $(call cc-option, -fsanitize=kernel-address \
> +                       -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET))
> +   ifeq ($(CFLAGS_KASAN_SHADOW),)
> +      CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)
> +   else
> +      CFLAGS_KASAN := $(CFLAGS_KASAN_SHADOW)
> +   endif
> +
> +   # Now add all the compiler specific options that are valid standalone
> +   CFLAGS_KASAN := $(CFLAGS_KASAN) \
> +       $(call cc-option, --param asan-globals=1) \
> +       $(call cc-option, --param asan-instrument-allocas=1) \
> +       $(call cc-option, --param asan-instrumentation-with-call-threshold=$(call_threshold)) \
> +       $(call cc-option, -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET)) \
> +       $(call cc-option, -mllvm -asan-stack=1) \
> +       $(call cc-option, -mllvm -asan-globals=1) \
> +       $(call cc-option, -mllvm -asan-use-after-scope=1) \
> +       $(call cc-option, -mllvm -asan-instrumentation-with-call-threshold=$(call_threshold))
> +
> +
> +   # This option crashes on gcc 4.9, and is not available on clang
> +   ifeq ($(call cc-ifversion, -ge, 0500, y), y)
> +        CFLAGS_KASAN := $(CFLAGS_KASAN) $(call cc-option, --param asan-stack=1)
> +   endif
> +
>  endif
>
>  CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope)
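Review bot: the fallback at `ifeq ($(CFLAGS_KASAN_SHADOW),)` drops the old "compiler does not support all options. Trying minimal configuration" warning, so a build that silently loses the shadow offset now gives the user no hint; keep that warning under `ifneq ($(CONFIG_COMPILE_TEST),y)` in the new branch. `--param asan-instrument-allocas=1` is unrelated to LLVM-style parameter support and belongs with the alloca() patch in this series, where its purpose is explained. Also a stray double blank line follows the call-threshold option.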


Acked-by: Dmitry Vyukov <dvyukov@google.com>


* Re: [PATCH v2 5/5] kasan: add compiler support for clang
  2017-11-29 21:50 ` [PATCH v2 5/5] kasan: add compiler support for clang Paul Lawrence
@ 2017-11-30  8:34   ` Dmitry Vyukov
  2017-11-30 16:45   ` Andrey Ryabinin
  1 sibling, 0 replies; 14+ messages in thread
From: Dmitry Vyukov @ 2017-11-30  8:34 UTC (permalink / raw)
  To: Paul Lawrence
  Cc: Andrey Ryabinin, Alexander Potapenko, Masahiro Yamada,
	Michal Marek, LKML, kasan-dev, Linux-MM,
	open list:KERNEL BUILD + fi...,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann

On Wed, Nov 29, 2017 at 10:50 PM, 'Paul Lawrence' via kasan-dev
<kasan-dev@googlegroups.com> wrote:
> For now we can hard-code ASAN ABI level 5, since historical clang builds
> can't build the kernel anyway.  We also need to emulate gcc's
> __SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented.
>
> Signed-off-by: Greg Hackmann <ghackmann@google.com>
> Signed-off-by: Paul Lawrence <paullawrence@google.com>
>
> ---
>  include/linux/compiler-clang.h | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> index 3b609edffa8f..d02a4df3f473 100644
> --- a/include/linux/compiler-clang.h
> +++ b/include/linux/compiler-clang.h
> @@ -19,3 +19,11 @@
>
>  #define randomized_struct_fields_start struct {
>  #define randomized_struct_fields_end   };
> +
> +/* all clang versions usable with the kernel support KASAN ABI version 5 */
> +#define KASAN_ABI_VERSION 5
> +
> +/* emulate gcc's __SANITIZE_ADDRESS__ flag */
> +#if __has_feature(address_sanitizer)
> +#define __SANITIZE_ADDRESS__
> +#endif
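Review bot: gcc defines __SANITIZE_ADDRESS__ to 1, while this hunk defines it empty; the kernel tests it with `#ifdef` so both work today, but any future `#if __SANITIZE_ADDRESS__` would silently route the clang build through the uninstrumented path. Defining it as 1 costs nothing and keeps parity with gcc.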

Reviewed-by: Dmitry Vyukov <dvyukov@google.com>


* Re: [PATCH v2 4/5] kasan: support LLVM-style asan parameters
  2017-11-29 21:50 ` [PATCH v2 4/5] kasan: support LLVM-style asan parameters Paul Lawrence
  2017-11-30  8:33   ` Dmitry Vyukov
@ 2017-11-30 16:36   ` Andrey Ryabinin
  1 sibling, 0 replies; 14+ messages in thread
From: Andrey Ryabinin @ 2017-11-30 16:36 UTC (permalink / raw)
  To: Paul Lawrence, Alexander Potapenko, Dmitry Vyukov,
	Masahiro Yamada, Michal Marek
  Cc: linux-kernel, kasan-dev, linux-mm, linux-kbuild,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann

On 11/30/2017 12:50 AM, Paul Lawrence wrote:
> Use cc-option to figure out whether the compiler's sanitizer uses
> LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters
> ("--param asan-foo=bar").
> 
> Signed-off-by: Greg Hackmann <ghackmann@google.com>
> Signed-off-by: Paul Lawrence <paullawrence@google.com>
> 
> ---
>  scripts/Makefile.kasan | 39 +++++++++++++++++++++++++++------------
>  1 file changed, 27 insertions(+), 12 deletions(-)
> 

It looks rather messy. Try the following patch.
Note that I didn't add asan-instrument-allocas=1 because it has nothing to do
with LLVM-style params support.
asan-instrument-allocas should probably be in the patch that adds alloca() support.


From: Andrey Ryabinin <aryabinin@virtuozzo.com>
Subject: [PATCH] kasan/Makefile: Support LLVM style asan parameters.

LLVM doesn't understand GCC-style parameters ("--param asan-foo=bar"),
thus currently we don't use inline/globals/stack instrumentation
when building the kernel with clang.

Add support for LLVM-style parameters ("-mllvm -asan-foo=bar") to
enable all KASAN features.

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 scripts/Makefile.kasan | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
index 1ce7115aa499..2af5977c394d 100644
--- a/scripts/Makefile.kasan
+++ b/scripts/Makefile.kasan
@@ -10,10 +10,7 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET)
 
 CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address
 
-CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \
-		-fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \
-		--param asan-stack=1 --param asan-globals=1 \
-		--param asan-instrumentation-with-call-threshold=$(call_threshold))
+cc-param = $(call cc-option, --param $(1)) $(call cc-option, -mllvm -$(1))
 
 ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),)
    ifneq ($(CONFIG_COMPILE_TEST),y)
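Review bot: `cc-param` probes both spellings for every parameter and concatenates whatever passes, so on a compiler that accepts both `--param X` and `-mllvm -X` (or that accepts and ignores an unknown `--param` with only a warning, which cc-option does not treat as failure) the option is emitted twice. Harmless for these flags, but a one-line comment above the definition should say that this is two independent cc-option checks by design and not a single GCC-versus-LLVM detection, so the next reader does not take the space-separated pair for a bug.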
@@ -21,13 +18,23 @@ ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),)
             -fsanitize=kernel-address is not supported by compiler)
    endif
 else
-    ifeq ($(CFLAGS_KASAN),)
-        ifneq ($(CONFIG_COMPILE_TEST),y)
-            $(warning CONFIG_KASAN: compiler does not support all options.\
-                Trying minimal configuration)
-        endif
-        CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)
-    endif
+   # -fasan-shadow-offset fails without -fsanitize
+   CFLAGS_KASAN_SHADOW := $(call cc-option, -fsanitize=kernel-address \
+			-fasan-shadow-offset=$(KASAN_SHADOW_OFFSET), \
+			$(call cc-option, -fsanitize=kernel-address \
+			-mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET)))
+
+   ifeq ($(CFLAGS_KASAN_SHADOW),)
+      CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)
+   else
+      # Now add all the compiler specific options that are valid standalone
+      CFLAGS_KASAN := $(CFLAGS_KASAN_SHADOW) \
+	$(call cc-param,asan-globals=1) \
+	$(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \
+	$(call cc-param,asan-stack=1) \
+	$(call cc-param,asan-use-after-scope=1)
+   endif
+
 endif
 
 CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope)
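Review bot: `asan-stack=1` is now added through cc-param with no version guard, whereas the version of this hunk earlier in the thread restricts `--param asan-stack=1` to gcc >= 5 because it crashes gcc 4.9; cc-option only checks that the option is accepted on an empty compile, so it will not catch a compiler that accepts the flag and then crashes while instrumenting real code. Either keep the cc-ifversion guard or state in the commit message why it is no longer needed. The "compiler does not support all options" warning is also dropped on the minimal fallback, leaving no sign that shadow-offset detection failed.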
-- 
2.13.6


* Re: [PATCH v2 5/5] kasan: add compiler support for clang
  2017-11-29 21:50 ` [PATCH v2 5/5] kasan: add compiler support for clang Paul Lawrence
  2017-11-30  8:34   ` Dmitry Vyukov
@ 2017-11-30 16:45   ` Andrey Ryabinin
  1 sibling, 0 replies; 14+ messages in thread
From: Andrey Ryabinin @ 2017-11-30 16:45 UTC (permalink / raw)
  To: Paul Lawrence, Alexander Potapenko, Dmitry Vyukov,
	Masahiro Yamada, Michal Marek
  Cc: linux-kernel, kasan-dev, linux-mm, linux-kbuild,
	Matthias Kaehlcke, Michael Davidson, Greg Hackmann

On 11/30/2017 12:50 AM, Paul Lawrence wrote:
> For now we can hard-code ASAN ABI level 5, since historical clang builds
> can't build the kernel anyway.  We also need to emulate gcc's
> __SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented.
> 
> Signed-off-by: Greg Hackmann <ghackmann@google.com>
> Signed-off-by: Paul Lawrence <paullawrence@google.com>
> 
> ---
>  include/linux/compiler-clang.h | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> index 3b609edffa8f..d02a4df3f473 100644
> --- a/include/linux/compiler-clang.h
> +++ b/include/linux/compiler-clang.h
> @@ -19,3 +19,11 @@
>  
>  #define randomized_struct_fields_start	struct {
>  #define randomized_struct_fields_end	};
> +
> +/* all clang versions usable with the kernel support KASAN ABI version 5 */
> +#define KASAN_ABI_VERSION 5
> +

This patch should be earlier in this series. Patch 4/5 breaks clang-built kernel, because
we start using globals instrumentation with wrong KASAN_ABI_VERSION.

> +/* emulate gcc's __SANITIZE_ADDRESS__ flag */
> +#if __has_feature(address_sanitizer)
> +#define __SANITIZE_ADDRESS__
> +#endif
> 

