From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-io0-f199.google.com (mail-io0-f199.google.com [209.85.223.199]) by kanga.kvack.org (Postfix) with ESMTP id E93616B0038 for ; Wed, 29 Nov 2017 16:51:10 -0500 (EST)
Received: by mail-io0-f199.google.com with SMTP id r22so4038612iod.7 for ; Wed, 29 Nov 2017 13:51:10 -0800 (PST)
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41]) by mx.google.com with SMTPS id k36sor1414075ioi.71.2017.11.29.13.51.10 for (Google Transport Security); Wed, 29 Nov 2017 13:51:10 -0800 (PST)
From: Paul Lawrence
Subject: [PATCH v2 0/5] kasan: support alloca, LLVM
Date: Wed, 29 Nov 2017 13:50:45 -0800
Message-Id: <20171129215050.158653-1-paullawrence@google.com>
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann, Paul Lawrence

Adding kasan alloca support using clang. Also adding support for clang,
since needed for this feature.

gcc has kasan alloca support, but only post 7.2.

[PATCH v2 1/5] kasan: support alloca() poisoning
  Tests moved to patch 2/5
  __asan_alloca_unpoison(): Use precalculated rounded-up-size
  Warning added if bottom is not aligned as expected
  Parameter check added to make sure gcc builds don't fail
  Now unpoisons partial chunks
  get_shadow_bug_type(): Missing break added

[PATCH v2 2/5] kasan: Add tests for alloca poisonong
  Tests moved here
  kasan_alloca_oob_right(): No longer rounding up

[PATCH v2 3/5] kasan: added functions for unpoisoning stack variables
  No change from v1. clang builds need f8

[PATCH v2 4/5] kasan: support LLVM-style asan parameters
  Rejigged whole file. Old approach would not work except with ToT gcc or
  clang. All parameters would be rejected if one was not known. Also if
  both were empty, CFLAGS_KASAN would be " " which mostly disabled kasan
  on older compilers.
  Added support for gcc, tested on ToT compiler

[PATCH v2 5/5] kasan: add compiler support for clang
  Made comments single line

Paul Lawrence (5):
  kasan: support alloca() poisoning
  kasan: Add tests for alloca poisonong
  kasan: added functions for unpoisoning stack variables
  kasan: support LLVM-style asan parameters
  kasan: add compiler support for clang

 include/linux/compiler-clang.h |  8 +++++++
 lib/test_kasan.c               | 22 ++++++++++++++++++++
 mm/kasan/kasan.c               | 47 ++++++++++++++++++++++++++++++++++++++++++
 mm/kasan/kasan.h               |  8 +++++++
 mm/kasan/report.c              |  4 ++++
 scripts/Makefile.kasan         | 39 ++++++++++++++++++++++++-----------
 6 files changed, 116 insertions(+), 12 deletions(-)

-- 
2.15.0.531.g2ccb3012c9-goog

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org
From: Paul Lawrence
Subject: [PATCH v2 1/5] kasan: support alloca() poisoning
Date: Wed, 29 Nov 2017 13:50:46 -0800
Message-Id: <20171129215050.158653-2-paullawrence@google.com>
In-Reply-To: <20171129215050.158653-1-paullawrence@google.com>
References: <20171129215050.158653-1-paullawrence@google.com>
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann, Paul Lawrence

clang's AddressSanitizer implementation adds redzones on either side of
alloca()ed buffers. These redzones are 32-byte aligned and at least 32
bytes long.

__asan_alloca_poison() is passed the size and address of the allocated
buffer, *excluding* the redzones on either side. The left redzone will
always be to the immediate left of this buffer; but AddressSanitizer may
need to add padding between the end of the buffer and the right redzone.
If there are any 8-byte chunks inside this padding, we should poison
those too.

__asan_allocas_unpoison() is just passed the top and bottom of the
dynamic stack area, so unpoisoning is simpler.

Signed-off-by: Greg Hackmann
Signed-off-by: Paul Lawrence

 mm/kasan/kasan.c  | 32 ++++++++++++++++++++++++++++++++
 mm/kasan/kasan.h  |  8 ++++++++
 mm/kasan/report.c |  4 ++++
 3 files changed, 44 insertions(+)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 405bba487df5..f86f862f41f8 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -736,6 +736,38 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size) } EXPORT_SYMBOL(__asan_unpoison_stack_memory); +/* Emitted by compiler to poison alloca()ed objects. */ +void __asan_alloca_poison(unsigned long addr, size_t size) +{ + size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE); + size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) - + rounded_up_size; + + const void *left_redzone = (const void *)(addr - + KASAN_ALLOCA_REDZONE_SIZE); + const void *right_redzone = (const void *)(addr + rounded_up_size); + + WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE)); + + kasan_unpoison_shadow((const void *)addr, size); + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE, + KASAN_ALLOCA_LEFT); + kasan_poison_shadow(right_redzone, + padding_size + KASAN_ALLOCA_REDZONE_SIZE, + KASAN_ALLOCA_RIGHT); +} +EXPORT_SYMBOL(__asan_alloca_poison); + +/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */ +void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) +{ + if (unlikely(!stack_top || stack_top > stack_bottom)) + return; + + kasan_unpoison_shadow(stack_top, stack_bottom - stack_top); +} +EXPORT_SYMBOL(__asan_allocas_unpoison); + #ifdef CONFIG_MEMORY_HOTPLUG static int __meminit kasan_mem_notifier(struct notifier_block *nb, unsigned long action, void *data) diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index c70851a9a6a4..7c0bcd1f4c0d 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h @@ -24,6 +24,14 @@ #define KASAN_STACK_PARTIAL 0xF4 #define KASAN_USE_AFTER_SCOPE 0xF8 +/* + * alloca redzone shadow values + */ +#define KASAN_ALLOCA_LEFT 0xCA +#define KASAN_ALLOCA_RIGHT 0xCB + +#define KASAN_ALLOCA_REDZONE_SIZE 32 + /* Don't break randconfig/all*config builds */ #ifndef KASAN_ABI_VERSION #define KASAN_ABI_VERSION 1 diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 6bcfb01ba038..25419d426426 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c 
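Review bot: `WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE))` in `__asan_alloca_poison()` warns but then carries on poisoning; with a misaligned `addr` the left redzone at `addr - KASAN_ALLOCA_REDZONE_SIZE` and the right one at `addr + rounded_up_size` no longer match what the compiler laid out, so either return after the warning or make it `WARN_ON_ONCE()` and document that the shadow is then unreliable. The contract that `size` excludes both redzones and that the compiler guarantees 32-byte alignment lives only in the commit message; put a sentence of it above the function, and in `__asan_allocas_unpoison()` add a one-liner saying `stack_top` is the lower address (the stack grows down), which is what the `stack_top > stack_bottom` bail-out relies on.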
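Review bot: `KASAN_ALLOCA_REDZONE_SIZE 32` and the `0xCA`/`0xCB` shadow values silently encode what clang's alloca instrumentation emits; a comment next to them that the size must match the compiler's redzone size, and that the two values must stay outside the partial range `0x01..0x07` and distinct from the `KASAN_STACK_*`/`KASAN_USE_AFTER_SCOPE` bytes, would keep a later edit from breaking detection without any build error.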
@@ -102,6 +102,10 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info) case KASAN_USE_AFTER_SCOPE: bug_type = "use-after-scope"; break; + case KASAN_ALLOCA_LEFT: + case KASAN_ALLOCA_RIGHT: + bug_type = "alloca-out-of-bounds"; + break; } return bug_type; -- 2.15.0.531.g2ccb3012c9-goog -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-it0-f72.google.com (mail-it0-f72.google.com [209.85.214.72]) by kanga.kvack.org (Postfix) with ESMTP id B44E86B0260 for ; Wed, 29 Nov 2017 16:51:16 -0500 (EST) Received: by mail-it0-f72.google.com with SMTP id b11so4259352itj.0 for ; Wed, 29 Nov 2017 13:51:16 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id e134sor1783008ita.93.2017.11.29.13.51.15 for (Google Transport Security); Wed, 29 Nov 2017 13:51:15 -0800 (PST) From: Paul Lawrence Subject: [PATCH v2 2/5] kasan: Add tests for alloca poisonong Date: Wed, 29 Nov 2017 13:50:47 -0800 Message-Id: <20171129215050.158653-3-paullawrence@google.com> In-Reply-To: <20171129215050.158653-1-paullawrence@google.com> References: <20171129215050.158653-1-paullawrence@google.com> Sender: owner-linux-mm@kvack.org List-ID: To: Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Masahiro Yamada , Michal Marek Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke , Michael Davidson , Greg Hackmann , Paul Lawrence Signed-off-by: Greg Hackmann Signed-off-by: Paul Lawrence lib/test_kasan.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/lib/test_kasan.c b/lib/test_kasan.c index ef1a3ac1397e..2724f86c4cef 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c 
@@ -472,6 +472,26 @@ static noinline void __init use_after_scope_test(void) p[1023] = 1; } +static noinline void __init kasan_alloca_oob_left(void) +{ + volatile int i = 10; + char alloca_array[i]; + char *p = alloca_array - 1; + + pr_info("out-of-bounds to left on alloca\n"); + *(volatile char *)p; +} + +static noinline void __init kasan_alloca_oob_right(void) +{ + volatile int i = 10; + char alloca_array[i]; + char *p = alloca_array + i; + + pr_info("out-of-bounds to right on alloca\n"); + *(volatile char *)p; +} + static int __init kmalloc_tests_init(void) { /* @@ -502,6 +522,8 @@ static int __init kmalloc_tests_init(void) memcg_accounted_kmem_cache(); kasan_stack_oob(); kasan_global_oob(); + kasan_alloca_oob_left(); + kasan_alloca_oob_right(); ksize_unpoisons_memory(); copy_user_test(); use_after_scope_test(); -- 2.15.0.531.g2ccb3012c9-goog -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-io0-f199.google.com (mail-io0-f199.google.com [209.85.223.199]) by kanga.kvack.org (Postfix) with ESMTP id CC6566B0268 for ; Wed, 29 Nov 2017 16:51:19 -0500 (EST) Received: by mail-io0-f199.google.com with SMTP id c196so4119113ioc.3 for ; Wed, 29 Nov 2017 13:51:19 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id c184sor1801788itg.7.2017.11.29.13.51.18 for (Google Transport Security); Wed, 29 Nov 2017 13:51:19 -0800 (PST) 
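Review bot: both tests exercise only the error path; nothing checks that `__asan_allocas_unpoison()` clears the `0xCA`/`0xCB` bytes when the frame unwinds, so a regression there (stale shadow under a later frame, reported as a bogus alloca-out-of-bounds) would go unnoticed. Add a third test that calls an alloca-using `noinline` helper and then touches an ordinary local at the same stack depth. Also worth a one-line comment that the `volatile int i` is what forces a dynamic allocation; with a constant size the compiler emits a fixed stack slot and the alloca instrumentation is never reached.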
From: Paul Lawrence
Subject: [PATCH v2 3/5] kasan: added functions for unpoisoning stack variables
Date: Wed, 29 Nov 2017 13:50:48 -0800
Message-Id: <20171129215050.158653-4-paullawrence@google.com>
In-Reply-To: <20171129215050.158653-1-paullawrence@google.com>
References: <20171129215050.158653-1-paullawrence@google.com>
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann, Paul Lawrence

From: Alexander Potapenko

As a code-size optimization, LLVM builds since r279383 may
bulk-manipulate the shadow region when (un)poisoning large memory
blocks. This requires new callbacks that simply do an uninstrumented
memset().

This fixes linking the Clang-built kernel when using KASAN.

Signed-off-by: Alexander Potapenko
[ghackmann@google.com: fix memset() parameters, and tweak
 commit message to describe new callbacks]
Signed-off-by: Greg Hackmann
Signed-off-by: Paul Lawrence
---
 mm/kasan/kasan.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index f86f862f41f8..89565a1ec417 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -768,6 +768,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) } EXPORT_SYMBOL(__asan_allocas_unpoison); +/* Emitted by the compiler to [un]poison local variables. */ +#define DEFINE_ASAN_SET_SHADOW(byte) \ + void __asan_set_shadow_##byte(const void *addr, size_t size) \ + { \ + __memset((void *)addr, 0x##byte, size); \ + } \ + EXPORT_SYMBOL(__asan_set_shadow_##byte) + +DEFINE_ASAN_SET_SHADOW(00); +DEFINE_ASAN_SET_SHADOW(f1); +DEFINE_ASAN_SET_SHADOW(f2); +DEFINE_ASAN_SET_SHADOW(f3); +DEFINE_ASAN_SET_SHADOW(f5); +DEFINE_ASAN_SET_SHADOW(f8); + #ifdef CONFIG_MEMORY_HOTPLUG static int __meminit kasan_mem_notifier(struct notifier_block *nb, unsigned long action, void *data) -- 2.15.0.531.g2ccb3012c9-goog -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-io0-f198.google.com (mail-io0-f198.google.com [209.85.223.198]) by kanga.kvack.org (Postfix) with ESMTP id 2CA8F6B026C for ; Wed, 29 Nov 2017 16:51:22 -0500 (EST) Received: by mail-io0-f198.google.com with SMTP id s2so4021447ioa.17 for ; Wed, 29 Nov 2017 13:51:22 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id a195sor1782150itd.29.2017.11.29.13.51.21 for (Google Transport Security); Wed, 29 Nov 2017 13:51:21 -0800 (PST) 
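Review bot: the comment `/* Emitted by the compiler to [un]poison local variables. */` hides the one thing a reader needs: unlike the neighbouring `__asan_*` entry points, `addr` and `size` here already describe the shadow region (the body does `__memset((void *)addr, 0x##byte, size)` with no `kasan_mem_to_shadow()` translation), as the commit message's "bulk-manipulate the shadow region" says. State that in the comment, and note that the suffix set (00, f1, f2, f3, f5, f8) follows the shadow bytes the compiler emits, so a new compiler value needs a matching `DEFINE_ASAN_SET_SHADOW()` here or the link fails, which is exactly the failure this patch fixes.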
From: Paul Lawrence
Subject: [PATCH v2 4/5] kasan: support LLVM-style asan parameters
Date: Wed, 29 Nov 2017 13:50:49 -0800
Message-Id: <20171129215050.158653-5-paullawrence@google.com>
In-Reply-To: <20171129215050.158653-1-paullawrence@google.com>
References: <20171129215050.158653-1-paullawrence@google.com>
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann, Paul Lawrence

Use cc-option to figure out whether the compiler's sanitizer uses
LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters
("--param asan-foo=bar").

Signed-off-by: Greg Hackmann
Signed-off-by: Paul Lawrence
---
 scripts/Makefile.kasan | 39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
index 1ce7115aa499..89c5b166adec 100644
--- a/scripts/Makefile.kasan
+++ b/scripts/Makefile.kasan
@@ -10,24 +10,39 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET) CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address -CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \ - -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \ - --param asan-stack=1 --param asan-globals=1 \ - --param asan-instrumentation-with-call-threshold=$(call_threshold)) - ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),) ifneq ($(CONFIG_COMPILE_TEST),y) $(warning Cannot use CONFIG_KASAN: \ -fsanitize=kernel-address is not supported by compiler) endif else - ifeq ($(CFLAGS_KASAN),) - ifneq ($(CONFIG_COMPILE_TEST),y) - $(warning CONFIG_KASAN: compiler does not support all options.\ - Trying minimal configuration) - endif - CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL) - endif + # -fasan-shadow-offset fails without -fsanitize + CFLAGS_KASAN_SHADOW := \ + $(call cc-option, -fsanitize=kernel-address \ + -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET)) + ifeq ($(CFLAGS_KASAN_SHADOW),) + CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL) + else + CFLAGS_KASAN := $(CFLAGS_KASAN_SHADOW) + endif + + # Now add all the compiler specific options that are valid standalone + CFLAGS_KASAN := $(CFLAGS_KASAN) \ + $(call cc-option, --param asan-globals=1) \ + $(call cc-option, --param asan-instrument-allocas=1) \ + $(call cc-option, --param asan-instrumentation-with-call-threshold=$(call_threshold)) \ + $(call cc-option, -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET)) \ + $(call cc-option, -mllvm -asan-stack=1) \ + $(call cc-option, -mllvm -asan-globals=1) \ + $(call cc-option, -mllvm -asan-use-after-scope=1) \ + $(call cc-option, -mllvm -asan-instrumentation-with-call-threshold=$(call_threshold)) + + + # This option crashes on gcc 4.9, and is not available on clang + ifeq ($(call cc-ifversion, -ge, 0500, y), y) + CFLAGS_KASAN := $(CFLAGS_KASAN) $(call cc-option, --param asan-stack=1) + endif + endif CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope) -- 2.15.0.531.g2ccb3012c9-goog -- To 
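Review bot: the new `ifeq ($(CFLAGS_KASAN_SHADOW),) CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)` branch drops the warning the removed block printed (`CONFIG_KASAN: compiler does not support all options. Trying minimal configuration`). If the compiler rejects `-fasan-shadow-offset=` and also `-mllvm -asan-mapping-offset=`, the kernel is now built with the compiler's default shadow offset rather than `$(KASAN_SHADOW_OFFSET)`, silently; keep a `$(warning ...)` under `ifneq ($(CONFIG_COMPILE_TEST),y)` in that branch. Smaller point: every `$(call cc-option, ...)` line is a separate compiler invocation, and a given compiler takes either the `--param` family or the `-mllvm` family, so probing one flag per family and only then adding the rest of that family would roughly halve the configure-time cost.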
From: Paul Lawrence
Subject: [PATCH v2 5/5] kasan: add compiler support for clang
Date: Wed, 29 Nov 2017 13:50:50 -0800
Message-Id: <20171129215050.158653-6-paullawrence@google.com>
In-Reply-To: <20171129215050.158653-1-paullawrence@google.com>
References: <20171129215050.158653-1-paullawrence@google.com>
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann, Paul Lawrence

For now we can hard-code ASAN ABI level 5, since historical clang builds
can't build the kernel anyway.

We also need to emulate gcc's __SANITIZE_ADDRESS__ flag, or memset()
calls won't be instrumented.

Signed-off-by: Greg Hackmann
Signed-off-by: Paul Lawrence
---
 include/linux/compiler-clang.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index 3b609edffa8f..d02a4df3f473 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -19,3 +19,11 @@ #define randomized_struct_fields_start struct { #define randomized_struct_fields_end }; + +/* all clang versions usable with the kernel support KASAN ABI version 5 */ +#define KASAN_ABI_VERSION 5 + +/* emulate gcc's __SANITIZE_ADDRESS__ flag */ +#if __has_feature(address_sanitizer) +#define __SANITIZE_ADDRESS__ +#endif -- 2.15.0.531.g2ccb3012c9-goog -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f198.google.com (mail-pf0-f198.google.com [209.85.192.198]) by kanga.kvack.org (Postfix) with ESMTP id 82AF76B0038 for ; Thu, 30 Nov 2017 03:27:12 -0500 (EST) Received: by mail-pf0-f198.google.com with SMTP id 8so4419868pfv.12 for ; Thu, 30 Nov 2017 00:27:12 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id h1sor1458515pld.13.2017.11.30.00.27.11 for (Google Transport Security); Thu, 30 Nov 2017 00:27:11 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <20171129215050.158653-2-paullawrence@google.com> References: <20171129215050.158653-1-paullawrence@google.com> <20171129215050.158653-2-paullawrence@google.com> 
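Review bot: `#define __SANITIZE_ADDRESS__` defines the macro with an empty expansion, while gcc defines it as `1`; any `#if __SANITIZE_ADDRESS__` (rather than `#ifdef`) then fails to compile under clang with an empty `#if` expression, so use `#define __SANITIZE_ADDRESS__ 1` to emulate gcc exactly. `#define KASAN_ABI_VERSION 5` is unconditional; that is safe because `mm/kasan/kasan.h` only supplies its default under `#ifndef KASAN_ABI_VERSION`, but a short comment that it is intentionally defined even in non-KASAN builds would save the next reader the question.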
From: Dmitry Vyukov
Date: Thu, 30 Nov 2017 09:26:50 +0100
Subject: Re: [PATCH v2 1/5] kasan: support alloca() poisoning
To: Paul Lawrence
Cc: Andrey Ryabinin, Alexander Potapenko, Masahiro Yamada, Michal Marek, LKML, kasan-dev, Linux-MM, "open list:KERNEL BUILD + fi...", Matthias Kaehlcke, Michael Davidson, Greg Hackmann

/\/\/\/\/\/\
On Wed, Nov 29, 2017 at 10:50 PM, Paul Lawrence wrote:
> clang's AddressSanitizer implementation adds redzones on either side of
> alloca()ed buffers. These redzones are 32-byte aligned and at least 32
> bytes long.
>
> __asan_alloca_poison() is passed the size and address of the allocated
> buffer, *excluding* the redzones on either side. The left redzone will
> always be to the immediate left of this buffer; but AddressSanitizer may
> need to add padding between the end of the buffer and the right redzone.
> If there are any 8-byte chunks inside this padding, we should poison
> those too.
>
> __asan_allocas_unpoison() is just passed the top and bottom of the
> dynamic stack area, so unpoisoning is simpler.
>
> Signed-off-by: Greg Hackmann
> Signed-off-by: Paul Lawrence
>
> mm/kasan/kasan.c | 32 ++++++++++++++++++++++++++++++++
> mm/kasan/kasan.h | 8 ++++++++
> mm/kasan/report.c | 4 ++++
> 3 files changed, 44 insertions(+)
>
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index 405bba487df5..f86f862f41f8 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -736,6 +736,38 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size) > } > EXPORT_SYMBOL(__asan_unpoison_stack_memory); > > +/* Emitted by compiler to poison alloca()ed objects. */ > +void __asan_alloca_poison(unsigned long addr, size_t size) > +{ > + size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE); > + size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) - > + rounded_up_size; > + > + const void *left_redzone = (const void *)(addr - > + KASAN_ALLOCA_REDZONE_SIZE); > + const void *right_redzone = (const void *)(addr + rounded_up_size); > + > + WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE)); > + > + kasan_unpoison_shadow((const void *)addr, size); /\/\/\/\/\/\ Why do we need this? Stack must be clean. Compiler instrumentation does not clear shadow for objects in function prologue, if stack is dirty KASAN would explode. > + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE, > + KASAN_ALLOCA_LEFT); > + kasan_poison_shadow(right_redzone, > + padding_size + KASAN_ALLOCA_REDZONE_SIZE, > + KASAN_ALLOCA_RIGHT); We also need to poison [size, rounded_up_size) with partial value if the range is not empty. I.e. we can poison exactly, say, 3 bytes there. > +} > +EXPORT_SYMBOL(__asan_alloca_poison); > + > +/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */ > +void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) > +{ > + if (unlikely(!stack_top || stack_top > stack_bottom)) > + return; > + > + kasan_unpoison_shadow(stack_top, stack_bottom - stack_top); > +} > +EXPORT_SYMBOL(__asan_allocas_unpoison); > + > #ifdef CONFIG_MEMORY_HOTPLUG > static int __meminit kasan_mem_notifier(struct notifier_block *nb, > unsigned long action, void *data) > diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h > index c70851a9a6a4..7c0bcd1f4c0d 100644 > --- a/mm/kasan/kasan.h > +++ b/mm/kasan/kasan.h 
> @@ -24,6 +24,14 @@ > #define KASAN_STACK_PARTIAL 0xF4 > #define KASAN_USE_AFTER_SCOPE 0xF8 > > +/* > + * alloca redzone shadow values > + */ > +#define KASAN_ALLOCA_LEFT 0xCA > +#define KASAN_ALLOCA_RIGHT 0xCB > + > +#define KASAN_ALLOCA_REDZONE_SIZE 32 > + > /* Don't break randconfig/all*config builds */ > #ifndef KASAN_ABI_VERSION > #define KASAN_ABI_VERSION 1 > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > index 6bcfb01ba038..25419d426426 100644 > --- a/mm/kasan/report.c > +++ b/mm/kasan/report.c > @@ -102,6 +102,10 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info) > case KASAN_USE_AFTER_SCOPE: > bug_type = "use-after-scope"; > break; > + case KASAN_ALLOCA_LEFT: > + case KASAN_ALLOCA_RIGHT: > + bug_type = "alloca-out-of-bounds"; > + break; > } > > return bug_type; > -- > 2.15.0.531.g2ccb3012c9-goog > -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f197.google.com (mail-pf0-f197.google.com [209.85.192.197]) by kanga.kvack.org (Postfix) with ESMTP id 3728C6B0038 for ; Thu, 30 Nov 2017 03:29:48 -0500 (EST) Received: by mail-pf0-f197.google.com with SMTP id r88so4413921pfi.23 for ; Thu, 30 Nov 2017 00:29:48 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id y73sor1015527pff.7.2017.11.30.00.29.47 for (Google Transport Security); Thu, 30 Nov 2017 00:29:47 -0800 (PST) MIME-Version: 1.0 In-Reply-To: References: <20171129215050.158653-1-paullawrence@google.com> <20171129215050.158653-2-paullawrence@google.com> 
From: Dmitry Vyukov
Date: Thu, 30 Nov 2017 09:29:26 +0100
Subject: Re: [PATCH v2 1/5] kasan: support alloca() poisoning
To: Paul Lawrence
Cc: Andrey Ryabinin, Alexander Potapenko, Masahiro Yamada, Michal Marek, LKML, kasan-dev, Linux-MM, "open list:KERNEL BUILD + fi...", Matthias Kaehlcke, Michael Davidson, Greg Hackmann

On Thu, Nov 30, 2017 at 9:26 AM, Dmitry Vyukov wrote:
> /\/\/\/\/\/\
> On Wed, Nov 29, 2017 at 10:50 PM, Paul Lawrence wrote:
>> clang's AddressSanitizer implementation adds redzones on either side of
>> alloca()ed buffers. These redzones are 32-byte aligned and at least 32
>> bytes long.
>>
>> __asan_alloca_poison() is passed the size and address of the allocated
>> buffer, *excluding* the redzones on either side. The left redzone will
>> always be to the immediate left of this buffer; but AddressSanitizer may
>> need to add padding between the end of the buffer and the right redzone.
>> If there are any 8-byte chunks inside this padding, we should poison
>> those too.
>>
>> __asan_allocas_unpoison() is just passed the top and bottom of the
>> dynamic stack area, so unpoisoning is simpler.
>>
>> Signed-off-by: Greg Hackmann
>> Signed-off-by: Paul Lawrence
>>
>> mm/kasan/kasan.c | 32 ++++++++++++++++++++++++++++++++
>> mm/kasan/kasan.h | 8 ++++++++
>> mm/kasan/report.c | 4 ++++
>> 3 files changed, 44 insertions(+)
>>
>> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
>> index 405bba487df5..f86f862f41f8 100644
>> --- a/mm/kasan/kasan.c
>> +++ b/mm/kasan/kasan.c
>> @@ -736,6 +736,38 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size) >> } >> EXPORT_SYMBOL(__asan_unpoison_stack_memory); >> >> +/* Emitted by compiler to poison alloca()ed objects. */ >> +void __asan_alloca_poison(unsigned long addr, size_t size) >> +{ >> + size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE); >> + size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) - >> + rounded_up_size; >> + >> + const void *left_redzone = (const void *)(addr - >> + KASAN_ALLOCA_REDZONE_SIZE); >> + const void *right_redzone = (const void *)(addr + rounded_up_size); >> + >> + WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE)); >> + >> + kasan_unpoison_shadow((const void *)addr, size); > > /\/\/\/\/\/\ > > Why do we need this? Stack must be clean. Compiler instrumentation > does not clear shadow for objects in function prologue, if stack is > dirty KASAN would explode. > > >> + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE, >> + KASAN_ALLOCA_LEFT); >> + kasan_poison_shadow(right_redzone, >> + padding_size + KASAN_ALLOCA_REDZONE_SIZE, >> + KASAN_ALLOCA_RIGHT); > > We also need to poison [size, rounded_up_size) with partial value if > the range is not empty. I.e. we can poison exactly, say, 3 bytes > there. Wait, kasan_unpoison_shadow does this, right? Somewhat counter-intuitive and more expensive than needed. Let's poison only the last byte. >> +} >> +EXPORT_SYMBOL(__asan_alloca_poison); >> + >> +/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */ >> +void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) >> +{ >> + if (unlikely(!stack_top || stack_top > stack_bottom)) >> + return; >> + >> + kasan_unpoison_shadow(stack_top, stack_bottom - stack_top); >> +} >> +EXPORT_SYMBOL(__asan_allocas_unpoison); >> + >> #ifdef CONFIG_MEMORY_HOTPLUG >> static int __meminit kasan_mem_notifier(struct notifier_block *nb, >> unsigned long action, void *data) 
>> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h >> index c70851a9a6a4..7c0bcd1f4c0d 100644 >> --- a/mm/kasan/kasan.h >> +++ b/mm/kasan/kasan.h >> @@ -24,6 +24,14 @@ >> #define KASAN_STACK_PARTIAL 0xF4 >> #define KASAN_USE_AFTER_SCOPE 0xF8 >> >> +/* >> + * alloca redzone shadow values >> + */ >> +#define KASAN_ALLOCA_LEFT 0xCA >> +#define KASAN_ALLOCA_RIGHT 0xCB >> + >> +#define KASAN_ALLOCA_REDZONE_SIZE 32 >> + >> /* Don't break randconfig/all*config builds */ >> #ifndef KASAN_ABI_VERSION >> #define KASAN_ABI_VERSION 1 >> diff --git a/mm/kasan/report.c b/mm/kasan/report.c >> index 6bcfb01ba038..25419d426426 100644 >> --- a/mm/kasan/report.c >> +++ b/mm/kasan/report.c >> @@ -102,6 +102,10 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info) >> case KASAN_USE_AFTER_SCOPE: >> bug_type = "use-after-scope"; >> break; >> + case KASAN_ALLOCA_LEFT: >> + case KASAN_ALLOCA_RIGHT: >> + bug_type = "alloca-out-of-bounds"; >> + break; >> } >> >> return bug_type; >> -- >> 2.15.0.531.g2ccb3012c9-goog >> -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f200.google.com (mail-pf0-f200.google.com [209.85.192.200]) by kanga.kvack.org (Postfix) with ESMTP id B817A6B0038 for ; Thu, 30 Nov 2017 03:31:03 -0500 (EST) Received: by mail-pf0-f200.google.com with SMTP id n187so4453633pfn.10 for ; Thu, 30 Nov 2017 00:31:03 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id t65sor959850pgc.61.2017.11.30.00.31.02 for (Google Transport Security); Thu, 30 Nov 2017 00:31:02 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <20171129215050.158653-3-paullawrence@google.com> References: <20171129215050.158653-1-paullawrence@google.com> <20171129215050.158653-3-paullawrence@google.com> 
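To make the shadow arithmetic in the exchange above concrete (the partial-chunk value, and why byte `size` of the buffer is still reported as alloca-out-of-bounds), here is an added userspace model, written for this page and not taken from the kernel or from the thread. It reproduces the `__asan_alloca_poison()` arithmetic from the patch for the 10-byte alloca used by the tests in patch 2/5. Assumptions: the constants from the patch (8-byte shadow granularity, 32-byte redzones, shadow bytes 0xCA/0xCB); `kasan_unpoison_shadow()` writing `size & 7` into a trailing partial chunk; `get_shadow_bug_type()` looking at the next shadow byte when the first one is a partial value; a constructed 256-byte stack slice with the buffer at a hypothetical offset 64. The `model`, `probe`, `poison`, `unpoison`, `alloca_poison`, `access_ok`, `bug_shadow` and `probe_alloca10` names are this example's own.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as in the patch (mm/kasan/kasan.h) and generic KASAN. */
#define SHADOW_SCALE_SIZE   8      /* one shadow byte per 8 bytes of stack */
#define ALLOCA_REDZONE_SIZE 32
#define ALLOCA_LEFT         0xCA
#define ALLOCA_RIGHT        0xCB

/* Constructed model: a 256-byte stack slice and its 32-byte shadow. */
#define STACK_BYTES  256
#define SHADOW_BYTES (STACK_BYTES / SHADOW_SCALE_SIZE)

struct model { uint8_t shadow[SHADOW_BYTES]; };

static size_t round_up_to(size_t x, size_t a) { return (x + a - 1) / a * a; }

/* Modelled on kasan_poison_shadow(); addr and size are 8-byte multiples here. */
static void poison(struct model *m, size_t addr, size_t size, uint8_t value)
{
	memset(&m->shadow[addr / SHADOW_SCALE_SIZE], value, size / SHADOW_SCALE_SIZE);
}

/* Modelled on kasan_unpoison_shadow(): whole chunks become 0, and a trailing
 * partial chunk records how many of its leading bytes are valid (size & 7).
 * That partial value is what makes byte `size` itself detectable. */
static void unpoison(struct model *m, size_t addr, size_t size)
{
	memset(&m->shadow[addr / SHADOW_SCALE_SIZE], 0, size / SHADOW_SCALE_SIZE);
	if (size % SHADOW_SCALE_SIZE)
		m->shadow[(addr + size) / SHADOW_SCALE_SIZE] = size % SHADOW_SCALE_SIZE;
}

/* Same arithmetic as __asan_alloca_poison() in the patch. */
static void alloca_poison(struct model *m, size_t addr, size_t size)
{
	size_t rounded_up_size = round_up_to(size, SHADOW_SCALE_SIZE);
	size_t padding_size = round_up_to(size, ALLOCA_REDZONE_SIZE) - rounded_up_size;

	assert(addr % ALLOCA_REDZONE_SIZE == 0);	/* the patch's WARN_ON() */
	unpoison(m, addr, size);
	poison(m, addr - ALLOCA_REDZONE_SIZE, ALLOCA_REDZONE_SIZE, ALLOCA_LEFT);
	poison(m, addr + rounded_up_size, padding_size + ALLOCA_REDZONE_SIZE, ALLOCA_RIGHT);
}

/* 1-byte access check: shadow 0 = whole chunk valid; 1..7 = that many
 * leading bytes valid; anything else (0xCA, 0xCB, ...) = poisoned. */
static bool access_ok(const struct model *m, size_t addr)
{
	uint8_t s = m->shadow[addr / SHADOW_SCALE_SIZE];

	if (s == 0)
		return true;
	if (s < SHADOW_SCALE_SIZE)
		return addr % SHADOW_SCALE_SIZE < s;
	return false;
}

/* How get_shadow_bug_type() names a bad access: a partial shadow byte says
 * nothing about *why* the byte is bad, so it looks at the next shadow byte. */
static uint8_t bug_shadow(const struct model *m, size_t addr)
{
	size_t i = addr / SHADOW_SCALE_SIZE;
	uint8_t s = m->shadow[i];

	if (s > 0 && s < SHADOW_SCALE_SIZE)
		s = m->shadow[i + 1];
	return s;
}

struct probe {
	bool left_ok, last_ok, right_ok;
	uint8_t partial, left_bug, right_bug;
	size_t right_zone_len;
};

/* Lay out a 10-byte alloca at hypothetical offset 64 and probe the accesses
 * the tests in patch 2/5 make: one byte before and one byte past the buffer. */
static struct probe probe_alloca10(void)
{
	const size_t base = 64, size = 10;
	struct model m;
	struct probe p;
	size_t i, n = 0;

	memset(m.shadow, 0, sizeof m.shadow);		/* clean stack slice */
	alloca_poison(&m, base, size);

	p.left_ok = access_ok(&m, base - 1);		/* left redzone */
	p.last_ok = access_ok(&m, base + size - 1);	/* last valid byte */
	p.right_ok = access_ok(&m, base + size);	/* byte 10, chunk [8,16) */
	p.partial = m.shadow[(base + size) / SHADOW_SCALE_SIZE];
	p.left_bug = bug_shadow(&m, base - 1);
	p.right_bug = bug_shadow(&m, base + size);
	for (i = (base + round_up_to(size, SHADOW_SCALE_SIZE)) / SHADOW_SCALE_SIZE;
	     i < SHADOW_BYTES && m.shadow[i] == ALLOCA_RIGHT; i++)
		n++;
	p.right_zone_len = n * SHADOW_SCALE_SIZE;	/* padding + right redzone */
	return p;
}

int main(void)
{
	struct probe p = probe_alloca10();

	printf("alloca[10]: byte -1 %s (0x%02x), byte 9 %s, byte 10 %s "
	       "(partial %u, next 0x%02x), right zone %zu bytes\n",
	       p.left_ok ? "ok" : "BAD", p.left_bug, p.last_ok ? "ok" : "BAD",
	       p.right_ok ? "ok" : "BAD", p.partial, p.right_bug, p.right_zone_len);
	return 0;
}
```

For size 10 the object occupies shadow chunk [0,8) as 0 and chunk [8,16) as the partial value 2, so the read at byte 10 fails the partial check rather than hitting a redzone byte; the report still comes out as alloca-out-of-bounds because the next shadow byte is 0xCB. The 0xCB run is 48 bytes here: 16 bytes of padding up to the 32-byte boundary plus the 32-byte redzone, which is the `padding_size + KASAN_ALLOCA_REDZONE_SIZE` term in the patch.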
From: Dmitry Vyukov Date: Thu, 30 Nov 2017 09:30:41 +0100 Message-ID: Subject: Re: [PATCH v2 2/5] kasan: Add tests for alloca poisonong Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Paul Lawrence Cc: Andrey Ryabinin , Alexander Potapenko , Masahiro Yamada , Michal Marek , LKML , kasan-dev , Linux-MM , "open list:KERNEL BUILD + fi..." , Matthias Kaehlcke , Michael Davidson , Greg Hackmann On Wed, Nov 29, 2017 at 10:50 PM, 'Paul Lawrence' via kasan-dev wrote: > Signed-off-by: Greg Hackmann > Signed-off-by: Paul Lawrence > > lib/test_kasan.c | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > index ef1a3ac1397e..2724f86c4cef 100644 > --- a/lib/test_kasan.c > +++ b/lib/test_kasan.c > @@ -472,6 +472,26 @@ static noinline void __init use_after_scope_test(void) > p[1023] = 1; > } > > +static noinline void __init kasan_alloca_oob_left(void) > +{ > + volatile int i = 10; > + char alloca_array[i]; > + char *p = alloca_array - 1; > + > + pr_info("out-of-bounds to left on alloca\n"); > + *(volatile char *)p; > +} > + > +static noinline void __init kasan_alloca_oob_right(void) > +{ > + volatile int i = 10; > + char alloca_array[i]; > + char *p = alloca_array + i; > + > + pr_info("out-of-bounds to right on alloca\n"); > + *(volatile char *)p; > +} > + > static int __init kmalloc_tests_init(void) > { > /* 
> @@ -502,6 +522,8 @@ static int __init kmalloc_tests_init(void) > memcg_accounted_kmem_cache(); > kasan_stack_oob(); > kasan_global_oob(); > + kasan_alloca_oob_left(); > + kasan_alloca_oob_right(); > ksize_unpoisons_memory(); > copy_user_test(); > use_after_scope_test(); Reviewed-by: Dmitry Vyukov -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f200.google.com (mail-pf0-f200.google.com [209.85.192.200]) by kanga.kvack.org (Postfix) with ESMTP id 939A46B0253 for ; Thu, 30 Nov 2017 03:31:49 -0500 (EST) Received: by mail-pf0-f200.google.com with SMTP id f64so4462988pfd.6 for ; Thu, 30 Nov 2017 00:31:49 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id 64sor1114146pfj.8.2017.11.30.00.31.48 for (Google Transport Security); Thu, 30 Nov 2017 00:31:48 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <20171129215050.158653-4-paullawrence@google.com> References: <20171129215050.158653-1-paullawrence@google.com> <20171129215050.158653-4-paullawrence@google.com> From: Dmitry Vyukov Date: Thu, 30 Nov 2017 09:31:27 +0100 Message-ID: Subject: Re: [PATCH v2 3/5] kasan: added functions for unpoisoning stack variables Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Paul Lawrence Cc: Andrey Ryabinin , Alexander Potapenko , Masahiro Yamada , Michal Marek , LKML , kasan-dev , Linux-MM , "open list:KERNEL BUILD + fi..." , Matthias Kaehlcke , Michael Davidson , Greg Hackmann On Wed, Nov 29, 2017 at 10:50 PM, 'Paul Lawrence' via kasan-dev wrote: 
> From: Alexander Potapenko > > As a code-size optimization, LLVM builds since r279383 may > bulk-manipulate the shadow region when (un)poisoning large memory > blocks. This requires new callbacks that simply do an uninstrumented > memset(). > > This fixes linking the Clang-built kernel when using KASAN. > > Signed-off-by: Alexander Potapenko > [ghackmann@google.com: fix memset() parameters, and tweak > commit message to describe new callbacks] > Signed-off-by: Greg Hackmann > Signed-off-by: Paul Lawrence > > --- > mm/kasan/kasan.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c > index f86f862f41f8..89565a1ec417 100644 > --- a/mm/kasan/kasan.c > +++ b/mm/kasan/kasan.c 
> @@ -768,6 +768,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) > } > EXPORT_SYMBOL(__asan_allocas_unpoison); > > +/* Emitted by the compiler to [un]poison local variables. */ > +#define DEFINE_ASAN_SET_SHADOW(byte) \ > + void __asan_set_shadow_##byte(const void *addr, size_t size) \ > + { \ > + __memset((void *)addr, 0x##byte, size); \ > + } \ > + EXPORT_SYMBOL(__asan_set_shadow_##byte) > + > +DEFINE_ASAN_SET_SHADOW(00); > +DEFINE_ASAN_SET_SHADOW(f1); > +DEFINE_ASAN_SET_SHADOW(f2); > +DEFINE_ASAN_SET_SHADOW(f3); > +DEFINE_ASAN_SET_SHADOW(f5); > +DEFINE_ASAN_SET_SHADOW(f8); > + > #ifdef CONFIG_MEMORY_HOTPLUG > static int __meminit kasan_mem_notifier(struct notifier_block *nb, > unsigned long action, void *data) Reviewed-by: Dmitry Vyukov -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pl0-f69.google.com (mail-pl0-f69.google.com [209.85.160.69]) by kanga.kvack.org (Postfix) with ESMTP id 41C996B0038 for ; Thu, 30 Nov 2017 03:33:46 -0500 (EST) Received: by mail-pl0-f69.google.com with SMTP id d3so2484996plj.22 for ; Thu, 30 Nov 2017 00:33:46 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id 12sor1440504pld.115.2017.11.30.00.33.45 for (Google Transport Security); Thu, 30 Nov 2017 00:33:45 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <20171129215050.158653-5-paullawrence@google.com> References: <20171129215050.158653-1-paullawrence@google.com> <20171129215050.158653-5-paullawrence@google.com> 
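Review bot: the comment `/* Emitted by the compiler to [un]poison local variables. */` should say that `addr` is already a shadow address: the compiler computes the shadow location inline and these callbacks write the byte pattern straight into it with __memset(), which is why there is no address-to-shadow translation here, unlike the other poisoning paths in this file. Without that note the `(void *)addr` cast reads as if the callee were overwriting the caller's object itself. A second sentence mapping the six values (00, f1, f2, f3, f5, f8) to the stack-redzone markers the reporting code already recognises would document why exactly these six are exported, since the cover letter only says that clang builds need f8.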
From: Dmitry Vyukov Date: Thu, 30 Nov 2017 09:33:23 +0100 Message-ID: Subject: Re: [PATCH v2 4/5] kasan: support LLVM-style asan parameters Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Paul Lawrence Cc: Andrey Ryabinin , Alexander Potapenko , Masahiro Yamada , Michal Marek , LKML , kasan-dev , Linux-MM , "open list:KERNEL BUILD + fi..." , Matthias Kaehlcke , Michael Davidson , Greg Hackmann On Wed, Nov 29, 2017 at 10:50 PM, 'Paul Lawrence' via kasan-dev wrote: > Use cc-option to figure out whether the compiler's sanitizer uses > LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters > ("--param asan-foo=bar"). > > Signed-off-by: Greg Hackmann > Signed-off-by: Paul Lawrence > > --- > scripts/Makefile.kasan | 39 +++++++++++++++++++++++++++------------ > 1 file changed, 27 insertions(+), 12 deletions(-) > > diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan > index 1ce7115aa499..89c5b166adec 100644 > --- a/scripts/Makefile.kasan > +++ b/scripts/Makefile.kasan 
> @@ -10,24 +10,39 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET) > > CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address > > -CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \ > - -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \ > - --param asan-stack=1 --param asan-globals=1 \ > - --param asan-instrumentation-with-call-threshold=$(call_threshold)) > - > ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),) > ifneq ($(CONFIG_COMPILE_TEST),y) > $(warning Cannot use CONFIG_KASAN: \ > -fsanitize=kernel-address is not supported by compiler) > endif > else > - ifeq ($(CFLAGS_KASAN),) > - ifneq ($(CONFIG_COMPILE_TEST),y) > - $(warning CONFIG_KASAN: compiler does not support all options.\ > - Trying minimal configuration) > - endif > - CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL) > - endif > + # -fasan-shadow-offset fails without -fsanitize > + CFLAGS_KASAN_SHADOW := \ > + $(call cc-option, -fsanitize=kernel-address \ > + -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET)) > + ifeq ($(CFLAGS_KASAN_SHADOW),) > + CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL) > + else > + CFLAGS_KASAN := $(CFLAGS_KASAN_SHADOW) > + endif > + > + # Now add all the compiler specific options that are valid standalone > + CFLAGS_KASAN := $(CFLAGS_KASAN) \ > + $(call cc-option, --param asan-globals=1) \ > + $(call cc-option, --param asan-instrument-allocas=1) \ > + $(call cc-option, --param asan-instrumentation-with-call-threshold=$(call_threshold)) \ > + $(call cc-option, -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET)) \ > + $(call cc-option, -mllvm -asan-stack=1) \ > + $(call cc-option, -mllvm -asan-globals=1) \ > + $(call cc-option, -mllvm -asan-use-after-scope=1) \ > + $(call cc-option, -mllvm -asan-instrumentation-with-call-threshold=$(call_threshold)) > + > + > + # This option crashes on gcc 4.9, and is not available on clang > + ifeq ($(call cc-ifversion, -ge, 0500, y), y) > + CFLAGS_KASAN := $(CFLAGS_KASAN) $(call cc-option, --param asan-stack=1) > + endif > + > endif > > 
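Review bot: the fallback to CFLAGS_KASAN_MINIMAL when CFLAGS_KASAN_SHADOW comes back empty is now silent, because the removed `$(warning CONFIG_KASAN: compiler does not support all options. Trying minimal configuration)` has no replacement; keep a warning under the same `ifneq ($(CONFIG_COMPILE_TEST),y)` guard so a build that quietly lost the shadow offset and every --param/-mllvm tuning shows up in the build log. Related: `-mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET)` is probed standalone even though the comment just above notes that the gcc equivalent fails without -fsanitize; probing it together with -fsanitize=kernel-address as the second choice for CFLAGS_KASAN_SHADOW would keep the shadow-offset handling symmetric for both compilers and would make a rejected offset fall back visibly rather than being dropped. Style: there are two consecutive blank `+` lines before the gcc 4.9 comment.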
CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope) Acked-by: Dmitry Vyukov -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f197.google.com (mail-pf0-f197.google.com [209.85.192.197]) by kanga.kvack.org (Postfix) with ESMTP id B156A6B0253 for ; Thu, 30 Nov 2017 03:34:40 -0500 (EST) Received: by mail-pf0-f197.google.com with SMTP id a6so4453796pff.17 for ; Thu, 30 Nov 2017 00:34:40 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id bc11sor1344042plb.71.2017.11.30.00.34.39 for (Google Transport Security); Thu, 30 Nov 2017 00:34:39 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <20171129215050.158653-6-paullawrence@google.com> References: <20171129215050.158653-1-paullawrence@google.com> <20171129215050.158653-6-paullawrence@google.com> From: Dmitry Vyukov Date: Thu, 30 Nov 2017 09:34:18 +0100 Message-ID: Subject: Re: [PATCH v2 5/5] kasan: add compiler support for clang Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Paul Lawrence Cc: Andrey Ryabinin , Alexander Potapenko , Masahiro Yamada , Michal Marek , LKML , kasan-dev , Linux-MM , "open list:KERNEL BUILD + fi..." , Matthias Kaehlcke , Michael Davidson , Greg Hackmann On Wed, Nov 29, 2017 at 10:50 PM, 'Paul Lawrence' via kasan-dev wrote: > For now we can hard-code ASAN ABI level 5, since historical clang builds > can't build the kernel anyway. We also need to emulate gcc's > __SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented. > > Signed-off-by: Greg Hackmann > Signed-off-by: Paul Lawrence > > --- > include/linux/compiler-clang.h | 8 ++++++++ > 1 file changed, 8 insertions(+) 
> > diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h > index 3b609edffa8f..d02a4df3f473 100644 > --- a/include/linux/compiler-clang.h > +++ b/include/linux/compiler-clang.h > @@ -19,3 +19,11 @@ > > #define randomized_struct_fields_start struct { > #define randomized_struct_fields_end }; > + > +/* all clang versions usable with the kernel support KASAN ABI version 5 */ > +#define KASAN_ABI_VERSION 5 > + > +/* emulate gcc's __SANITIZE_ADDRESS__ flag */ > +#if __has_feature(address_sanitizer) > +#define __SANITIZE_ADDRESS__ > +#endif Reviewed-by: Dmitry Vyukov -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f199.google.com (mail-pf0-f199.google.com [209.85.192.199]) by kanga.kvack.org (Postfix) with ESMTP id 1DC186B0261 for ; Thu, 30 Nov 2017 11:33:29 -0500 (EST) Received: by mail-pf0-f199.google.com with SMTP id r88so5196952pfi.23 for ; Thu, 30 Nov 2017 08:33:29 -0800 (PST) Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40112.outbound.protection.outlook.com. [40.107.4.112]) by mx.google.com with ESMTPS id s78si3507991pfj.225.2017.11.30.08.33.27 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 30 Nov 2017 08:33:27 -0800 (PST) Subject: Re: [PATCH v2 4/5] kasan: support LLVM-style asan parameters References: <20171129215050.158653-1-paullawrence@google.com> <20171129215050.158653-5-paullawrence@google.com> 
From: Andrey Ryabinin Message-ID: <7e9f3194-17c1-9dc5-9392-748801c831bd@virtuozzo.com> Date: Thu, 30 Nov 2017 19:36:54 +0300 MIME-Version: 1.0 In-Reply-To: <20171129215050.158653-5-paullawrence@google.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Paul Lawrence , Alexander Potapenko , Dmitry Vyukov , Masahiro Yamada , Michal Marek Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke , Michael Davidson , Greg Hackmann On 11/30/2017 12:50 AM, Paul Lawrence wrote: > Use cc-option to figure out whether the compiler's sanitizer uses > LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters > ("--param asan-foo=bar"). > > Signed-off-by: Greg Hackmann > Signed-off-by: Paul Lawrence > > --- > scripts/Makefile.kasan | 39 +++++++++++++++++++++++++++------------ > 1 file changed, 27 insertions(+), 12 deletions(-) > It looks rather messy. Try the following patch. Note, that I didn't add asan-instrument-allocas=1 because it has nothing to do with LLVM-style params support. asan-instrument-allocas should probably be in the patch that adds alloca() support. From: Andrey Ryabinin Subject: [PATCH] kasan/Makefile: Support LLVM style asan parameters. LLVM doesn't understand GCC-style paramters ("--param asan-foo=bar"), thus we currently we don't use inline/globals/stack instrumentation when building the kernel with clang. Add support for LLVM-style parameters ("-mllvm -asan-foo=bar") to enable all KASAN features. Signed-off-by: Andrey Ryabinin --- scripts/Makefile.kasan | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan index 1ce7115aa499..2af5977c394d 100644 --- a/scripts/Makefile.kasan +++ b/scripts/Makefile.kasan 
@@ -10,10 +10,7 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET) CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address -CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \ - -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \ - --param asan-stack=1 --param asan-globals=1 \ - --param asan-instrumentation-with-call-threshold=$(call_threshold)) +cc-param = $(call cc-option, --param $(1)) $(call cc-option, -mllvm -$(1)) ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),) ifneq ($(CONFIG_COMPILE_TEST),y) 
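Review bot: `cc-param = $(call cc-option, --param $(1)) $(call cc-option, -mllvm -$(1))` emits both spellings whenever both probes succeed, so it relies on gcc rejecting `-mllvm` and clang rejecting `--param`; if either driver ever accepts the other's form, even by ignoring it, the same parameter is passed twice in two syntaxes. Using the fallback form of cc-option that this patch already uses for CFLAGS_KASAN_SHADOW, `cc-param = $(call cc-option, --param $(1), $(call cc-option, -mllvm -$(1)))`, tries the -mllvm spelling only when --param is rejected and emits at most one. A comment above the definition stating the expected shape of $(1) (`asan-foo=bar`) would also help.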
@@ -21,13 +18,23 @@ ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),) -fsanitize=kernel-address is not supported by compiler) endif else - ifeq ($(CFLAGS_KASAN),) - ifneq ($(CONFIG_COMPILE_TEST),y) - $(warning CONFIG_KASAN: compiler does not support all options.\ - Trying minimal configuration) - endif - CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL) - endif + # -fasan-shadow-offset fails without -fsanitize + CFLAGS_KASAN_SHADOW := $(call cc-option, -fsanitize=kernel-address \ + -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET), \ + $(call cc-option, -fsanitize=kernel-address \ + -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET))) + + ifeq ($(CFLAGS_KASAN_SHADOW),) + CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL) + else + # Now add all the compiler specific options that are valid standalone + CFLAGS_KASAN := $(CFLAGS_KASAN_SHADOW) \ + $(call cc-param,asan-globals=1) \ + $(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \ + $(call cc-param,asan-stack=1) \ + $(call cc-param,asan-use-after-scope=1) + endif + endif CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope) -- 2.13.6 -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f199.google.com (mail-pf0-f199.google.com [209.85.192.199]) by kanga.kvack.org (Postfix) with ESMTP id DDE366B026B for ; Thu, 30 Nov 2017 11:41:44 -0500 (EST) Received: by mail-pf0-f199.google.com with SMTP id u3so5263675pfl.5 for ; Thu, 30 Nov 2017 08:41:44 -0800 (PST) Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0130.outbound.protection.outlook.com. 
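Review bot: `$(call cc-param,asan-stack=1)` is now added unconditionally, which drops the `cc-ifversion, -ge, 0500` guard carried by the v2 hunk this replaces (the one commented "This option crashes on gcc 4.9"); a cc-option probe only compiles an empty translation unit, so it cannot reproduce a crash that happens while instrumenting real stack frames, and gcc 4.9 builds would regress. Either keep the version guard around the asan-stack parameter or say in the commit message why the 4.9 case no longer matters. The same silent-fallback point as in the v2 patch applies: when CFLAGS_KASAN_SHADOW is empty, the minimal configuration is chosen without the warning the old code printed outside CONFIG_COMPILE_TEST.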
[104.47.2.130]) by mx.google.com with ESMTPS id x22si3279462pgc.53.2017.11.30.08.41.43 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 30 Nov 2017 08:41:43 -0800 (PST) Subject: Re: [PATCH v2 5/5] kasan: add compiler support for clang References: <20171129215050.158653-1-paullawrence@google.com> <20171129215050.158653-6-paullawrence@google.com> From: Andrey Ryabinin Message-ID: <8b1a30b7-9c16-ac0a-3cc1-6fb70247add0@virtuozzo.com> Date: Thu, 30 Nov 2017 19:45:10 +0300 MIME-Version: 1.0 In-Reply-To: <20171129215050.158653-6-paullawrence@google.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Paul Lawrence , Alexander Potapenko , Dmitry Vyukov , Masahiro Yamada , Michal Marek Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke , Michael Davidson , Greg Hackmann On 11/30/2017 12:50 AM, Paul Lawrence wrote: > For now we can hard-code ASAN ABI level 5, since historical clang builds > can't build the kernel anyway. We also need to emulate gcc's > __SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented. > > Signed-off-by: Greg Hackmann > Signed-off-by: Paul Lawrence > > --- > include/linux/compiler-clang.h | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h > index 3b609edffa8f..d02a4df3f473 100644 > --- a/include/linux/compiler-clang.h > +++ b/include/linux/compiler-clang.h 
> @@ -19,3 +19,11 @@ > > #define randomized_struct_fields_start struct { > #define randomized_struct_fields_end }; > + > +/* all clang versions usable with the kernel support KASAN ABI version 5 */ > +#define KASAN_ABI_VERSION 5 > + This patch should be earlier in this series. Patch 4/5 breaks clang-built kernel, because we start using globals instrumentation with wrong KASAN_ABI_VERSION. > +/* emulate gcc's __SANITIZE_ADDRESS__ flag */ > +#if __has_feature(address_sanitizer) > +#define __SANITIZE_ADDRESS__ > +#endif > -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org
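Review bot: `#define __SANITIZE_ADDRESS__` gives the macro an empty expansion, whereas gcc defines it with the value 1; `#ifdef` and `defined()` tests behave the same either way, but any `#if __SANITIZE_ADDRESS__` would become a preprocessor error under clang. Defining it as `#define __SANITIZE_ADDRESS__ 1` matches gcc exactly and costs nothing. The ordering point raised above also belongs in the commit message: KASAN_ABI_VERSION 5 is what makes the globals instrumentation enabled by patch 4/5 correct on clang, so this header change has to precede the Makefile change in the series.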