Subject: Re: [PATCH] mm, kasan: introduce a special shadow value for allocator metadata
From: Andrey Ryabinin
To: Alexander Potapenko
CC: Andrey Konovalov, Christoph Lameter, Dmitriy Vyukov, Andrew Morton, Steven Rostedt, Joonsoo Kim, Kostya Serebryany, kasan-dev, Linux Memory Management List, LKML
Date: Wed, 1 Jun 2016 18:23:59 +0300
Message-ID: <574EFE0F.2000404@virtuozzo.com>
References: <1464691466-59010-1-git-send-email-glider@google.com> <574D7B11.8090709@virtuozzo.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/31/2016 08:49 PM, Alexander Potapenko wrote:
> On Tue, May 31, 2016 at 1:52 PM, Andrey Ryabinin wrote:
>>
>>
>> On 05/31/2016 01:44 PM, Alexander Potapenko wrote:
>>> Add a special shadow value to distinguish accesses to KASAN-specific
>>> allocator metadata.
>>>
>>> Unlike AddressSanitizer in userspace, KASAN lets the kernel proceed
>>> after a memory error. However, a write to the kmalloc metadata may cause
>>> memory corruptions that will make the tool itself unreliable and induce
>>> crashes later on. Warning about such corruptions will ease the
>>> debugging.
>>
>> It will not. Whether an out-of-bounds access hits metadata or not is absolutely irrelevant
>> to the bug itself. This information doesn't help to understand, analyze or fix the bug.
>>
> Here's the example that made me think the opposite.
>
> I've been reworking KASAN hooks for mempool and added a test that did
> a write-after-free to an object allocated from a mempool.
> This resulted in flaky kernel crashes somewhere in quarantine
> shrinking after several attempts to `insmod test_kasan.ko`.
> Because there already were numerous KASAN errors in the test, it
> wasn't evident that the crashes were related to the new test, so I
> thought the problem was in the buggy quarantine implementation.
> However, the problem was indeed in the new test, which corrupted the
> quarantine pointer in the object and caused a crash while traversing
> the quarantine list.
>
> My previous experience with userspace ASan shows that crashes in the
> tool code itself puzzle the developers.
> As a result, the users think that the tool is broken and don't believe
> its reports.
>
> I first thought about hardening the quarantine list by checksumming
> the pointers and validating them on each traversal.
> This prevents the crashes, but doesn't give the users any idea about
> what went wrong.
> On the other hand, reporting the pointer corruption right when it happens does.
> Distinguishing between a regular UAF and a quarantine corruption
> (which is what the patch in question is about) helps to prioritize the
> KASAN reports and give the developers a better understanding of the
> consequences.
>

After the first report we have memory in a corrupted state, so we are done here.
Anything that happens after the first report can't be trusted since it can be an
after-effect, just like in your case. Such crashes are not worth looking at.

An out-of-bounds access that doesn't hit metadata, like any other memory corruption,
can also lead to after-effect crashes, thus distinguishing such bugs doesn't make a
lot of sense.

The test_kasan module is just a quick hack, made only to make sure that KASAN works.
It does some crappy things, and may lead to a crash as well. So I would recommend an
immediate reboot even after a single attempt to load it.
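Editor's note: the following is an added user-space model of the mechanism the thread argues about, not code from the patch, from the kernel, or from either participant. It models 8-byte shadow granules, a bump allocator with a trailing redzone, and a quarantine whose list link is stored in the first bytes of the freed object (as the thread describes). The numeric shadow values, the name KASAN_KMALLOC_META, and every function name (model_kmalloc, model_kfree, check_access, quarantine_walk, demo) are assumptions chosen for illustration, not the kernel's. It shows what the patch would change: the same write-after-free is classified as a metadata hit when it lands on the quarantine link and as a plain UAF otherwise, and the walk afterwards shows the after-effect Andrey refers to.

```c
/* Added example: user-space model of a KASAN-style shadow encoding with a
 * separate value for allocator metadata. Not kernel code; all constants and
 * names below are assumptions made for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GRANULE     8                    /* bytes covered by one shadow byte */
#define ARENA_SIZE  256
#define SHADOW_SIZE (ARENA_SIZE / GRANULE)

/* Shadow values (assumed numbers; KASAN_KMALLOC_META is the hypothetical
 * value for allocator metadata that the patch proposes). */
#define SHADOW_OK             0x00
#define KASAN_KMALLOC_REDZONE 0xFC
#define KASAN_KMALLOC_FREE    0xFB
#define KASAN_KMALLOC_META    0xF9

enum report { REPORT_NONE, REPORT_OOB, REPORT_UAF, REPORT_META };

struct qlist_node { struct qlist_node *next; };  /* quarantine list link */

static uint8_t arena[ARENA_SIZE] __attribute__((aligned(GRANULE)));
static uint8_t shadow[SHADOW_SIZE];
static struct qlist_node *quarantine;  /* freed objects awaiting reuse */
static size_t arena_top;               /* bump pointer into arena */

static size_t shadow_index(const void *p)
{
    return (size_t)((const uint8_t *)p - arena) / GRANULE;
}

/* Set the shadow bytes for [p, p+len) to value (rounded up to granules). */
static void poison(void *p, size_t len, uint8_t value)
{
    memset(&shadow[shadow_index(p)], value, (len + GRANULE - 1) / GRANULE);
}

/* Allocate: object granules addressable, one granule of redzone after it. */
static void *model_kmalloc(size_t size)
{
    size_t rounded = (size + GRANULE - 1) / GRANULE * GRANULE;
    if (arena_top + rounded + GRANULE > ARENA_SIZE)
        return NULL;
    void *obj = &arena[arena_top];
    poison(obj, rounded, SHADOW_OK);
    poison((uint8_t *)obj + rounded, GRANULE, KASAN_KMALLOC_REDZONE);
    arena_top += rounded + GRANULE;
    return obj;
}

/* Free: push the object on the quarantine list. The link lives in the
 * object body, so its granule gets the metadata value and the rest of the
 * object is marked as freed. */
static void model_kfree(void *obj, size_t size)
{
    size_t rounded = (size + GRANULE - 1) / GRANULE * GRANULE;
    struct qlist_node *n = obj;
    n->next = quarantine;
    quarantine = n;
    poison(obj, rounded, KASAN_KMALLOC_FREE);
    poison(obj, sizeof(*n), KASAN_KMALLOC_META);
}

/* Classify an access by the first poisoned granule it touches. */
static enum report check_access(const void *p, size_t len)
{
    size_t first = shadow_index(p);
    size_t last = shadow_index((const uint8_t *)p + len - 1);
    for (size_t i = first; i <= last; i++) {
        switch (shadow[i]) {
        case KASAN_KMALLOC_REDZONE: return REPORT_OOB;
        case KASAN_KMALLOC_FREE:    return REPORT_UAF;
        case KASAN_KMALLOC_META:    return REPORT_META;
        default:                    continue;
        }
    }
    return REPORT_NONE;
}

/* Walk the quarantine. Returns the entry count, or -1 when a link points
 * outside the arena, which is what a clobbered list pointer looks like. */
static int quarantine_walk(void)
{
    int count = 0;
    for (struct qlist_node *n = quarantine; n; n = n->next) {
        if ((uint8_t *)n < arena || (uint8_t *)n >= arena + ARENA_SIZE)
            return -1;
        count++;
    }
    return count;
}

/* The scenario from the thread: a write-after-free that lands on the link.
 * r[0..2] receive the classifications; the return value is the walk result. */
static int demo(enum report r[3])
{
    uint8_t *obj = model_kmalloc(32);
    memset(obj, 0xAB, 32);
    model_kfree(obj, 32);
    r[0] = check_access(obj + 16, 8);  /* freed body: plain UAF */
    r[1] = check_access(obj, 8);       /* quarantine link: metadata hit */
    r[2] = check_access(obj + 32, 1);  /* past the end: redzone */
    memset(obj, 0x41, 8);              /* the write actually goes through */
    return quarantine_walk();          /* -1: the after-effect, not the bug */
}

int main(void)
{
    enum report r[3];
    int walked = demo(r);
    printf("uaf=%d meta=%d oob=%d walk=%d\n", r[0], r[1], r[2], walked);
    return 0;
}
```

The point the model makes concrete on both sides of the argument: the metadata report fires at the first write, so the corruption is attributed to the offending access; the walk result afterwards is the after-effect, and nothing about it identifies the bug.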