[PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN

[PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN

[Walter Wu]

Syzbot reports many UAF issues for workqueue or timer, see [1] and [2].
In some of these access/allocation happened in process_one_work(),
we see the free stack is useless in KASAN report, it doesn't help
programmers to solve UAF on workqueue. The same may stand for times.

This patchset improves KASAN reports by making them to have workqueue
queueing stack and timer stack information. It is useful for programmers
to solve use-after-free or double-free memory issue.

Generic KASAN also records the last two workqueue and timer stacks and
prints them in KASAN report. It is only suitable for generic KASAN.

[1]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22+process_one_work
[2]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22%20expire_timers
[3]https://bugzilla.kernel.org/show_bug.cgi?id=198437

Walter Wu (6):
timer: kasan: record timer stack
workqueue: kasan: record workqueue stack
kasan: print timer and workqueue stack
lib/test_kasan.c: add timer test case
lib/test_kasan.c: add workqueue test case
kasan: update documentation for generic kasan

---

Changes since v2:
- modify kasan document to be more readable.
  Thanks for Marco suggestion.

Changes since v1:
- Thanks for Marco and Thomas suggestion.
- Remove unnecessary code and fix commit log
- reuse kasan_record_aux_stack() and aux_stack
  to record timer and workqueue stack.
- change the aux stack title for common name.

---

Documentation/dev-tools/kasan.rst |  4 ++--
kernel/time/timer.c               |  3 +++
kernel/workqueue.c                |  3 +++
lib/test_kasan.c                  | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
mm/kasan/report.c                 |  4 ++--
5 files changed, 64 insertions(+), 4 deletions(-)

Re: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN

[Marco Elver]

On Tue, 25 Aug 2020 at 03:57, Walter Wu <walter-zh.wu@mediatek.com> wrote:
>
> Syzbot reports many UAF issues for workqueue or timer, see [1] and [2].
> In some of these access/allocation happened in process_one_work(),
> we see the free stack is useless in KASAN report, it doesn't help
> programmers to solve UAF on workqueue. The same may stand for times.
>
> This patchset improves KASAN reports by making them to have workqueue
> queueing stack and timer stack information. It is useful for programmers
> to solve use-after-free or double-free memory issue.
>
> Generic KASAN also records the last two workqueue and timer stacks and
> prints them in KASAN report. It is only suitable for generic KASAN.
>
> [1]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22+process_one_work
> [2]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22%20expire_timers
> [3]https://bugzilla.kernel.org/show_bug.cgi?id=198437
>
> Walter Wu (6):
> timer: kasan: record timer stack
> workqueue: kasan: record workqueue stack
> kasan: print timer and workqueue stack
> lib/test_kasan.c: add timer test case
> lib/test_kasan.c: add workqueue test case
> kasan: update documentation for generic kasan

Acked-by: Marco Elver <elver@google.com>



> ---
>
> Changes since v2:
> - modify kasan document to be more readable.
>   Thanks for Marco suggestion.
>
> Changes since v1:
> - Thanks for Marco and Thomas suggestion.
> - Remove unnecessary code and fix commit log
> - reuse kasan_record_aux_stack() and aux_stack
>   to record timer and workqueue stack.
> - change the aux stack title for common name.
>
> ---
>
> Documentation/dev-tools/kasan.rst |  4 ++--
> kernel/time/timer.c               |  3 +++
> kernel/workqueue.c                |  3 +++
> lib/test_kasan.c                  | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> mm/kasan/report.c                 |  4 ++--
> 5 files changed, 64 insertions(+), 4 deletions(-)
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200825015654.27781-1-walter-zh.wu%40mediatek.com.

Re: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN

[Andrey Konovalov]

On Tue, Aug 25, 2020 at 10:26 AM 'Marco Elver' via kasan-dev
<kasan-dev@googlegroups.com> wrote:
>
> On Tue, 25 Aug 2020 at 03:57, Walter Wu <walter-zh.wu@mediatek.com> wrote:
> >
> > Syzbot reports many UAF issues for workqueue or timer, see [1] and [2].
> > In some of these access/allocation happened in process_one_work(),
> > we see the free stack is useless in KASAN report, it doesn't help
> > programmers to solve UAF on workqueue. The same may stand for times.
> >
> > This patchset improves KASAN reports by making them to have workqueue
> > queueing stack and timer stack information. It is useful for programmers
> > to solve use-after-free or double-free memory issue.
> >
> > Generic KASAN also records the last two workqueue and timer stacks and
> > prints them in KASAN report. It is only suitable for generic KASAN.
> >
> > [1]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22+process_one_work
> > [2]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22%20expire_timers
> > [3]https://bugzilla.kernel.org/show_bug.cgi?id=198437
> >
> > Walter Wu (6):
> > timer: kasan: record timer stack
> > workqueue: kasan: record workqueue stack
> > kasan: print timer and workqueue stack
> > lib/test_kasan.c: add timer test case
> > lib/test_kasan.c: add workqueue test case
> > kasan: update documentation for generic kasan
>
> Acked-by: Marco Elver <elver@google.com>

Reviewed-by: Andrey Konovalov <andreyknvl@google.com>

>
>
>
> > ---
> >
> > Changes since v2:
> > - modify kasan document to be more readable.
> >   Thanks for Marco suggestion.
> >
> > Changes since v1:
> > - Thanks for Marco and Thomas suggestion.
> > - Remove unnecessary code and fix commit log
> > - reuse kasan_record_aux_stack() and aux_stack
> >   to record timer and workqueue stack.
> > - change the aux stack title for common name.
> >
> > ---
> >
> > Documentation/dev-tools/kasan.rst |  4 ++--
> > kernel/time/timer.c               |  3 +++
> > kernel/workqueue.c                |  3 +++
> > lib/test_kasan.c                  | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > mm/kasan/report.c                 |  4 ++--
> > 5 files changed, 64 insertions(+), 4 deletions(-)
> >
> > --
> > You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200825015654.27781-1-walter-zh.wu%40mediatek.com.
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/CANpmjNOvj%2B%3Dv7VDVDXpsUNZ9o0%2BKoJVJs0MjLhwr0XpYcYQZ5g%40mail.gmail.com.

Re: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN

[Dmitry Vyukov]

On Wed, Aug 26, 2020 at 2:30 PM 'Andrey Konovalov' via kasan-dev
<kasan-dev@googlegroups.com> wrote:
>
> On Tue, Aug 25, 2020 at 10:26 AM 'Marco Elver' via kasan-dev
> <kasan-dev@googlegroups.com> wrote:
> >
> > On Tue, 25 Aug 2020 at 03:57, Walter Wu <walter-zh.wu@mediatek.com> wrote:
> > >
> > > Syzbot reports many UAF issues for workqueue or timer, see [1] and [2].
> > > In some of these access/allocation happened in process_one_work(),
> > > we see the free stack is useless in KASAN report, it doesn't help
> > > programmers to solve UAF on workqueue. The same may stand for times.
> > >
> > > This patchset improves KASAN reports by making them to have workqueue
> > > queueing stack and timer stack information. It is useful for programmers
> > > to solve use-after-free or double-free memory issue.
> > >
> > > Generic KASAN also records the last two workqueue and timer stacks and
> > > prints them in KASAN report. It is only suitable for generic KASAN.
> > >
> > > [1]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22+process_one_work
> > > [2]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22%20expire_timers
> > > [3]https://bugzilla.kernel.org/show_bug.cgi?id=198437
> > >
> > > Walter Wu (6):
> > > timer: kasan: record timer stack
> > > workqueue: kasan: record workqueue stack
> > > kasan: print timer and workqueue stack
> > > lib/test_kasan.c: add timer test case
> > > lib/test_kasan.c: add workqueue test case
> > > kasan: update documentation for generic kasan
> >
> > Acked-by: Marco Elver <elver@google.com>
>
> Reviewed-by: Andrey Konovalov <andreyknvl@google.com>

Reviewed-by: Dmitry Vyukov <dvyukov@google.com>

Thanks! The UAF reports with RCU stacks that I see now are just 🔥🔥🔥

> > > ---
> > >
> > > Changes since v2:
> > > - modify kasan document to be more readable.
> > >   Thanks for Marco suggestion.
> > >
> > > Changes since v1:
> > > - Thanks for Marco and Thomas suggestion.
> > > - Remove unnecessary code and fix commit log
> > > - reuse kasan_record_aux_stack() and aux_stack
> > >   to record timer and workqueue stack.
> > > - change the aux stack title for common name.
> > >
> > > ---
> > >
> > > Documentation/dev-tools/kasan.rst |  4 ++--
> > > kernel/time/timer.c               |  3 +++
> > > kernel/workqueue.c                |  3 +++
> > > lib/test_kasan.c                  | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > mm/kasan/report.c                 |  4 ++--
> > > 5 files changed, 64 insertions(+), 4 deletions(-)
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com.
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200825015654.27781-1-walter-zh.wu%40mediatek.com.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/CANpmjNOvj%2B%3Dv7VDVDXpsUNZ9o0%2BKoJVJs0MjLhwr0XpYcYQZ5g%40mail.gmail.com.
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/CAAeHK%2ByVShDPCxVKDsO_5SwoM2ZG7x7byUJ74PtB7ekY61L2YQ%40mail.gmail.com.

Re: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN

[Walter Wu]

On Mon, 2020-09-14 at 14:25 +0200, Andrey Konovalov wrote:
> On Sun, Sep 13, 2020 at 12:17 PM Dmitry Vyukov <dvyukov@google.com>
> wrote:
> 
>         On Wed, Aug 26, 2020 at 2:30 PM 'Andrey Konovalov' via
>         kasan-dev
>         <kasan-dev@googlegroups.com> wrote:
>         >
>         > On Tue, Aug 25, 2020 at 10:26 AM 'Marco Elver' via kasan-dev
>         > <kasan-dev@googlegroups.com> wrote:
>         > >
>         > > On Tue, 25 Aug 2020 at 03:57, Walter Wu
>         <walter-zh.wu@mediatek.com> wrote:
>         > > >
>         > > > Syzbot reports many UAF issues for workqueue or timer,
>         see [1] and [2].
>         > > > In some of these access/allocation happened in
>         process_one_work(),
>         > > > we see the free stack is useless in KASAN report, it
>         doesn't help
>         > > > programmers to solve UAF on workqueue. The same may
>         stand for times.
>         > > >
>         > > > This patchset improves KASAN reports by making them to
>         have workqueue
>         > > > queueing stack and timer stack information. It is useful
>         for programmers
>         > > > to solve use-after-free or double-free memory issue.
>         > > >
>         > > > Generic KASAN also records the last two workqueue and
>         timer stacks and
>         > > > prints them in KASAN report. It is only suitable for
>         generic KASAN.
>         > > >
>         > > > [1]https://groups.google.com/g/syzkaller-bugs/search?q=%
>         22use-after-free%22+process_one_work
>         > > > [2]https://groups.google.com/g/syzkaller-bugs/search?q=%
>         22use-after-free%22%20expire_timers
>         > > > [3]https://bugzilla.kernel.org/show_bug.cgi?id=198437
>         > > >
>         > > > Walter Wu (6):
>         > > > timer: kasan: record timer stack
>         > > > workqueue: kasan: record workqueue stack
>         > > > kasan: print timer and workqueue stack
>         > > > lib/test_kasan.c: add timer test case
>         > > > lib/test_kasan.c: add workqueue test case
>         > > > kasan: update documentation for generic kasan
>         > >
>         > > Acked-by: Marco Elver <elver@google.com>
>         >
>         > Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
>         
>         Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
>         
>         Thanks! The UAF reports with RCU stacks that I see now are
>         just 🔥🔥🔥
> 
> 
> Hi Walter,
> 
> 
> This patchset needs to be rebased onto the KASAN-KUNIT patches, which
> just recently went into the mm tree.
> 
> 
> Thanks!

Hi Dmitry, Andrey,

Got it. 

Thanks for your review and reminder.

Walter