Re: [PATCH v6 13/18] khwasan: add bug reporting routines
From: Dmitry Vyukov
Date: Wed Sep 12 2018 - 13:50:35 EST
On Wed, Aug 29, 2018 at 1:35 PM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
> This commit adds rountines, that print KHWASAN error reports. Those are
> quite similar to KASAN, the difference is:
>
> 1. The way KHWASAN finds the first bad shadow cell (with a mismatching
> tag). KHWASAN compares memory tags from the shadow memory to the pointer
> tag.
>
> 2. KHWASAN reports all bugs with the "KASAN: invalid-access" header. This
> is done, so various external tools that already parse the kernel logs
> looking for KASAN reports wouldn't need to be changed.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> ---
> include/linux/kasan.h | 3 +++
> mm/kasan/kasan.h | 7 +++++
> mm/kasan/kasan_report.c | 7 ++---
> mm/kasan/khwasan_report.c | 21 +++++++++++++++
> mm/kasan/report.c | 57 +++++++++++++++++++++------------------
> 5 files changed, 64 insertions(+), 31 deletions(-)
>
> diff --git a/include/linux/kasan.h b/include/linux/kasan.h
> index 1f852244e739..4424359a9dfa 100644
> --- a/include/linux/kasan.h
> +++ b/include/linux/kasan.h
> @@ -174,6 +174,9 @@ void *khwasan_preset_slub_tag(struct kmem_cache *cache, const void *addr);
> void *khwasan_preset_slab_tag(struct kmem_cache *cache, unsigned int idx,
> const void *addr);
>
> +void kasan_report(unsigned long addr, size_t size,
> + bool write, unsigned long ip);
> +
> #else /* CONFIG_KASAN_HW */
>
> static inline void khwasan_init(void) { }
> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
> index 82672473740c..d60859d26be7 100644
> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -119,8 +119,15 @@ void kasan_poison_shadow(const void *address, size_t size, u8 value);
> void check_memory_region(unsigned long addr, size_t size, bool write,
> unsigned long ret_ip);
>
> +void *find_first_bad_addr(void *addr, size_t size);
> const char *get_bug_type(struct kasan_access_info *info);
>
> +#ifdef CONFIG_KASAN_HW
We already have #ifdef CONFIG_KASAN_HW section below with additional
functions for KASAN_HW and empty stubs otherwise. I would add this one
there as well.
> +void print_tags(u8 addr_tag, const void *addr);
> +#else
> +static inline void print_tags(u8 addr_tag, const void *addr) { }
> +#endif
> +
> void kasan_report(unsigned long addr, size_t size,
> bool is_write, unsigned long ip);
> void kasan_report_invalid_free(void *object, unsigned long ip);
> diff --git a/mm/kasan/kasan_report.c b/mm/kasan/kasan_report.c
> index 2d8decbecbd5..fdf2d77e3125 100644
> --- a/mm/kasan/kasan_report.c
> +++ b/mm/kasan/kasan_report.c
> @@ -33,10 +33,10 @@
> #include "kasan.h"
> #include "../slab.h"
>
> -static const void *find_first_bad_addr(const void *addr, size_t size)
> +void *find_first_bad_addr(void *addr, size_t size)
> {
> u8 shadow_val = *(u8 *)kasan_mem_to_shadow(addr);
> - const void *first_bad_addr = addr;
> + void *first_bad_addr = addr;
>
> while (!shadow_val && first_bad_addr < addr + size) {
> first_bad_addr += KASAN_SHADOW_SCALE_SIZE;
> @@ -50,9 +50,6 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
> const char *bug_type = "unknown-crash";
> u8 *shadow_addr;
>
> - info->first_bad_addr = find_first_bad_addr(info->access_addr,
> - info->access_size);
> -
> shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);
>
> /*
> diff --git a/mm/kasan/khwasan_report.c b/mm/kasan/khwasan_report.c
> index 2edbc3c76be5..51238b404b08 100644
> --- a/mm/kasan/khwasan_report.c
> +++ b/mm/kasan/khwasan_report.c
> @@ -37,3 +37,24 @@ const char *get_bug_type(struct kasan_access_info *info)
> {
> return "invalid-access";
> }
> +
> +void *find_first_bad_addr(void *addr, size_t size)
> +{
> + u8 tag = get_tag(addr);
> + void *untagged_addr = reset_tag(addr);
> + u8 *shadow = (u8 *)kasan_mem_to_shadow(untagged_addr);
> + void *first_bad_addr = untagged_addr;
> +
> + while (*shadow == tag && first_bad_addr < untagged_addr + size) {
I think it's better to check that are within bounds before accessing
shadow. Otherwise it's kinda potential out-of-bounds access ;)
I know that we _should_ not do an oob here, but still.
Also feels that this function can be shortened to something like:
u8 tag = get_tag(addr);
void *p = reset_tag(addr);
void *end = p + size;
while (p < end && tag == *(u8 *)kasan_mem_to_shadow(p))
p += KASAN_SHADOW_SCALE_SIZE;
return p;
> + first_bad_addr += KASAN_SHADOW_SCALE_SIZE;
> + shadow = (u8 *)kasan_mem_to_shadow(first_bad_addr);
> + }
> + return first_bad_addr;
> +}
> +
> +void print_tags(u8 addr_tag, const void *addr)
> +{
> + u8 *shadow = (u8 *)kasan_mem_to_shadow(addr);
> +
> + pr_err("Pointer tag: [%02x], memory tag: [%02x]\n", addr_tag, *shadow);
> +}
> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
> index 155247a6f8a8..e031c78f2e52 100644
> --- a/mm/kasan/report.c
> +++ b/mm/kasan/report.c
> @@ -64,11 +64,10 @@ static int __init kasan_set_multi_shot(char *str)
> }
> __setup("kasan_multi_shot", kasan_set_multi_shot);
>
> -static void print_error_description(struct kasan_access_info *info,
> - const char *bug_type)
> +static void print_error_description(struct kasan_access_info *info)
> {
> pr_err("BUG: KASAN: %s in %pS\n",
> - bug_type, (void *)info->ip);
> + get_bug_type(info), (void *)info->ip);
> pr_err("%s of size %zu at addr %px by task %s/%d\n",
> info->is_write ? "Write" : "Read", info->access_size,
> info->access_addr, current->comm, task_pid_nr(current));
> @@ -272,6 +271,8 @@ void kasan_report_invalid_free(void *object, unsigned long ip)
>
> start_report(&flags);
> pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip);
> + print_tags(get_tag(object), reset_tag(object));
> + object = reset_tag(object);
> pr_err("\n");
> print_address_description(object);
> pr_err("\n");
> @@ -279,41 +280,45 @@ void kasan_report_invalid_free(void *object, unsigned long ip)
> end_report(&flags);
> }
>
> -static void kasan_report_error(struct kasan_access_info *info)
> -{
> - unsigned long flags;
> -
> - start_report(&flags);
> -
> - print_error_description(info, get_bug_type(info));
> - pr_err("\n");
> -
> - if (!addr_has_shadow(info->access_addr)) {
> - dump_stack();
> - } else {
> - print_address_description((void *)info->access_addr);
> - pr_err("\n");
> - print_shadow_for_address(info->first_bad_addr);
> - }
> -
> - end_report(&flags);
> -}
> -
> void kasan_report(unsigned long addr, size_t size,
> bool is_write, unsigned long ip)
> {
> struct kasan_access_info info;
> + void *tagged_addr;
> + void *untagged_addr;
> + unsigned long flags;
>
> if (likely(!report_enabled()))
> return;
>
> disable_trace_on_warning();
>
> - info.access_addr = (void *)addr;
> - info.first_bad_addr = (void *)addr;
> + tagged_addr = (void *)addr;
> + untagged_addr = reset_tag(tagged_addr);
> +
> + info.access_addr = tagged_addr;
> + if (addr_has_shadow(untagged_addr))
> + info.first_bad_addr = find_first_bad_addr(tagged_addr, size);
> + else
> + info.first_bad_addr = untagged_addr;
> info.access_size = size;
> info.is_write = is_write;
> info.ip = ip;
>
> - kasan_report_error(&info);
> + start_report(&flags);
> +
> + print_error_description(&info);
> + if (addr_has_shadow(untagged_addr))
> + print_tags(get_tag(tagged_addr), info.first_bad_addr);
> + pr_err("\n");
> +
> + if (addr_has_shadow(untagged_addr)) {
> + print_address_description(untagged_addr);
> + pr_err("\n");
> + print_shadow_for_address(info.first_bad_addr);
> + } else {
> + dump_stack();
> + }
> +
> + end_report(&flags);
> }
> --
> 2.19.0.rc0.228.g281dcd1b4d0-goog
>