Re: [PATCH 3/3] x86/kasan: Print original address on #GP
From: Jann Horn
Date: Thu Nov 14 2019 - 10:09:51 EST
On Wed, Nov 13, 2019 at 11:11 AM Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> On Tue, Nov 12, 2019 at 10:10 PM 'Jann Horn' via kasan-dev
> <kasan-dev@xxxxxxxxxxxxxxxx> wrote:
> > Make #GP exceptions caused by out-of-bounds KASAN shadow accesses easier
> > to understand by computing the address of the original access and
> > printing that. More details are in the comments in the patch.
[...]
> +Andrey, do you see any issues for TAGS mode? Or, Jann, did you test
> it by any chance?
No, I didn't - I don't have anything set up for upstream arm64 testing here.
> > +void kasan_general_protection_hook(unsigned long addr)
> > {
> > - if (val == DIE_GPF) {
> > - pr_emerg("CONFIG_KASAN_INLINE enabled\n");
> > - pr_emerg("GPF could be caused by NULL-ptr deref or user memory access\n");
> > - }
> > - return NOTIFY_OK;
> > -}
> > + unsigned long orig_addr;
> > + const char *addr_type;
> > +
> > + if (addr < KASAN_SHADOW_OFFSET)
> > + return;
>
> Thinking how much sense it makes to compare addr with KASAN_SHADOW_END...
> If the addr is > KASAN_SHADOW_END, we know it's not a KASAN access,
> but do we ever get GP on canonical addresses?
#GP can occur for various reasons, but on x86-64, if it occurs because
of an invalid address, as far as I know it's always non-canonical. The
#GP handler I wrote will check the address and only call the KASAN
hook if the address is noncanonical (because otherwise the #GP
occurred for some other reason).
> > -static struct notifier_block kasan_die_notifier = {
> > - .notifier_call = kasan_die_handler,
> > -};
> > + orig_addr = (addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
> > + /*
> > + * For faults near the shadow address for NULL, we can be fairly certain
> > + * that this is a KASAN shadow memory access.
> > + * For faults that correspond to shadow for low canonical addresses, we
> > + * can still be pretty sure - that shadow region is a fairly narrow
> > + * chunk of the non-canonical address space.
> > + * But faults that look like shadow for non-canonical addresses are a
> > + * really large chunk of the address space. In that case, we still
> > + * print the decoded address, but make it clear that this is not
> > + * necessarily what's actually going on.
> > + */
> > + if (orig_addr < PAGE_SIZE)
> > + addr_type = "dereferencing kernel NULL pointer";
> > + else if (orig_addr < TASK_SIZE_MAX)
> > + addr_type = "probably dereferencing invalid pointer";
>
> This is access to user memory, right? In outline mode we call it
> "user-memory-access". We could say about "user" part here as well.
Okay, I'll copy that naming.
> > + else
> > + addr_type = "maybe dereferencing invalid pointer";
> > + pr_alert("%s in range [0x%016lx-0x%016lx]\n", addr_type,
> > + orig_addr, orig_addr + (1 << KASAN_SHADOW_SCALE_SHIFT) - 1);
>
> "(1 << KASAN_SHADOW_SCALE_SHIFT) - 1)" part may be replaced with
> KASAN_SHADOW_MASK.
> Overall it can make sense to move this mm/kasan/report.c b/c we are
> open-coding a number of things here (e.g. reverse address mapping). If
> another arch will do the same, it will need all of this code too (?).
Alright, I'll try to move it over.