Re: [PATCH] kfence: introduce burst mode
From: Alexander Potapenko
Date: Wed Aug 07 2024 - 04:28:33 EST
On Mon, Aug 5, 2024 at 2:43 PM Marco Elver <elver@xxxxxxxxxx> wrote:
>
> Introduce burst mode, which can be configured with kfence.burst=$count,
> where the burst count denotes the additional successive slab allocations
> to be allocated through KFENCE for each sample interval.
>
> The idea is that this can give developers an additional knob to make
> KFENCE more aggressive when debugging specific issues of systems where
> either rebooting or recompiling the kernel with KASAN is not possible.
>
> Experiment: To assess the effectiveness of the new option, we randomly
> picked a recent out-of-bounds [1] and use-after-free bug [2], each with
> a reproducer provided by syzbot, that initially detected these bugs with
> KASAN. We then tried to reproduce the bugs with KFENCE below.
>
> [1] Fixed by: 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr")
> https://syzkaller.appspot.com/bug?id=9d1b59d4718239da6f6069d3891863c25f9f24a2
> [2] Fixed by: f8ad00f3fb2a ("l2tp: fix possible UAF when cleaning up tunnels")
> https://syzkaller.appspot.com/bug?id=4f34adc84f4a3b080187c390eeef60611fd450e1
>
> The following KFENCE configs were compared. A pool size of 1023 objects
> was used for all configurations.
>
> Baseline
> kfence.sample_interval=100
> kfence.skip_covered_thresh=75
> kfence.burst=0
>
> Aggressive
> kfence.sample_interval=1
> kfence.skip_covered_thresh=10
> kfence.burst=0
>
> AggressiveBurst
> kfence.sample_interval=1
> kfence.skip_covered_thresh=10
> kfence.burst=1000
>
> Each reproducer was run 10 times (after a fresh reboot), with the
> following detection counts for each KFENCE config:
>
>                   | Detection Count out of 10 |
>                   |   OOB [1]   |   UAF [2]   |
> ------------------+-------------+-------------+
> Default           |    0/10     |    0/10     |
> Aggressive        |    0/10     |    0/10     |
> AggressiveBurst   |    8/10     |    8/10     |
>
> With the Default and even the Aggressive configs the results are
> unsurprising, given KFENCE has not been designed for deterministic bug
> detection of small test cases.
>
> However, when enabling burst mode with a relatively large burst count,
> KFENCE can start to detect heap memory-safety bugs even in simpler test
> cases with high probability (in the above cases with ~80% probability).
>
> Signed-off-by: Marco Elver <elver@xxxxxxxxxx>
Reviewed-by: Alexander Potapenko <glider@xxxxxxxxxx>
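The following is an added example for this page, not code from the patch or from either mail: a toy C model of the sampling gate the commit message describes (once per sample interval the gate opens; the next allocation is served from the KFENCE pool, and with kfence.burst=N the following N allocations are served too), used to compare how many allocations end up guarded under burst=0 and burst=1000. The pool size of 1023 is taken from the message. Everything else is an assumption of the model: the number of allocations per interval, a fixed per-object lifetime expressed in allocations, and the rule that an admitted allocation falls back to the normal slab when no pool object is free. kfence.skip_covered_thresh is not modelled, and the real kernel's timer and atomic gate are not reproduced; the point is to show that the burst count bounds coverage per interval and that the pool size bounds it overall when objects are long-lived.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of KFENCE's sampling gate with burst mode (added example, not
 * kernel code). Semantics taken from the commit message: each sample
 * interval admits 1 + burst allocations into the KFENCE pool.
 * Pool exhaustion handling and object lifetimes are model assumptions.
 */
struct kfence_model {
    unsigned int burst;       /* kfence.burst */
    unsigned int pool_size;   /* guarded objects available (1023 in the experiment) */
    unsigned int pool_in_use; /* guarded objects currently allocated */
    unsigned int gate;        /* allocations admitted since the last interval tick */
};

/* One sample interval has elapsed: reopen the gate. */
static void model_tick(struct kfence_model *m)
{
    m->gate = 0;
}

/* A slab allocation happens; returns 1 if the model guards it with KFENCE. */
static int model_alloc(struct kfence_model *m)
{
    /* Gate admits the sampled allocation plus `burst` successive ones. */
    if (m->gate >= 1 + m->burst)
        return 0;
    m->gate++;
    /* Assumption: admitted but pool full -> falls back to the normal slab. */
    if (m->pool_in_use >= m->pool_size)
        return 0;
    m->pool_in_use++;
    return 1;
}

/* A guarded object is freed and its pool slot becomes reusable. */
static void model_free(struct kfence_model *m)
{
    if (m->pool_in_use)
        m->pool_in_use--;
}

/*
 * Run `intervals` sample intervals of `allocs_per_interval` allocations each.
 * Every allocation is freed `lifetime` allocations later (assumption, modelled
 * with a ring of slots). Returns how many allocations were KFENCE-guarded.
 */
static unsigned long simulate(unsigned int burst, unsigned int pool_size,
                              unsigned int intervals,
                              unsigned int allocs_per_interval,
                              unsigned int lifetime)
{
    struct kfence_model m = { .burst = burst, .pool_size = pool_size };
    unsigned char *live = calloc(lifetime ? lifetime : 1, 1); /* live[i]: slot i holds a guarded object */
    unsigned long guarded = 0, n = 0;

    if (!live || lifetime == 0)
        return 0;
    for (unsigned int t = 0; t < intervals; t++) {
        model_tick(&m);
        for (unsigned int a = 0; a < allocs_per_interval; a++, n++) {
            unsigned int slot = n % lifetime;
            if (live[slot])          /* object allocated `lifetime` allocs ago dies */
                model_free(&m);
            live[slot] = (unsigned char)model_alloc(&m);
            guarded += live[slot];
        }
    }
    free(live);
    return guarded;
}

int main(void)
{
    /* Constructed workload: 10 intervals of 5000 allocations each. */
    printf("burst=0,    short-lived objects: %lu guarded\n", simulate(0, 1023, 10, 5000, 100));
    printf("burst=1000, short-lived objects: %lu guarded\n", simulate(1000, 1023, 10, 5000, 100));
    printf("burst=1000, long-lived objects:  %lu guarded (pool-bound)\n", simulate(1000, 1023, 10, 5000, 100000));
    return 0;
}
```

With burst=0 exactly one allocation per interval is guarded regardless of how many allocations occur, which is why the Default and Aggressive configs behave alike on a short reproducer. With burst=1000 the model guards 1001 per interval as long as objects are freed fast enough to recycle pool slots; when they are not, the 1023-object pool is exhausted after the first interval and coverage stops growing, so a large burst count is only as useful as the pool it draws from.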