Re: [PATCH 15/15] kasan: Add mitigation and debug modes

From: Andrey Konovalov
Date: Wed Feb 05 2025 - 18:46:46 EST


On Tue, Feb 4, 2025 at 6:37 PM Maciej Wieczor-Retman
<maciej.wieczor-retman@xxxxxxxxx> wrote:
>
> With a smaller memory footprint KASAN could be used in production systems.
> One problem is that saving stacktraces slows memory allocation
> substantially - with KASAN enabled up to 90% of time spent on kmalloc()
> is spent on saving the stacktrace.
>
> Add mitigation mode to allow the option for running KASAN focused on
> performance and security. In mitigation mode disable saving stacktraces
> and set fault mode to always panic on KASAN error as a security
> mechanism.
>
> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@xxxxxxxxx>
> ---
> lib/Kconfig.kasan | 28 ++++++++++++++++++++++++++++
> mm/kasan/report.c | 4 ++++
> mm/kasan/tags.c | 5 +++++
> 3 files changed, 37 insertions(+)
>
> diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
> index d08b4e9bf477..6daa62b40dea 100644
> --- a/lib/Kconfig.kasan
> +++ b/lib/Kconfig.kasan
> @@ -244,4 +244,32 @@ config KASAN_SW_TAGS_DENSE
> ARCH_HAS_KASAN_SW_TAGS_DENSE is needed for this option since the
> special tag macros need to be properly set for 4-bit wide tags.
>
> +choice
> + prompt "KASAN operation mode"
> + default KASAN_OPERATION_DEBUG
> + help
> + Choose between the mitigation or debug operation modes.
> +
> + The first one disables stacktrace saving and enables panic on error.
> + Faster memory allocation but less information. The second one is the
> + default where KASAN operates with full functionality.

This is something that I thought about before and I think we should
_not_ add configuration options like these. The distinction between
debug and mitigation modes is something that's specific to a
particular user of the feature. Some might prefer to take the impact
of having stack traces enabled in a production environment to allow
debugging in-the-wild exploitation attempts. Also at some point in the
future, we will hopefully have production-grade stack traces [1], and
this would thus change the desired behavior of
KASAN_OPERATION_MITIGATION.

We already have the kasan.stacktrace command-line parameter for
disabling stack trace collection. On top of that, if you prefer, we
could add a configuration option that changes the default value of
kasan_flag_stacktrace (but can still be overridden via the
kasan.stacktrace command-line parameter). Note though that by default,
stack traces should be turned on.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=211785


> +
> +config KASAN_OPERATION_DEBUG
> + bool "Debug operation mode"
> + depends on KASAN
> + help
> + The default mode. Full functionality and all boot parameters
> + available.
> +
> +config KASAN_OPERATION_MITIGATION
> + bool "Mitigation operation mode"
> + depends on KASAN
> + help
> + Operation mode dedicated at faster operation at the cost of less
> + information collection. Disables stacktrace saving for faster
> + allocations and forces panic on KASAN error to mitigate malicious
> + attacks.
> +
> +endchoice
> +
> endif # KASAN
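
Review bot: The choice help text describes the modes by position ("The first one disables stacktrace saving and enables panic on error"), but the entries are declared in the opposite order: KASAN_OPERATION_DEBUG comes first and KASAN_OPERATION_MITIGATION second, so the help reads as if the debug mode were the one that drops stack traces. Name each mode explicitly in the help instead of relying on order. The `depends on KASAN` line in both entries also looks redundant, since the choice sits inside the block closed by `endif # KASAN`. Finally, the debug entry advertises "all boot parameters available" while the mitigation entry never says which parameters stop being honoured; that should be spelled out there.
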
> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
> index ee9e406b0cdb..ae989d3bd919 100644
> --- a/mm/kasan/report.c
> +++ b/mm/kasan/report.c
> @@ -47,7 +47,11 @@ enum kasan_arg_fault {
> KASAN_ARG_FAULT_PANIC_ON_WRITE,
> };
>
> +#ifdef CONFIG_KASAN_OPERATION_MITIGATION
> +static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_PANIC;
> +#else
> static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_DEFAULT;
> +#endif
>
> /* kasan.fault=report/panic */
> static int __init early_kasan_fault(char *arg)
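
Review bot: The #ifdef around the kasan_arg_fault initializer only changes the compile-time default to KASAN_ARG_FAULT_PANIC; the early_kasan_fault() handler in the trailing context is left untouched, so as far as this hunk shows, a kasan.fault= value on the command line can still move the kernel off panic. That contradicts the Kconfig help, which says the mode "forces panic on KASAN error", and it is inconsistent with the tags.c hunk, where the stacktrace parameter is ignored outright. Either refuse the override in early_kasan_fault() when CONFIG_KASAN_OPERATION_MITIGATION is set, or reword the help to say panic is only the default.
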
> diff --git a/mm/kasan/tags.c b/mm/kasan/tags.c
> index c111d98961ed..2414cddeaaf3 100644
> --- a/mm/kasan/tags.c
> +++ b/mm/kasan/tags.c
> @@ -78,6 +78,11 @@ early_param("kasan.stack_ring_size", early_kasan_flag_stack_ring_size);
>
> void __init kasan_init_tags(void)
> {
> + if (IS_ENABLED(CONFIG_KASAN_OPERATION_MITIGATION)) {
> + static_branch_disable(&kasan_flag_stacktrace);
> + return;
> + }
> +
> switch (kasan_arg_stacktrace) {
> case KASAN_ARG_STACKTRACE_DEFAULT:
> /* Default is specified by kasan_flag_stacktrace definition. */
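
Review bot: The early `return` at the top of kasan_init_tags() skips the whole remainder of the function, not only the kasan_arg_stacktrace switch, so any setup that follows the switch is bypassed as well. Please confirm nothing after the switch is needed when stack traces are off, or restructure so that only the switch is skipped. The branch also makes a kasan.stacktrace= value on the command line silently ineffective in mitigation builds, with no message and no mention in the Kconfig help; logging that the parameter was ignored, or documenting it, would avoid surprising users who set it.
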
> --
> 2.47.1
>