mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-15 23:25:07 +00:00
e4b7818b9a
Move free track from kasan_alloc_meta to kasan_free_meta in order to make struct kasan_alloc_meta and kasan_free_meta size are both 16 bytes. It is a good size because it is the minimal redzone size and a good number of alignment. For free track, we make some modifications as shown below: 1) Remove the free_track from struct kasan_alloc_meta. 2) Add the free_track into struct kasan_free_meta. 3) Add a macro KASAN_KMALLOC_FREETRACK in order to check whether it can print free stack in KASAN report. [1]https://bugzilla.kernel.org/show_bug.cgi?id=198437 [walter-zh.wu@mediatek.com: build fix] Link: http://lkml.kernel.org/r/20200710162440.23887-1-walter-zh.wu@mediatek.com Suggested-by: Dmitry Vyukov <dvyukov@google.com> Co-developed-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Walter Wu <walter-zh.wu@mediatek.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Tested-by: Dmitry Vyukov <dvyukov@google.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Reviewed-by: Andrey Konovalov <andreyknvl@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Joel Fernandes <joel@joelfernandes.org> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Josh Triplett <josh@joshtriplett.org> Cc: Lai Jiangshan <jiangshanlai@gmail.com> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Matthias Brugger <matthias.bgg@gmail.com> Cc: "Paul E . McKenney" <paulmck@kernel.org> Link: http://lkml.kernel.org/r/20200601051022.1230-1-walter-zh.wu@mediatek.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
165 lines
4.5 KiB
C
165 lines
4.5 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* This file contains generic KASAN specific error reporting code.
|
|
*
|
|
* Copyright (c) 2014 Samsung Electronics Co., Ltd.
|
|
* Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
|
|
*
|
|
* Some code borrowed from https://github.com/xairy/kasan-prototype by
|
|
* Andrey Konovalov <andreyknvl@gmail.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
*/
|
|
|
|
#include <linux/bitops.h>
|
|
#include <linux/ftrace.h>
|
|
#include <linux/init.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/printk.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/stackdepot.h>
|
|
#include <linux/stacktrace.h>
|
|
#include <linux/string.h>
|
|
#include <linux/types.h>
|
|
#include <linux/kasan.h>
|
|
#include <linux/module.h>
|
|
|
|
#include <asm/sections.h>
|
|
|
|
#include "kasan.h"
|
|
#include "../slab.h"
|
|
|
|
void *find_first_bad_addr(void *addr, size_t size)
|
|
{
|
|
void *p = addr;
|
|
|
|
while (p < addr + size && !(*(u8 *)kasan_mem_to_shadow(p)))
|
|
p += KASAN_SHADOW_SCALE_SIZE;
|
|
return p;
|
|
}
|
|
|
|
static const char *get_shadow_bug_type(struct kasan_access_info *info)
|
|
{
|
|
const char *bug_type = "unknown-crash";
|
|
u8 *shadow_addr;
|
|
|
|
shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);
|
|
|
|
/*
|
|
* If shadow byte value is in [0, KASAN_SHADOW_SCALE_SIZE) we can look
|
|
* at the next shadow byte to determine the type of the bad access.
|
|
*/
|
|
if (*shadow_addr > 0 && *shadow_addr <= KASAN_SHADOW_SCALE_SIZE - 1)
|
|
shadow_addr++;
|
|
|
|
switch (*shadow_addr) {
|
|
case 0 ... KASAN_SHADOW_SCALE_SIZE - 1:
|
|
/*
|
|
* In theory it's still possible to see these shadow values
|
|
* due to a data race in the kernel code.
|
|
*/
|
|
bug_type = "out-of-bounds";
|
|
break;
|
|
case KASAN_PAGE_REDZONE:
|
|
case KASAN_KMALLOC_REDZONE:
|
|
bug_type = "slab-out-of-bounds";
|
|
break;
|
|
case KASAN_GLOBAL_REDZONE:
|
|
bug_type = "global-out-of-bounds";
|
|
break;
|
|
case KASAN_STACK_LEFT:
|
|
case KASAN_STACK_MID:
|
|
case KASAN_STACK_RIGHT:
|
|
case KASAN_STACK_PARTIAL:
|
|
bug_type = "stack-out-of-bounds";
|
|
break;
|
|
case KASAN_FREE_PAGE:
|
|
case KASAN_KMALLOC_FREE:
|
|
case KASAN_KMALLOC_FREETRACK:
|
|
bug_type = "use-after-free";
|
|
break;
|
|
case KASAN_ALLOCA_LEFT:
|
|
case KASAN_ALLOCA_RIGHT:
|
|
bug_type = "alloca-out-of-bounds";
|
|
break;
|
|
case KASAN_VMALLOC_INVALID:
|
|
bug_type = "vmalloc-out-of-bounds";
|
|
break;
|
|
}
|
|
|
|
return bug_type;
|
|
}
|
|
|
|
static const char *get_wild_bug_type(struct kasan_access_info *info)
|
|
{
|
|
const char *bug_type = "unknown-crash";
|
|
|
|
if ((unsigned long)info->access_addr < PAGE_SIZE)
|
|
bug_type = "null-ptr-deref";
|
|
else if ((unsigned long)info->access_addr < TASK_SIZE)
|
|
bug_type = "user-memory-access";
|
|
else
|
|
bug_type = "wild-memory-access";
|
|
|
|
return bug_type;
|
|
}
|
|
|
|
const char *get_bug_type(struct kasan_access_info *info)
|
|
{
|
|
/*
|
|
* If access_size is a negative number, then it has reason to be
|
|
* defined as out-of-bounds bug type.
|
|
*
|
|
* Casting negative numbers to size_t would indeed turn up as
|
|
* a large size_t and its value will be larger than ULONG_MAX/2,
|
|
* so that this can qualify as out-of-bounds.
|
|
*/
|
|
if (info->access_addr + info->access_size < info->access_addr)
|
|
return "out-of-bounds";
|
|
|
|
if (addr_has_shadow(info->access_addr))
|
|
return get_shadow_bug_type(info);
|
|
return get_wild_bug_type(info);
|
|
}
|
|
|
|
#define DEFINE_ASAN_REPORT_LOAD(size) \
|
|
void __asan_report_load##size##_noabort(unsigned long addr) \
|
|
{ \
|
|
kasan_report(addr, size, false, _RET_IP_); \
|
|
} \
|
|
EXPORT_SYMBOL(__asan_report_load##size##_noabort)
|
|
|
|
#define DEFINE_ASAN_REPORT_STORE(size) \
|
|
void __asan_report_store##size##_noabort(unsigned long addr) \
|
|
{ \
|
|
kasan_report(addr, size, true, _RET_IP_); \
|
|
} \
|
|
EXPORT_SYMBOL(__asan_report_store##size##_noabort)
|
|
|
|
DEFINE_ASAN_REPORT_LOAD(1);
|
|
DEFINE_ASAN_REPORT_LOAD(2);
|
|
DEFINE_ASAN_REPORT_LOAD(4);
|
|
DEFINE_ASAN_REPORT_LOAD(8);
|
|
DEFINE_ASAN_REPORT_LOAD(16);
|
|
DEFINE_ASAN_REPORT_STORE(1);
|
|
DEFINE_ASAN_REPORT_STORE(2);
|
|
DEFINE_ASAN_REPORT_STORE(4);
|
|
DEFINE_ASAN_REPORT_STORE(8);
|
|
DEFINE_ASAN_REPORT_STORE(16);
|
|
|
|
void __asan_report_load_n_noabort(unsigned long addr, size_t size)
|
|
{
|
|
kasan_report(addr, size, false, _RET_IP_);
|
|
}
|
|
EXPORT_SYMBOL(__asan_report_load_n_noabort);
|
|
|
|
void __asan_report_store_n_noabort(unsigned long addr, size_t size)
|
|
{
|
|
kasan_report(addr, size, true, _RET_IP_);
|
|
}
|
|
EXPORT_SYMBOL(__asan_report_store_n_noabort);
|