| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Jun 2019 01:46:39 +0800
From: Walter Wu <walter-zh.wu@...iatek.com>
To: Andrey Ryabinin <aryabinin@...tuozzo.com>
CC: Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Christoph Lameter <cl@...ux.com>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Matthias Brugger <matthias.bgg@...il.com>,
"Martin Schwidefsky" <schwidefsky@...ibm.com>,
Arnd Bergmann <arnd@...db.de>,
"Vasily Gorbik" <gor@...ux.ibm.com>,
Andrey Konovalov <andreyknvl@...gle.com>,
"Jason A . Donenfeld" <Jason@...c4.com>,
Miles Chen <miles.chen@...iatek.com>,
<kasan-dev@...glegroups.com>, <linux-kernel@...r.kernel.org>,
<linux-mm@...ck.org>, <linux-arm-kernel@...ts.infradead.org>,
<linux-mediatek@...ts.infradead.org>, <wsd_upstream@...iatek.com>
Subject: Re: [PATCH v3] kasan: add memory corruption identification for
software tag-based mode
On Thu, 2019-06-13 at 15:27 +0300, Andrey Ryabinin wrote:
>
> On 6/13/19 11:13 AM, Walter Wu wrote:
> > This patch adds memory corruption identification at bug report for
> > software tag-based mode, the report show whether it is "use-after-free"
> > or "out-of-bound" error instead of "invalid-access" error.This will make
> > it easier for programmers to see the memory corruption problem.
> >
> > Now we extend the quarantine to support both generic and tag-based kasan.
> > For tag-based kasan, the quarantine stores only freed object information
> > to check if an object is freed recently. When tag-based kasan reports an
> > error, we can check if the tagged addr is in the quarantine and make a
> > good guess if the object is more like "use-after-free" or "out-of-bound".
> >
>
>
> We already have all the information and don't need the quarantine to make such guess.
> Basically if shadow of the first byte of object has the same tag as tag in pointer than it's out-of-bounds,
> otherwise it's use-after-free.
>
> In pseudo-code it's something like this:
>
> u8 object_tag = *(u8 *)kasan_mem_to_shadow(nearest_object(cacche, page, access_addr));
>
> if (access_addr_tag == object_tag && object_tag != KASAN_TAG_INVALID)
> // out-of-bounds
> else
> // use-after-free
Thanks your explanation.
I see, we can use it to decide corruption type.
But some use-after-free issues, it may not have accurate free-backtrace.
Unfortunately in that situation, free-backtrace is the most important.
please see below example
In generic KASAN, it gets accurate free-backrace(ptr1).
In tag-based KASAN, it gets wrong free-backtrace(ptr2). It will make
programmer misjudge, so they may not believe tag-based KASAN.
So We provide this patch, we hope tag-based KASAN bug report is the same
accurate with generic KASAN.
---
ptr1 = kmalloc(size, GFP_KERNEL);
ptr1_free(ptr1);
ptr2 = kmalloc(size, GFP_KERNEL);
ptr2_free(ptr2);
ptr1[size] = 'x'; //corruption here
static noinline void ptr1_free(char* ptr)
{
kfree(ptr);
}
static noinline void ptr2_free(char* ptr)
{
kfree(ptr);
}
---
Powered by blists - more mailing lists