| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 May 2020 13:21:55 +0800
From: Walter Wu <walter-zh.wu@...iatek.com>
To: Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Matthias Brugger <matthias.bgg@...il.com>
CC: <kasan-dev@...glegroups.com>, <linux-mm@...ck.org>,
<linux-kernel@...r.kernel.org>,
<linux-arm-kernel@...ts.infradead.org>,
wsd_upstream <wsd_upstream@...iatek.com>,
<linux-mediatek@...ts.infradead.org>,
Walter Wu <walter-zh.wu@...iatek.com>
Subject: [PATCH 2/3] kasan: record and print the free track
We add new KASAN_RCU_STACK_RECORD configuration option. It will move
free track from slub meta-data (struct kasan_alloc_meta) into freed object.
Because we hope this options doesn't enlarge slub meta-data size.
This option doesn't enlarge struct kasan_alloc_meta size.
- add two call_rcu() call stack into kasan_alloc_meta, size is 8 bytes.
- remove free track from kasan_alloc_meta, size is 8 bytes.
This option is only suitable for generic KASAN, because we move free track
into the freed object, so free track is valid information only when it
exists in quarantine. If the object is in-use state, then the KASAN report
doesn't print call_rcu() free track information.
[1]https://bugzilla.kernel.org/show_bug.cgi?id=198437
Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com>
Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Alexander Potapenko <glider@...gle.com>
---
mm/kasan/common.c | 10 +++++++++-
mm/kasan/report.c | 24 +++++++++++++++++++++---
2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index 32d422bdf127..13ec03e225a7 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -321,8 +321,15 @@ void kasan_record_callrcu(void *addr)
/* record last call_rcu() call stack */
alloc_info->rcu_free_stack[1] = save_stack(GFP_NOWAIT);
}
-#endif
+static void kasan_set_free_info(struct kmem_cache *cache,
+ void *object, u8 tag)
+{
+ /* store free track into freed object */
+ set_track((struct kasan_track *)(object + BYTES_PER_WORD), GFP_NOWAIT);
+}
+
+#else
static void kasan_set_free_info(struct kmem_cache *cache,
void *object, u8 tag)
{
@@ -339,6 +346,7 @@ static void kasan_set_free_info(struct kmem_cache *cache,
set_track(&alloc_meta->free_track[idx], GFP_NOWAIT);
}
+#endif
void kasan_poison_slab(struct page *page)
{
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 7aaccc70b65b..f2b0c6b9dffa 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -175,8 +175,23 @@ static void kasan_print_rcu_free_stack(struct kasan_alloc_meta *alloc_info)
print_track(&free_track, "Last call_rcu() call stack", true);
pr_err("\n");
}
-#endif
+static struct kasan_track *kasan_get_free_track(struct kmem_cache *cache,
+ void *object, u8 tag, const void *addr)
+{
+ u8 *shadow_addr = (u8 *)kasan_mem_to_shadow(addr);
+
+ /*
+ * Only the freed object can get free track,
+ * because free track information is stored to freed object.
+ */
+ if (*shadow_addr == KASAN_KMALLOC_FREE)
+ return (struct kasan_track *)(object + BYTES_PER_WORD);
+ else
+ return NULL;
+}
+
+#else
static struct kasan_track *kasan_get_free_track(struct kmem_cache *cache,
void *object, u8 tag, const void *addr)
{
@@ -196,6 +211,7 @@ static struct kasan_track *kasan_get_free_track(struct kmem_cache *cache,
return &alloc_meta->free_track[i];
}
+#endif
static void describe_object(struct kmem_cache *cache, void *object,
const void *addr, u8 tag)
@@ -208,8 +224,10 @@ static void describe_object(struct kmem_cache *cache, void *object,
print_track(&alloc_info->alloc_track, "Allocated", false);
pr_err("\n");
free_track = kasan_get_free_track(cache, object, tag, addr);
- print_track(free_track, "Freed", false);
- pr_err("\n");
+ if (free_track) {
+ print_track(free_track, "Freed", false);
+ pr_err("\n");
+ }
#ifdef CONFIG_KASAN_RCU_STACK_RECORD
kasan_print_rcu_free_stack(alloc_info);
#endif
--
2.18.0
Powered by blists - more mailing lists