[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <89492159bd43c01f7b13a72b050ff15f35e04973.1655150842.git.andreyknvl@google.com>
Date: Mon, 13 Jun 2022 22:14:23 +0200
From: andrey.konovalov@...ux.dev
To: Marco Elver <elver@...gle.com>,
Alexander Potapenko <glider@...gle.com>
Cc: Andrey Konovalov <andreyknvl@...il.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Andrey Ryabinin <ryabinin.a.a@...il.com>,
kasan-dev@...glegroups.com, Peter Collingbourne <pcc@...gle.com>,
Evgenii Stepanov <eugenis@...gle.com>,
Florian Mayer <fmayer@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org,
Andrey Konovalov <andreyknvl@...gle.com>
Subject: [PATCH 32/32] kasan: better identify bug types for tag-based modes
From: Andrey Konovalov <andreyknvl@...gle.com>
Identify the bug type for the tag-based modes based on the stack trace
entries found in the stack ring.
If a free entry is found first (meaning that it was added last), mark the
bug as use-after-free. If an alloc entry is found first, mark the bug as
slab-out-of-bounds. Otherwise, assign the common bug type.
This change returns the functionalify of the previously dropped
CONFIG_KASAN_TAGS_IDENTIFY.
Signed-off-by: Andrey Konovalov <andreyknvl@...gle.com>
---
mm/kasan/report_tags.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/mm/kasan/report_tags.c b/mm/kasan/report_tags.c
index 21911d1883d3..dc1f8fc0327f 100644
--- a/mm/kasan/report_tags.c
+++ b/mm/kasan/report_tags.c
@@ -10,7 +10,7 @@
extern struct kasan_stack_ring stack_ring;
-static const char *get_bug_type(struct kasan_report_info *info)
+static const char *get_common_bug_type(struct kasan_report_info *info)
{
/*
* If access_size is a negative number, then it has reason to be
@@ -36,10 +36,10 @@ void kasan_complete_mode_report_info(struct kasan_report_info *info)
bool is_free;
bool alloc_found = false, free_found = false;
- info->bug_type = get_bug_type(info);
-
- if (!info->cache || !info->object)
+ if (!info->cache || !info->object) {
+ info->bug_type = get_common_bug_type(info);
return;
+ }
pos = atomic64_read(&stack_ring.pos);
@@ -76,6 +76,13 @@ void kasan_complete_mode_report_info(struct kasan_report_info *info)
info->free_track.pid = pid;
info->free_track.stack = stack;
free_found = true;
+
+ /*
+ * If a free entry is found first, the bug is likely
+ * a use-after-free.
+ */
+ if (!info->bug_type)
+ info->bug_type = "use-after-free";
} else {
/* Second alloc of the same object. Give up. */
if (alloc_found)
@@ -84,6 +91,17 @@ void kasan_complete_mode_report_info(struct kasan_report_info *info)
info->alloc_track.pid = pid;
info->alloc_track.stack = stack;
alloc_found = true;
+
+ /*
+ * If an alloc entry is found first, the bug is likely
+ * an out-of-bounds.
+ */
+ if (!info->bug_type)
+ info->bug_type = "slab-out-of-bounds";
}
}
+
+ /* Assign the common bug type if no entries were found. */
+ if (!info->bug_type)
+ info->bug_type = get_common_bug_type(info);
}
--
2.25.1
Powered by blists - more mailing lists