Message-ID: <CAG_fn=UBWge=QGeB+XQRtuFkzqWbrA8_FJsrwhihhwkrzt8DoQ@mail.gmail.com>
Date: Wed, 7 Aug 2024 10:27:03 +0200
From: Alexander Potapenko <glider@...gle.com>
To: Marco Elver <elver@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>, Andrey Konovalov <andreyknvl@...il.com>,
Dmitry Vyukov <dvyukov@...gle.com>, Jann Horn <jannh@...gle.com>, kasan-dev@...glegroups.com,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH] kfence: introduce burst mode
On Mon, Aug 5, 2024 at 2:43 PM Marco Elver <elver@...gle.com> wrote:
>
> Introduce burst mode, which can be configured with kfence.burst=$count,
> where the burst count denotes the additional successive slab allocations
> to be allocated through KFENCE for each sample interval.
>
> The idea is that this can give developers an additional knob to make
> KFENCE more aggressive when debugging specific issues of systems where
> either rebooting or recompiling the kernel with KASAN is not possible.
>
> Experiment: To assess the effectiveness of the new option, we randomly
> picked a recent out-of-bounds [1] and use-after-free bug [2], each with
> a reproducer provided by syzbot, that initially detected these bugs with
> KASAN. We then tried to reproduce the bugs with KFENCE below.
>
> [1] Fixed by: 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr")
> https://syzkaller.appspot.com/bug?id=9d1b59d4718239da6f6069d3891863c25f9f24a2
> [2] Fixed by: f8ad00f3fb2a ("l2tp: fix possible UAF when cleaning up tunnels")
> https://syzkaller.appspot.com/bug?id=4f34adc84f4a3b080187c390eeef60611fd450e1
>
> The following KFENCE configs were compared. A pool size of 1023 objects
> was used for all configurations.
>
> Baseline
> kfence.sample_interval=100
> kfence.skip_covered_thresh=75
> kfence.burst=0
>
> Aggressive
> kfence.sample_interval=1
> kfence.skip_covered_thresh=10
> kfence.burst=0
>
> AggressiveBurst
> kfence.sample_interval=1
> kfence.skip_covered_thresh=10
> kfence.burst=1000
>
> Each reproducer was run 10 times (after a fresh reboot), with the
> following detection counts for each KFENCE config:
>
>                   | Detection Count out of 10 |
>                   |  OOB [1]    |  UAF [2]    |
> ------------------+-------------+-------------+
> Default           |     0/10    |     0/10    |
> Aggressive        |     0/10    |     0/10    |
> AggressiveBurst   |     8/10    |     8/10    |
>
> With the Default and even the Aggressive configs the results are
> unsurprising, given KFENCE has not been designed for deterministic bug
> detection of small test cases.
>
> However, when enabling burst mode with relatively large burst count,
> KFENCE can start to detect heap memory-safety bugs even in simpler test
> cases with high probability (in the above cases with ~80% probability).
>
> Signed-off-by: Marco Elver <elver@...gle.com>
Reviewed-by: Alexander Potapenko <glider@...gle.com>
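The quoted commit message defines the burst count as the number of additional successive slab allocations routed through KFENCE per sample interval. The following is an added illustrative model of that allocation gate, written for this thread and not taken from mm/kfence/core.c: a timer tick opens the gate once per sample interval, the first `1 + burst` allocation requests after that are "sampled" into the KFENCE pool, and the rest fall through to the normal slab allocator. The model deliberately ignores pool exhaustion (the 1023-object pool in the experiment) and `skip_covered_thresh`, so its counts are upper bounds on what the real gate would sample; the workload sizes are constructed.

```c
/* Illustrative model of the KFENCE allocation gate with a burst count.
 * Added example, not kernel code: it mirrors the semantics described in
 * the commit message (one sampled allocation per sample interval, plus
 * `burst` additional successive ones) with a plain counter. Pool size and
 * skip_covered_thresh are intentionally not modelled. */
#include <stdio.h>
#include <stdbool.h>

struct kfence_model {
    unsigned int burst;          /* kfence.burst: extra allocations per interval */
    unsigned int gate;           /* allocations claimed since the gate last opened */
    unsigned long kfence_allocs; /* total allocations served from the KFENCE pool */
    unsigned long slab_allocs;   /* total allocations that went to the normal slab */
};

/* Called once per sample interval (the kernel does this from a timer). */
static void model_timer_tick(struct kfence_model *m)
{
    m->gate = 0;
}

/* Decide whether one allocation request goes through KFENCE.
 * The first 1 + burst requests after the gate opens are sampled;
 * everything after that goes to the slab allocator until the next tick. */
static bool model_alloc(struct kfence_model *m)
{
    if (m->gate >= 1 + m->burst) {
        m->slab_allocs++;
        return false;
    }
    m->gate++;
    m->kfence_allocs++;
    return true;
}

/* Run `intervals` sample intervals, each seeing `allocs_per_interval`
 * allocation requests, and return how many were served by KFENCE. */
unsigned long model_run(unsigned int burst, unsigned int intervals,
                        unsigned int allocs_per_interval)
{
    struct kfence_model m = { .burst = burst };

    for (unsigned int i = 0; i < intervals; i++) {
        model_timer_tick(&m);
        for (unsigned int a = 0; a < allocs_per_interval; a++)
            model_alloc(&m);
    }
    return m.kfence_allocs;
}

int main(void)
{
    /* Constructed workload: 10 sample intervals of 5000 allocation requests. */
    printf("burst=0    -> %lu KFENCE allocations\n", model_run(0, 10, 5000));
    printf("burst=1000 -> %lu KFENCE allocations\n", model_run(1000, 10, 5000));
    /* When fewer requests arrive than 1 + burst, the interval's sampled
     * count is capped by the requests, not by the burst value. */
    printf("burst=3, 2 requests -> %lu KFENCE allocations\n", model_run(3, 1, 2));
    return 0;
}
```

With `burst=0` the model samples exactly one allocation per interval, which is the baseline behaviour; with `burst=1000` it samples 1001 per interval, a thousandfold increase in the fraction of the heap covered by guarded objects for the same `sample_interval`. That is the mechanism behind the jump from 0/10 to 8/10 detections in the quoted table, with the caveat that the real pool of 1023 objects bounds how many of those sampled allocations can actually be live at once.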