| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20241021195714.50473-1-niharchaithanya@gmail.com>
Date: Tue, 22 Oct 2024 01:27:15 +0530
From: Nihar Chaithanya <niharchaithanya@...il.com>
To: ryabinin.a.a@...il.com
Cc: glider@...gle.com,
andreyknvl@...il.com,
dvyukov@...gle.com,
elver@...gle.com,
skhan@...uxfoundation.org,
kasan-dev@...glegroups.com,
linux-kernel@...r.kernel.org,
Nihar Chaithanya <niharchaithanya@...il.com>
Subject: [PATCH v2] kasan:report: filter out kasan related stack entries
The reports of KASAN include KASAN related stack frames which are not
the point of interest in the stack-trace. KCSAN report filters out such
internal frames providing relevant stack trace. Currently, KASAN reports
are generated by dump_stack_lvl() which prints the entire stack.
Add functionality to KASAN reports to save the stack entries and filter
out the kasan related stack frames in place of dump_stack_lvl() and
stack_depot_print().
Within this new functionality:
- A function kasan_dump_stack_lvl() in place of dump_stack_lvl() is
created which contains functionality for saving, filtering and
printing the stack-trace.
- A function kasan_stack_depot_print() in place of
stack_depot_print() is created which contains functionality for
filtering and printing the stack-trace.
- The get_stack_skipnr() function is included to get the number of
stack entries to be skipped for filtering the stack-trace.
Signed-off-by: Nihar Chaithanya <niharchaithanya@...il.com>
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=215756
---
Changes in v2:
- Changed the function name from save_stack_lvl_kasan() to
kasan_dump_stack_lvl().
- Added filtering of stack frames for print_track() with
kasan_stack_depot_print().
- Removed redundant print_stack_trace(), and instead using
stack_trace_print() directly.
- Removed sanitize_stack_entries() and replace_stack_entry()
functions.
- Increased the buffer size in get_stack_skipnr to 128.
Note:
When using sanitize_stack_entries() the output was innacurate for free and
alloc tracks, because of the missing ip value in print_track().
The buffer size in get_stack_skipnr() is increase as it was too small when
testing with some KASAN uaf bugs which included free and alloc tracks.
mm/kasan/report.c | 62 ++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 56 insertions(+), 6 deletions(-)
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index b48c768acc84..e00cf764693c 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -261,6 +261,59 @@ static void print_error_description(struct kasan_report_info *info)
info->access_addr, current->comm, task_pid_nr(current));
}
+/* Helper to skip KASAN-related functions in stack-trace. */
+static int get_stack_skipnr(const unsigned long stack_entries[], int num_entries)
+{
+ char buf[128];
+ int len, skip;
+
+ for (skip = 0; skip < num_entries; ++skip) {
+ len = scnprintf(buf, sizeof(buf), "%ps", (void *)stack_entries[skip]);
+
+ /* Never show kasan_* functions. */
+ if (strnstr(buf, "kasan_", len) == buf)
+ continue;
+ /*
+ * No match for runtime functions -- @skip entries to skip to
+ * get to first frame of interest.
+ */
+ break;
+ }
+
+ return skip;
+}
+
+/*
+ * Use in place of stack_dump_lvl to filter KASAN related functions in
+ * stack_trace.
+ */
+static void kasan_dump_stack_lvl(void)
+{
+ unsigned long stack_entries[KASAN_STACK_DEPTH] = { 0 };
+ int num_stack_entries = stack_trace_save(stack_entries, KASAN_STACK_DEPTH, 1);
+ int skipnr = get_stack_skipnr(stack_entries, num_stack_entries);
+
+ dump_stack_print_info(KERN_ERR);
+ stack_trace_print(stack_entries + skipnr, num_stack_entries - skipnr, 0);
+ pr_err("\n");
+}
+
+/*
+ * Use in place of stack_depot_print to filter KASAN related functions in
+ * stack_trace.
+ */
+static void kasan_stack_depot_print(depot_stack_handle_t stack)
+{
+ unsigned long *entries;
+ unsigned int nr_entries;
+
+ nr_entries = stack_depot_fetch(stack, &entries);
+ int skipnr = get_stack_skipnr(entries, nr_entries);
+
+ if (nr_entries > 0)
+ stack_trace_print(entries + skipnr, nr_entries - skipnr, 0);
+}
+
static void print_track(struct kasan_track *track, const char *prefix)
{
#ifdef CONFIG_KASAN_EXTRA_INFO
@@ -277,7 +330,7 @@ static void print_track(struct kasan_track *track, const char *prefix)
pr_err("%s by task %u:\n", prefix, track->pid);
#endif /* CONFIG_KASAN_EXTRA_INFO */
if (track->stack)
- stack_depot_print(track->stack);
+ kasan_stack_depot_print(track->stack);
else
pr_err("(stack is not available)\n");
}
@@ -374,9 +427,6 @@ static void print_address_description(void *addr, u8 tag,
{
struct page *page = addr_to_page(addr);
- dump_stack_lvl(KERN_ERR);
- pr_err("\n");
-
if (info->cache && info->object) {
describe_object(addr, info);
pr_err("\n");
@@ -484,11 +534,11 @@ static void print_report(struct kasan_report_info *info)
kasan_print_tags(tag, info->first_bad_addr);
pr_err("\n");
+ kasan_dump_stack_lvl();
+
if (addr_has_metadata(addr)) {
print_address_description(addr, tag, info);
print_memory_metadata(info->first_bad_addr);
- } else {
- dump_stack_lvl(KERN_ERR);
}
}
--
2.34.1
Powered by blists - more mailing lists