This patch series adds support for building KASAN-enabled kernels with clang.
This mostly involves adding callbacks for a couple of new features in LLVM's
AddressSanitizer implementation. We also need to probe for the (slightly
different) CFLAGS used to configure ASAN with clang.
*** BLURB HERE ***
Alexander Potapenko (1):
kasan: added functions for unpoisoning stack variables
Greg Hackmann (3):
kasan: support alloca() poisoning
kasan: support LLVM-style asan parameters
kasan: add compiler support for clang
include/linux/compiler-clang.h | 10 ++++++++++
lib/test_kasan.c | 22 ++++++++++++++++++++++
mm/kasan/kasan.c | 41 +++++++++++++++++++++++++++++++++++++++++
mm/kasan/kasan.h | 8 ++++++++
mm/kasan/report.c | 3 +++
scripts/Makefile.kasan | 10 +++++++++-
6 files changed, 93 insertions(+), 1 deletion(-)
--
2.13.2.725.g09c95d1e9-goog
clang's AddressSanitizer implementation adds redzones on either side of
alloca()ed buffers. These redzones are 32-byte aligned and at least 32
bytes long.
__asan_alloca_poison() is passed the size and address of the allocated
buffer, *excluding* the redzones on either side. The left redzone will
always be to the immediate left of this buffer; but AddressSanitizer may
need to add padding between the end of the buffer and the right redzone.
If there are any 8-byte chunks inside this padding, we should poison
those too.
__asan_allocas_unpoison() is just passed the top and bottom of the
dynamic stack area, so unpoisoning is simpler.
Signed-off-by: Greg Hackmann <[email protected]>
---
lib/test_kasan.c | 22 ++++++++++++++++++++++
mm/kasan/kasan.c | 26 ++++++++++++++++++++++++++
mm/kasan/kasan.h | 8 ++++++++
mm/kasan/report.c | 3 +++
4 files changed, 59 insertions(+)
diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index a25c9763fce1..f774fcafb696 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -473,6 +473,26 @@ static noinline void __init use_after_scope_test(void)
p[1023] = 1;
}
+static noinline void __init kasan_alloca_oob_left(void)
+{
+ volatile int i = 10;
+ char alloca_array[i];
+ char *p = alloca_array - 1;
+
+ pr_info("out-of-bounds to left on alloca\n");
+ *(volatile char *)p;
+}
+
+static noinline void __init kasan_alloca_oob_right(void)
+{
+ volatile int i = 10;
+ char alloca_array[i];
+ char *p = alloca_array + round_up(i, 8);
+
+ pr_info("out-of-bounds to right on alloca\n");
+ *(volatile char *)p;
+}
+
static int __init kmalloc_tests_init(void)
{
/*
@@ -503,6 +523,8 @@ static int __init kmalloc_tests_init(void)
memcg_accounted_kmem_cache();
kasan_stack_oob();
kasan_global_oob();
+ kasan_alloca_oob_left();
+ kasan_alloca_oob_right();
ksize_unpoisons_memory();
copy_user_test();
use_after_scope_test();
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index c81549d5c833..892b626f564b 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -802,6 +802,32 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size)
}
EXPORT_SYMBOL(__asan_unpoison_stack_memory);
+/* Emitted by compiler to poison alloca()ed objects. */
+void __asan_alloca_poison(unsigned long addr, size_t size)
+{
+ size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
+ size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) -
+ round_up(size, KASAN_SHADOW_SCALE_SIZE);
+
+ const void *left_redzone = (const void *)(addr -
+ KASAN_ALLOCA_REDZONE_SIZE);
+ const void *right_redzone = (const void *)(addr + rounded_up_size);
+
+ kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
+ KASAN_ALLOCA_LEFT);
+ kasan_poison_shadow(right_redzone,
+ padding_size + KASAN_ALLOCA_REDZONE_SIZE,
+ KASAN_ALLOCA_RIGHT);
+}
+EXPORT_SYMBOL(__asan_alloca_poison);
+
+/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */
+void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
+{
+ kasan_unpoison_shadow(stack_top, stack_bottom - stack_top);
+}
+EXPORT_SYMBOL(__asan_allocas_unpoison);
+
#ifdef CONFIG_MEMORY_HOTPLUG
static int kasan_mem_notifier(struct notifier_block *nb,
unsigned long action, void *data)
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index 1229298cce64..b857dc70d6a2 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -23,6 +23,14 @@
#define KASAN_STACK_PARTIAL 0xF4
#define KASAN_USE_AFTER_SCOPE 0xF8
+/*
+ * alloca redzone shadow values
+ */
+#define KASAN_ALLOCA_LEFT 0xCA
+#define KASAN_ALLOCA_RIGHT 0xCB
+
+#define KASAN_ALLOCA_REDZONE_SIZE 32
+
/* Don't break randconfig/all*config builds */
#ifndef KASAN_ABI_VERSION
#define KASAN_ABI_VERSION 1
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index beee0e980e2d..c6a5b7ab9e3a 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -101,6 +101,9 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
break;
case KASAN_USE_AFTER_SCOPE:
bug_type = "use-after-scope";
+ case KASAN_ALLOCA_LEFT:
+ case KASAN_ALLOCA_RIGHT:
+ bug_type = "alloca-out-of-bounds";
break;
}
--
2.13.2.725.g09c95d1e9-goog
Use cc-option to figure out whether the compiler's sanitizer uses
LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters
("--param asan-foo=bar").
Signed-off-by: Greg Hackmann <[email protected]>
---
scripts/Makefile.kasan | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
index 9576775a86f6..b66ae4b4546b 100644
--- a/scripts/Makefile.kasan
+++ b/scripts/Makefile.kasan
@@ -9,11 +9,19 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET)
CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address
-CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \
+CFLAGS_KASAN_GCC := $(call cc-option, -fsanitize=kernel-address \
-fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \
--param asan-stack=1 --param asan-globals=1 \
--param asan-instrumentation-with-call-threshold=$(call_threshold))
+CFLAGS_KASAN_LLVM := $(call cc-option, -fsanitize=kernel-address \
+ -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET) \
+ -mllvm -asan-stack=1 -mllvm -asan-globals=1 \
+ -mllvm -asan-use-after-scope=1 \
+ -mllvm -asan-instrumentation-with-call-threshold=$(call_threshold))
+
+CFLAGS_KASAN := $(CFLAGS_KASAN_GCC) $(CFLAGS_KASAN_LLVM)
+
ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),)
ifneq ($(CONFIG_COMPILE_TEST),y)
$(warning Cannot use CONFIG_KASAN: \
--
2.13.2.725.g09c95d1e9-goog
From: Alexander Potapenko <[email protected]>
As a code-size optimization, LLVM builds since r279383 may
bulk-manipulate the shadow region when (un)poisoning large memory
blocks. This requires new callbacks that simply do an uninstrumented
memset().
This fixes linking the Clang-built kernel when using KASAN.
Signed-off-by: Alexander Potapenko <[email protected]>
[[email protected]: fix memset() parameters, and tweak
commit message to describe new callbacks]
Signed-off-by: Greg Hackmann <[email protected]>
---
mm/kasan/kasan.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 892b626f564b..89911e5c69f9 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -828,6 +828,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
}
EXPORT_SYMBOL(__asan_allocas_unpoison);
+/* Emitted by the compiler to [un]poison local variables. */
+#define DEFINE_ASAN_SET_SHADOW(byte) \
+ void __asan_set_shadow_##byte(const void *addr, size_t size) \
+ { \
+ __memset((void *)addr, 0x##byte, size); \
+ } \
+ EXPORT_SYMBOL(__asan_set_shadow_##byte)
+
+DEFINE_ASAN_SET_SHADOW(00);
+DEFINE_ASAN_SET_SHADOW(f1);
+DEFINE_ASAN_SET_SHADOW(f2);
+DEFINE_ASAN_SET_SHADOW(f3);
+DEFINE_ASAN_SET_SHADOW(f5);
+DEFINE_ASAN_SET_SHADOW(f8);
+
#ifdef CONFIG_MEMORY_HOTPLUG
static int kasan_mem_notifier(struct notifier_block *nb,
unsigned long action, void *data)
--
2.13.2.725.g09c95d1e9-goog
For now we can hard-code ASAN ABI level 5, since historical clang builds
can't build the kernel anyway. We also need to emulate gcc's
__SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented.
Signed-off-by: Greg Hackmann <[email protected]>
---
include/linux/compiler-clang.h | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index d614c5ea1b5e..8153f793b22a 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -23,3 +23,13 @@
*/
#undef inline
#define inline inline __attribute__((unused)) notrace
+
+/* all clang versions usable with the kernel support KASAN ABI version 5
+ */
+#define KASAN_ABI_VERSION 5
+
+/* emulate gcc's __SANITIZE_ADDRESS__ flag
+ */
+#if __has_feature(address_sanitizer)
+#define __SANITIZE_ADDRESS__
+#endif
--
2.13.2.725.g09c95d1e9-goog
On 07/06/2017 03:01 PM, Greg Hackmann wrote:
> @@ -101,6 +101,9 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
> break;
> case KASAN_USE_AFTER_SCOPE:
> bug_type = "use-after-scope";
> + case KASAN_ALLOCA_LEFT:
> + case KASAN_ALLOCA_RIGHT:
> + bug_type = "alloca-out-of-bounds";
> break;
> }
There needs to be a "break" above the new case statements. I'll wait to
see if there's any other feedback, then send out a V2 patch that fixes this.
On Fri, Jul 7, 2017 at 12:01 AM, Greg Hackmann <[email protected]> wrote:
> clang's AddressSanitizer implementation adds redzones on either side of
> alloca()ed buffers. These redzones are 32-byte aligned and at least 32
> bytes long.
>
> __asan_alloca_poison() is passed the size and address of the allocated
> buffer, *excluding* the redzones on either side. The left redzone will
> always be to the immediate left of this buffer; but AddressSanitizer may
> need to add padding between the end of the buffer and the right redzone.
> If there are any 8-byte chunks inside this padding, we should poison
> those too.
>
> __asan_allocas_unpoison() is just passed the top and bottom of the
> dynamic stack area, so unpoisoning is simpler.
>
> Signed-off-by: Greg Hackmann <[email protected]>
> ---
> lib/test_kasan.c | 22 ++++++++++++++++++++++
> mm/kasan/kasan.c | 26 ++++++++++++++++++++++++++
> mm/kasan/kasan.h | 8 ++++++++
> mm/kasan/report.c | 3 +++
> 4 files changed, 59 insertions(+)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index a25c9763fce1..f774fcafb696 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -473,6 +473,26 @@ static noinline void __init use_after_scope_test(void)
> p[1023] = 1;
> }
>
> +static noinline void __init kasan_alloca_oob_left(void)
> +{
> + volatile int i = 10;
> + char alloca_array[i];
> + char *p = alloca_array - 1;
> +
> + pr_info("out-of-bounds to left on alloca\n");
> + *(volatile char *)p;
> +}
> +
> +static noinline void __init kasan_alloca_oob_right(void)
> +{
> + volatile int i = 10;
> + char alloca_array[i];
> + char *p = alloca_array + round_up(i, 8);
> +
> + pr_info("out-of-bounds to right on alloca\n");
> + *(volatile char *)p;
> +}
> +
> static int __init kmalloc_tests_init(void)
> {
> /*
> @@ -503,6 +523,8 @@ static int __init kmalloc_tests_init(void)
> memcg_accounted_kmem_cache();
> kasan_stack_oob();
> kasan_global_oob();
> + kasan_alloca_oob_left();
> + kasan_alloca_oob_right();
> ksize_unpoisons_memory();
> copy_user_test();
> use_after_scope_test();
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index c81549d5c833..892b626f564b 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -802,6 +802,32 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size)
> }
> EXPORT_SYMBOL(__asan_unpoison_stack_memory);
>
> +/* Emitted by compiler to poison alloca()ed objects. */
> +void __asan_alloca_poison(unsigned long addr, size_t size)
> +{
> + size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
> + size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) -
> + round_up(size, KASAN_SHADOW_SCALE_SIZE);
Perhaps s/round_up(size, KASAN_SHADOW_SCALE_SIZE)/rounded_up_size/
because we already calculated that.
> +
> + const void *left_redzone = (const void *)(addr -
> + KASAN_ALLOCA_REDZONE_SIZE);
> + const void *right_redzone = (const void *)(addr + rounded_up_size);
Please check that size is rounded to KASAN_ALLOCA_REDZONE_SIZE. That's
the expectation, right? That can change is clang silently.
> + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
> + KASAN_ALLOCA_LEFT);
> + kasan_poison_shadow(right_redzone,
> + padding_size + KASAN_ALLOCA_REDZONE_SIZE,
> + KASAN_ALLOCA_RIGHT);
We also need to poison the unaligned part at the end of the object
from size to rounded_up_size. You can see how we do it for heap
objects.
> +}
> +EXPORT_SYMBOL(__asan_alloca_poison);
> +/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */
> +void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
> +{
> + kasan_unpoison_shadow(stack_top, stack_bottom - stack_top);
> +}
> +EXPORT_SYMBOL(__asan_allocas_unpoison);
> +
> #ifdef CONFIG_MEMORY_HOTPLUG
> static int kasan_mem_notifier(struct notifier_block *nb,
> unsigned long action, void *data)
> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
> index 1229298cce64..b857dc70d6a2 100644
> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -23,6 +23,14 @@
> #define KASAN_STACK_PARTIAL 0xF4
> #define KASAN_USE_AFTER_SCOPE 0xF8
>
> +/*
> + * alloca redzone shadow values
> + */
> +#define KASAN_ALLOCA_LEFT 0xCA
> +#define KASAN_ALLOCA_RIGHT 0xCB
> +
> +#define KASAN_ALLOCA_REDZONE_SIZE 32
> +
> /* Don't break randconfig/all*config builds */
> #ifndef KASAN_ABI_VERSION
> #define KASAN_ABI_VERSION 1
> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
> index beee0e980e2d..c6a5b7ab9e3a 100644
> --- a/mm/kasan/report.c
> +++ b/mm/kasan/report.c
> @@ -101,6 +101,9 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
> break;
> case KASAN_USE_AFTER_SCOPE:
> bug_type = "use-after-scope";
> + case KASAN_ALLOCA_LEFT:
> + case KASAN_ALLOCA_RIGHT:
> + bug_type = "alloca-out-of-bounds";
> break;
> }
>
> --
> 2.13.2.725.g09c95d1e9-goog
>
On Fri, Jul 7, 2017 at 12:01 AM, Greg Hackmann <[email protected]> wrote:
> From: Alexander Potapenko <[email protected]>
>
> As a code-size optimization, LLVM builds since r279383 may
> bulk-manipulate the shadow region when (un)poisoning large memory
> blocks. This requires new callbacks that simply do an uninstrumented
> memset().
>
> This fixes linking the Clang-built kernel when using KASAN.
>
> Signed-off-by: Alexander Potapenko <[email protected]>
> [[email protected]: fix memset() parameters, and tweak
> commit message to describe new callbacks]
> Signed-off-by: Greg Hackmann <[email protected]>
> ---
> mm/kasan/kasan.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index 892b626f564b..89911e5c69f9 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -828,6 +828,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
> }
> EXPORT_SYMBOL(__asan_allocas_unpoison);
>
> +/* Emitted by the compiler to [un]poison local variables. */
> +#define DEFINE_ASAN_SET_SHADOW(byte) \
> + void __asan_set_shadow_##byte(const void *addr, size_t size) \
> + { \
> + __memset((void *)addr, 0x##byte, size); \
> + } \
> + EXPORT_SYMBOL(__asan_set_shadow_##byte)
> +
> +DEFINE_ASAN_SET_SHADOW(00);
> +DEFINE_ASAN_SET_SHADOW(f1);
> +DEFINE_ASAN_SET_SHADOW(f2);
> +DEFINE_ASAN_SET_SHADOW(f3);
> +DEFINE_ASAN_SET_SHADOW(f5);
> +DEFINE_ASAN_SET_SHADOW(f8);
> +
> #ifdef CONFIG_MEMORY_HOTPLUG
> static int kasan_mem_notifier(struct notifier_block *nb,
> unsigned long action, void *data)
Reviewed-by: Dmitry Vyukov <[email protected]>
On Fri, Jul 7, 2017 at 12:01 AM, Greg Hackmann <[email protected]> wrote:
> Use cc-option to figure out whether the compiler's sanitizer uses
> LLVM-style parameters ("-mllvm -asan-foo=bar") or GCC-style parameters
> ("--param asan-foo=bar").
>
> Signed-off-by: Greg Hackmann <[email protected]>
> ---
> scripts/Makefile.kasan | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
> index 9576775a86f6..b66ae4b4546b 100644
> --- a/scripts/Makefile.kasan
> +++ b/scripts/Makefile.kasan
> @@ -9,11 +9,19 @@ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET)
>
> CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address
>
> -CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \
> +CFLAGS_KASAN_GCC := $(call cc-option, -fsanitize=kernel-address \
> -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \
> --param asan-stack=1 --param asan-globals=1 \
> --param asan-instrumentation-with-call-threshold=$(call_threshold))
>
> +CFLAGS_KASAN_LLVM := $(call cc-option, -fsanitize=kernel-address \
> + -mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET) \
> + -mllvm -asan-stack=1 -mllvm -asan-globals=1 \
> + -mllvm -asan-use-after-scope=1 \
> + -mllvm -asan-instrumentation-with-call-threshold=$(call_threshold))
> +
> +CFLAGS_KASAN := $(CFLAGS_KASAN_GCC) $(CFLAGS_KASAN_LLVM)
> +
> ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),)
> ifneq ($(CONFIG_COMPILE_TEST),y)
> $(warning Cannot use CONFIG_KASAN: \
Reviewed-by: Dmitry Vyukov <[email protected]>
On Fri, Jul 7, 2017 at 12:01 AM, Greg Hackmann <[email protected]> wrote:
> For now we can hard-code ASAN ABI level 5, since historical clang builds
> can't build the kernel anyway. We also need to emulate gcc's
> __SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented.
>
> Signed-off-by: Greg Hackmann <[email protected]>
> ---
> include/linux/compiler-clang.h | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> index d614c5ea1b5e..8153f793b22a 100644
> --- a/include/linux/compiler-clang.h
> +++ b/include/linux/compiler-clang.h
> @@ -23,3 +23,13 @@
> */
> #undef inline
> #define inline inline __attribute__((unused)) notrace
> +
> +/* all clang versions usable with the kernel support KASAN ABI version 5
> + */
> +#define KASAN_ABI_VERSION 5
> +
> +/* emulate gcc's __SANITIZE_ADDRESS__ flag
> + */
> +#if __has_feature(address_sanitizer)
> +#define __SANITIZE_ADDRESS__
> +#endif
Reviewed-by: Dmitry Vyukov <[email protected]>
On 07/07/2017 01:01 AM, Greg Hackmann wrote:
> clang's AddressSanitizer implementation adds redzones on either side of
> alloca()ed buffers. These redzones are 32-byte aligned and at least 32
> bytes long.
gcc now supports this too. So I think this patch should enable it.
It's off by default so you'll have to add --param asan-instrument-allocas=1 into cflags
to make it work
>
> __asan_alloca_poison() is passed the size and address of the allocated
> buffer, *excluding* the redzones on either side. The left redzone will
> always be to the immediate left of this buffer; but AddressSanitizer may
> need to add padding between the end of the buffer and the right redzone.
> If there are any 8-byte chunks inside this padding, we should poison
> those too.
>
> __asan_allocas_unpoison() is just passed the top and bottom of the
> dynamic stack area, so unpoisoning is simpler.
>
> Signed-off-by: Greg Hackmann <[email protected]>
> ---
> lib/test_kasan.c | 22 ++++++++++++++++++++++
Tests would be better as a separate patch.
> mm/kasan/kasan.c | 26 ++++++++++++++++++++++++++
> mm/kasan/kasan.h | 8 ++++++++
> mm/kasan/report.c | 3 +++
> 4 files changed, 59 insertions(+)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index a25c9763fce1..f774fcafb696 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -473,6 +473,26 @@ static noinline void __init use_after_scope_test(void)
> p[1023] = 1;
> }
>
> +static noinline void __init kasan_alloca_oob_left(void)
> +{
> + volatile int i = 10;
> + char alloca_array[i];
> + char *p = alloca_array - 1;
> +
> + pr_info("out-of-bounds to left on alloca\n");
> + *(volatile char *)p;
> +}
> +
> +static noinline void __init kasan_alloca_oob_right(void)
> +{
> + volatile int i = 10;
> + char alloca_array[i];
> + char *p = alloca_array + round_up(i, 8);
Why round_up() ?
> +
> + pr_info("out-of-bounds to right on alloca\n");
> + *(volatile char *)p;
> +}
> +
> static int __init kmalloc_tests_init(void)
> {
> /*
> @@ -503,6 +523,8 @@ static int __init kmalloc_tests_init(void)
> memcg_accounted_kmem_cache();
> kasan_stack_oob();
> kasan_global_oob();
> + kasan_alloca_oob_left();
> + kasan_alloca_oob_right();
> ksize_unpoisons_memory();
> copy_user_test();
> use_after_scope_test();
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index c81549d5c833..892b626f564b 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -802,6 +802,32 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size)
> }
> EXPORT_SYMBOL(__asan_unpoison_stack_memory);
>
> +/* Emitted by compiler to poison alloca()ed objects. */
> +void __asan_alloca_poison(unsigned long addr, size_t size)
> +{
> + size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
> + size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) -
> + round_up(size, KASAN_SHADOW_SCALE_SIZE);
> +
> + const void *left_redzone = (const void *)(addr -
> + KASAN_ALLOCA_REDZONE_SIZE);
> + const void *right_redzone = (const void *)(addr + rounded_up_size);
> +
> + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
> + KASAN_ALLOCA_LEFT);
> + kasan_poison_shadow(right_redzone,
> + padding_size + KASAN_ALLOCA_REDZONE_SIZE,
> + KASAN_ALLOCA_RIGHT);
As Dmitry pointed out, the memory between [addr+size, addr+rounded_up_size) is left
unpoisoned. kasan_alloca_oob_right() without round_up() would have caught this.
On 07/07/2017 01:01 AM, Greg Hackmann wrote:
> From: Alexander Potapenko <[email protected]>
>
> As a code-size optimization, LLVM builds since r279383 may
> bulk-manipulate the shadow region when (un)poisoning large memory
> blocks. This requires new callbacks that simply do an uninstrumented
> memset().
>
> This fixes linking the Clang-built kernel when using KASAN.
>
> Signed-off-by: Alexander Potapenko <[email protected]>
> [[email protected]: fix memset() parameters, and tweak
> commit message to describe new callbacks]
> Signed-off-by: Greg Hackmann <[email protected]>
> ---
> mm/kasan/kasan.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index 892b626f564b..89911e5c69f9 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -828,6 +828,21 @@ void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
> }
> EXPORT_SYMBOL(__asan_allocas_unpoison);
>
> +/* Emitted by the compiler to [un]poison local variables. */
> +#define DEFINE_ASAN_SET_SHADOW(byte) \
> + void __asan_set_shadow_##byte(const void *addr, size_t size) \
> + { \
> + __memset((void *)addr, 0x##byte, size); \
> + } \
> + EXPORT_SYMBOL(__asan_set_shadow_##byte)
> +
> +DEFINE_ASAN_SET_SHADOW(00);
> +DEFINE_ASAN_SET_SHADOW(f1);
> +DEFINE_ASAN_SET_SHADOW(f2);
> +DEFINE_ASAN_SET_SHADOW(f3);
> +DEFINE_ASAN_SET_SHADOW(f5);
> +DEFINE_ASAN_SET_SHADOW(f8);
I think we can remove f8 as it should be used only by use-after-return instrumentation.
We don't use it in the kernel
> +
> #ifdef CONFIG_MEMORY_HOTPLUG
> static int kasan_mem_notifier(struct notifier_block *nb,
> unsigned long action, void *data)
>
On 07/07/2017 01:01 AM, Greg Hackmann wrote:
> For now we can hard-code ASAN ABI level 5, since historical clang builds
> can't build the kernel anyway. We also need to emulate gcc's
> __SANITIZE_ADDRESS__ flag, or memset() calls won't be instrumented.
>
> Signed-off-by: Greg Hackmann <[email protected]>
> ---
> include/linux/compiler-clang.h | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> index d614c5ea1b5e..8153f793b22a 100644
> --- a/include/linux/compiler-clang.h
> +++ b/include/linux/compiler-clang.h
> @@ -23,3 +23,13 @@
> */
> #undef inline
> #define inline inline __attribute__((unused)) notrace
> +
> +/* all clang versions usable with the kernel support KASAN ABI version 5
> + */
Enclosing */ should be on the same line for single-line comments.
> +#define KASAN_ABI_VERSION 5
> +
> +/* emulate gcc's __SANITIZE_ADDRESS__ flag
> + */
Ditto.
> +#if __has_feature(address_sanitizer)
> +#define __SANITIZE_ADDRESS__
> +#endif
>
Hi,
Thanks for taking a look at this patchstack. I apologize for the delay
in responding.
On 07/10/2017 01:44 AM, Dmitry Vyukov wrote:
>> +
>> + const void *left_redzone = (const void *)(addr -
>> + KASAN_ALLOCA_REDZONE_SIZE);
>> + const void *right_redzone = (const void *)(addr + rounded_up_size);
>
> Please check that size is rounded to KASAN_ALLOCA_REDZONE_SIZE. That's
> the expectation, right? That can change is clang silently.
>
>> + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
>> + KASAN_ALLOCA_LEFT);
>> + kasan_poison_shadow(right_redzone,
>> + padding_size + KASAN_ALLOCA_REDZONE_SIZE,
>> + KASAN_ALLOCA_RIGHT);
>
> We also need to poison the unaligned part at the end of the object
> from size to rounded_up_size. You can see how we do it for heap
> objects.
The expectation is that `size' is the exact size of the alloca()ed
object. `rounded_up_size' then adds the 0-7 bytes needed to adjust the
size to the ASAN shadow scale. So `addr + rounded_up_size' should be
the correct place to start poisoning.
In retrospect this part of the code was pretty confusing. How about
this? I think its intent is clearer, plus it's a closer match for the
description in my commit message:
unsigned long left_redzone_start;
unsigned long object_end;
unsigned long right_redzone_start, right_redzone_end;
left_redzone_start = addr - KASAN_ALLOCA_REDZONE_SIZE;
kasan_poison_shadow((const void *)left_redzone_start,
KASAN_ALLOCA_REDZONE_SIZE,
KASAN_ALLOCA_LEFT);
object_end = round_up(addr + size, KASAN_SHADOW_SCALE_SIZE);
right_redzone_start = round_up(object_end, KASAN_ALLOCA_REDZONE_SIZE);
right_redzone_end = right_redzone_start + KASAN_ALLOCA_REDZONE_SIZE;
kasan_poison_shadow((const void *)object_end,
right_redzone_end - object_end,
KASAN_ALLOCA_RIGHT);
On 07/10/2017 03:30 AM, Andrey Ryabinin wrote:
> gcc now supports this too. So I think this patch should enable it.
> It's off by default so you'll have to add --param asan-instrument-allocas=1 into cflags
> to make it work
Thanks, will fix. For now, it looks like I'll need to build gcc from
git to test this?
>> lib/test_kasan.c | 22 ++++++++++++++++++++++
>
> Tests would be better as a separate patch.
I was following the precedent in 828347f8f9a5 ("kasan: support
use-after-scope detection") which added both at the same time. But I
can split the test off into a separate patch if you feel really strongly
about it.
On Fri, Jul 14, 2017 at 12:40 AM, Greg Hackmann <[email protected]> wrote:
> Hi,
>
> Thanks for taking a look at this patchstack. I apologize for the delay in
> responding.
>
> On 07/10/2017 01:44 AM, Dmitry Vyukov wrote:
>>>
>>> +
>>> + const void *left_redzone = (const void *)(addr -
>>> + KASAN_ALLOCA_REDZONE_SIZE);
>>> + const void *right_redzone = (const void *)(addr +
>>> rounded_up_size);
>>
>>
>> Please check that size is rounded to KASAN_ALLOCA_REDZONE_SIZE. That's
>> the expectation, right? That can change is clang silently.
>>
>>> + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
>>> + KASAN_ALLOCA_LEFT);
>>> + kasan_poison_shadow(right_redzone,
>>> + padding_size + KASAN_ALLOCA_REDZONE_SIZE,
>>> + KASAN_ALLOCA_RIGHT);
>>
>>
>> We also need to poison the unaligned part at the end of the object
>> from size to rounded_up_size. You can see how we do it for heap
>> objects.
>
>
> The expectation is that `size' is the exact size of the alloca()ed object.
> `rounded_up_size' then adds the 0-7 bytes needed to adjust the size to the
> ASAN shadow scale. So `addr + rounded_up_size' should be the correct place
> to start poisoning.
We need to start poisoning at addr+size exactly.
Asan shadow scheme supports this. It's not possible to poison
beginning of an aligned 8-byte block, but leave tail unpoisoned. But
it is possible to poison tail of an aligned 8-byte block and leave
beginning unpoisoned. Look at what we do for kmalloc.
> In retrospect this part of the code was pretty confusing. How about this?
> I think its intent is clearer, plus it's a closer match for the description
> in my commit message:
>
> unsigned long left_redzone_start;
> unsigned long object_end;
> unsigned long right_redzone_start, right_redzone_end;
>
> left_redzone_start = addr - KASAN_ALLOCA_REDZONE_SIZE;
> kasan_poison_shadow((const void *)left_redzone_start,
> KASAN_ALLOCA_REDZONE_SIZE,
> KASAN_ALLOCA_LEFT);
>
> object_end = round_up(addr + size, KASAN_SHADOW_SCALE_SIZE);
> right_redzone_start = round_up(object_end,
> KASAN_ALLOCA_REDZONE_SIZE);
> right_redzone_end = right_redzone_start + KASAN_ALLOCA_REDZONE_SIZE;
> kasan_poison_shadow((const void *)object_end,
> right_redzone_end - object_end,
> KASAN_ALLOCA_RIGHT);
On 07/14/2017 01:49 AM, Greg Hackmann wrote:
> On 07/10/2017 03:30 AM, Andrey Ryabinin wrote:
>> gcc now supports this too. So I think this patch should enable it.
>> It's off by default so you'll have to add --param asan-instrument-allocas=1 into cflags
>> to make it work
>
> Thanks, will fix. For now, it looks like I'll need to build gcc from git to test this?
>
Right, you'll need quite fresh revision >= 250032
>>> lib/test_kasan.c | 22 ++++++++++++++++++++++
>>
>> Tests would be better as a separate patch.
>
> I was following the precedent in 828347f8f9a5 ("kasan: support use-after-scope detection") which added both at the same time. But I can split the test off into a separate patch if you feel really strongly about it.
Please, do the split.