Subject: Re: [PATCH v3] kasan: add memory corruption identification for software tag-based mode
From: Andrey Ryabinin
Date: Thu, 13 Jun 2019 15:27:09 +0300
To: Walter Wu, Alexander Potapenko, Dmitry Vyukov, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Matthias Brugger, Martin Schwidefsky, Arnd Bergmann, Vasily Gorbik, Andrey Konovalov, Jason A. Donenfeld, Miles Chen
Cc: kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, wsd_upstream@mediatek.com
In-Reply-To: <20190613081357.1360-1-walter-zh.wu@mediatek.com>

On 6/13/19 11:13 AM, Walter Wu wrote:
> This patch adds memory corruption identification at bug report for
> software tag-based mode, the report shows whether it is "use-after-free"
> or "out-of-bound" error instead of "invalid-access" error. This will make
> it easier for programmers to see the memory corruption problem.
>
> Now we extend the quarantine to support both generic and tag-based kasan.
> For tag-based kasan, the quarantine stores only freed object information
> to check if an object is freed recently. When tag-based kasan reports an
> error, we can check if the tagged addr is in the quarantine and make a
> good guess if the object is more like "use-after-free" or "out-of-bound".
>

We already have all the information and don't need the quarantine to make such a guess.
Basically if shadow of the first byte of object has the same tag as tag in pointer then it's out-of-bounds,
otherwise it's use-after-free. In pseudo-code it's something like this:

    u8 object_tag = *(u8 *)kasan_mem_to_shadow(nearest_object(cache, page, access_addr));

    if (access_addr_tag == object_tag && object_tag != KASAN_TAG_INVALID)
        // out-of-bounds
    else
        // use-after-free
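A small C model of the rule Andrey describes, added here as an example (it is neither the patch under review nor kernel code): shadow bytes carry tags, freeing poisons the object's granules with KASAN_TAG_INVALID, and on a tag mismatch the shadow tag of the object's first byte decides between out-of-bounds and use-after-free. The slab layout (32-byte objects each followed by a 16-byte redzone) and the toy_* names are assumptions made for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy model of software tag-based KASAN: one shadow byte per 16-byte
 * granule stores the tag of the memory it covers, and a pointer carries
 * its tag in the top byte (arm64 TBI). KASAN_TAG_INVALID is the kernel's
 * value for freed and redzone memory. Assumed slab layout: 32-byte
 * objects, each followed by a 16-byte redzone (a 48-byte slot). */
#define GRANULE           16
#define OBJ_SIZE          32
#define SLOT_SIZE         (OBJ_SIZE + GRANULE)
#define NR_SLOTS          4
#define KASAN_TAG_INVALID 0xFEu
#define KASAN_TAG_SHIFT   56

enum kasan_bug { KASAN_OK = 0, KASAN_OUT_OF_BOUNDS, KASAN_USE_AFTER_FREE };

static uint8_t shadow[NR_SLOTS * SLOT_SIZE / GRANULE];   /* zero-initialised */

static uint64_t tag_ptr(size_t off, uint8_t tag) { return ((uint64_t)tag << KASAN_TAG_SHIFT) | off; }
static uint8_t ptr_tag(uint64_t p) { return (uint8_t)(p >> KASAN_TAG_SHIFT); }
static size_t ptr_off(uint64_t p) { return (size_t)(p & ((1ull << KASAN_TAG_SHIFT) - 1)); }

/* Stand-in for nearest_object(cache, page, addr): start of the slot */
static size_t nearest_object(size_t off) { return off - off % SLOT_SIZE; }

/* kmalloc: tag the object's granules, poison its redzone as invalid */
static uint64_t toy_kmalloc(unsigned slot, uint8_t tag) {
    size_t off = slot * SLOT_SIZE;
    memset(&shadow[off / GRANULE], tag, OBJ_SIZE / GRANULE);
    shadow[(off + OBJ_SIZE) / GRANULE] = KASAN_TAG_INVALID;
    return tag_ptr(off, tag);
}

/* kfree: the whole object becomes invalid, so any stale tag mismatches */
static void toy_kfree(uint64_t p) {
    memset(&shadow[ptr_off(p) / GRANULE], KASAN_TAG_INVALID, OBJ_SIZE / GRANULE);
}

/* Access check: tag match is fine; on mismatch apply Andrey's rule */
static enum kasan_bug toy_check_access(uint64_t p) {
    size_t off = ptr_off(p);
    uint8_t access_tag = ptr_tag(p);
    if (shadow[off / GRANULE] == access_tag)
        return KASAN_OK;
    uint8_t object_tag = shadow[nearest_object(off) / GRANULE];
    if (access_tag == object_tag && object_tag != KASAN_TAG_INVALID)
        return KASAN_OUT_OF_BOUNDS;    /* object still live under this tag */
    return KASAN_USE_AFTER_FREE;       /* object freed (or since retagged) */
}
```

Reusing a slot with a fresh tag after a free still classifies the stale pointer as use-after-free, because the object's first-byte tag no longer equals the pointer's tag.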