Subject: Re: [PATCH v3] kasan: add memory corruption identification for software tag-based mode
From: Andrey Ryabinin
To: Dmitry Vyukov, Walter Wu
Cc: Alexander Potapenko, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Matthias Brugger, Martin Schwidefsky, Arnd Bergmann, Vasily Gorbik, Andrey Konovalov, "Jason A. Donenfeld", Miles Chen, kasan-dev, LKML, Linux-MM, Linux ARM, linux-mediatek@lists.infradead.org, wsd_upstream
Date: Mon, 8 Jul 2019 19:33:41 +0300
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/5/19 4:34 PM, Dmitry Vyukov wrote:
> On Mon, Jul 1, 2019 at 11:56 AM Walter Wu wrote:
>>>>>>>>> This patch adds memory corruption identification at bug report for
>>>>>>>>> software tag-based mode, the report shows whether it is "use-after-free"
>>>>>>>>> or "out-of-bound" error instead of "invalid-access" error. This will make
>>>>>>>>> it easier for programmers to see the memory corruption problem.
>>>>>>>>>
>>>>>>>>> Now we extend the quarantine to support both generic and tag-based kasan.
>>>>>>>>> For tag-based kasan, the quarantine stores only freed object information
>>>>>>>>> to check if an object is freed recently. When tag-based kasan reports an
>>>>>>>>> error, we can check if the tagged addr is in the quarantine and make a
>>>>>>>>> good guess if the object is more like "use-after-free" or "out-of-bound".
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> We already have all the information and don't need the quarantine to make such a guess.
>>>>>>>> Basically if shadow of the first byte of object has the same tag as tag in pointer then it's out-of-bounds,
>>>>>>>> otherwise it's use-after-free.
>>>>>>>>
>>>>>>>> In pseudo-code it's something like this:
>>>>>>>>
>>>>>>>> u8 object_tag = *(u8 *)kasan_mem_to_shadow(nearest_object(cache, page, access_addr));
>>>>>>>>
>>>>>>>> if (access_addr_tag == object_tag && object_tag != KASAN_TAG_INVALID)
>>>>>>>>	// out-of-bounds
>>>>>>>> else
>>>>>>>>	// use-after-free
>>>>>>>
>>>>>>> Thanks for your explanation.
>>>>>>> I see, we can use it to decide corruption type.
>>>>>>> But for some use-after-free issues, it may not have an accurate free-backtrace.
>>>>>>> Unfortunately in that situation, free-backtrace is the most important.
>>>>>>> Please see the example below.
>>>>>>>
>>>>>>> In generic KASAN, it gets accurate free-backtrace(ptr1).
>>>>>>> In tag-based KASAN, it gets wrong free-backtrace(ptr2). It will make
>>>>>>> programmer misjudge, so they may not believe tag-based KASAN.
>>>>>>> So we provide this patch, we hope tag-based KASAN bug report is as
>>>>>>> accurate as generic KASAN.
>>>>>>>
>>>>>>> ---
>>>>>>> ptr1 = kmalloc(size, GFP_KERNEL);
>>>>>>> ptr1_free(ptr1);
>>>>>>>
>>>>>>> ptr2 = kmalloc(size, GFP_KERNEL);
>>>>>>> ptr2_free(ptr2);
>>>>>>>
>>>>>>> ptr1[size] = 'x'; //corruption here
>>>>>>>
>>>>>>>
>>>>>>> static noinline void ptr1_free(char* ptr)
>>>>>>> {
>>>>>>>	kfree(ptr);
>>>>>>> }
>>>>>>> static noinline void ptr2_free(char* ptr)
>>>>>>> {
>>>>>>>	kfree(ptr);
>>>>>>> }
>>>>>>> ---
>>>>>>>
>>>>>> We think of another question about deciding by that shadow of the first
>>>>>> byte.
>>>>>> In tag-based KASAN, it is immediately released after calling kfree(), so
>>>>>> the slub is easy to be used by another pointer, then it will change
>>>>>> shadow memory to the tag of new pointer, it will not be the
>>>>>> KASAN_TAG_INVALID, so there are many false negative cases, especially in
>>>>>> small size allocation.
>>>>>>
>>>>>> Our patch is to solve those problems, so please consider it, thanks.
>>>>>>
>>>>> Hi, Andrey and Dmitry,
>>>>>
>>>>> I am sorry to bother you.
>>>>> Would you tell me what you think about this patch?
>>>>> We want to use tag-based KASAN, so we hope its bug report is as clear and
>>>>> correct as generic KASAN.
>>>>>
>>>>> Thanks for your review.
>>>>> Walter
>>>>
>>>> Hi Walter,
>>>>
>>>> I will probably be busy till the next week. Sorry for delays.
>>>
>>> It's ok. Thanks for your kind help.
>>> I hope I can contribute to tag-based KASAN. It is a very important tool
>>> for us.
>>
>> Hi, Dmitry,
>>
>> Would you have free time to discuss this patch together?
>> Thanks.
>
> Sorry for delays. I am overwhelmed by some urgent work. I am afraid to
> promise any dates because the next week I am on a conference, then
> again a backlog and an intern starting...
>
> Andrey, do you still have concerns re this patch? This change allows
> to print the free stack.

I'm not sure that quarantine is the best way to do that. Quarantine is made to delay freeing, but we don't do that here.
If we want to remember more free stacks, wouldn't it be easier simply to remember more stacks in the object itself?
Same for previously used tags for better use-after-free identification.

> We also have a quarantine for hwasan in user-space. Though it works a
> bit differently than the normal asan quarantine. We keep a per-thread
> fixed-size ring-buffer of recent allocations:
> https://github.com/llvm-mirror/compiler-rt/blob/master/lib/hwasan/hwasan_report.cpp#L274-L284
> and scan these ring buffers during reports.
>
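
To make the suggestion above (remember more free stacks and previously used tags in the object itself) a bit more concrete, here is a rough userspace sketch. It is only an illustration, not kernel code: struct obj_meta, meta_alloc(), meta_free(), classify(), NR_FREE_RECORDS and TAG_INVALID are all hypothetical names, TAG_INVALID merely stands in for KASAN_TAG_INVALID, and a plain integer stands in for a saved free stack.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

#define NR_FREE_RECORDS 4	/* hypothetical: how many recent frees to remember */
#define TAG_INVALID 0xFE	/* stand-in for KASAN_TAG_INVALID */

/* One remembered free: the tag the object had, plus its free stack. */
struct free_record {
	uint8_t tag;
	uint32_t stack_id;	/* stand-in for a saved free stack handle */
};

/* Hypothetical per-object metadata kept next to the object itself. */
struct obj_meta {
	uint8_t cur_tag;	/* tag currently stored in the object's shadow */
	unsigned int nr_frees;	/* total number of frees recorded so far */
	struct free_record frees[NR_FREE_RECORDS];	/* small ring of recent frees */
};

enum bug_type { BUG_OUT_OF_BOUNDS, BUG_USE_AFTER_FREE, BUG_INVALID_ACCESS };

/* Allocation assigns a fresh tag to the slot. */
static void meta_alloc(struct obj_meta *m, uint8_t tag)
{
	m->cur_tag = tag;
}

/* Free records the old tag and free stack, then invalidates the slot. */
static void meta_free(struct obj_meta *m, uint32_t stack_id)
{
	struct free_record *r = &m->frees[m->nr_frees % NR_FREE_RECORDS];

	r->tag = m->cur_tag;
	r->stack_id = stack_id;
	m->nr_frees++;
	m->cur_tag = TAG_INVALID;
}

/*
 * Classify a bad access made through a pointer carrying ptr_tag.
 * On BUG_USE_AFTER_FREE, *stack_id is set to the matching free stack.
 */
static enum bug_type classify(const struct obj_meta *m, uint8_t ptr_tag,
			      uint32_t *stack_id)
{
	unsigned int n = m->nr_frees < NR_FREE_RECORDS ?
			 m->nr_frees : NR_FREE_RECORDS;
	unsigned int i;

	/* Pointer tag matches the live object: the access ran past its bounds. */
	if (ptr_tag == m->cur_tag && m->cur_tag != TAG_INVALID)
		return BUG_OUT_OF_BOUNDS;

	/* Otherwise look for the tag among recent frees, newest first. */
	for (i = 0; i < n; i++) {
		const struct free_record *r =
			&m->frees[(m->nr_frees - 1 - i) % NR_FREE_RECORDS];

		if (r->tag == ptr_tag) {
			*stack_id = r->stack_id;
			return BUG_USE_AFTER_FREE;
		}
	}
	return BUG_INVALID_ACCESS;
}
```

With the ptr1/ptr2 sequence from the example earlier in the thread, an access through the stale ptr1 tag would match the older record and report the ptr1 free stack rather than the ptr2 one, even after the slot was reused. Since the tag space is small, two allocations of the same slot can get the same tag, so the result would still be a best guess.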