Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp6996688ybi; Mon, 22 Jul 2019 05:23:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqzgGskOE0UVg8/V77Ltc23EdyIkgxOp2D/xZsXQPBSvidixm3Ussgtv+1uHyWXyINqe2lCN X-Received: by 2002:a17:90a:b394:: with SMTP id e20mr76162091pjr.76.1563798190303; Mon, 22 Jul 2019 05:23:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563798190; cv=none; d=google.com; s=arc-20160816; b=IKMPCMtx75J35EGCrqUDveMz7RpWy6OyQZwg9az3nKYgyN79lKV+SyvwuVsXh8YEbe FklSSvoXHFQBr0dccJ/J31+2hrf5S6dMfHEA7NSnFzybRCCw7DfukPcfkwbBVcllMrZM l+fyjtqVroZ95hfjIe2wTLhu4RyxR4V/aqWrNx6c8dWXNsrRXkattJC3iv9Ek49V0MWH Ad5rjADO5x5HSDWiPDNu0lP0zmwcFZgXRFnMlqRTnxqZHiCcNGybzhaCY43qkZOUb6pI TavOsyFUsw2sx6sII+KS7JUFnEL0zR5W0pK6TilAKMkBZgzuOg6RisXnhOPXjx3+7Mmp m5QQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :references:in-reply-to:date:cc:to:from:subject:message-id; bh=+9Hah1o88uTNtSe4/7uYaciyMFH0liersSRqkZ9QIvs=; b=QVvI50AyzQro0w52kPMw2hL3Jna4Qa9kqg8aXlAA5NHWeSzoAsLBOwjt+2KUic6+sk K/x1gRyqcFVju7Etg/Y/ySoah9nPcMUMHtyNVsg+3o0pHZ8vkl+hrijoSwMaea56gUuf 8LfRc1h2jkgvS/oUlh1jvFijfZ2yVaAO+cTBWNvExrjrfNBkn2cLZ03bNOiRCBk8bS6N AbHokfnlMHuGOXPpw8zjodBkn1GR6TvLwHVOO5977bb+38onlgy2/VjOklQfVDcZRo+r 644wCLr2kIlvASzt7M03q9ndEvbfBLOTEcL6MUQiifNuYtEO7/anvHix+UHi8XUDQgk3 juCw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z18si9660630pjt.94.2019.07.22.05.22.51; Mon, 22 Jul 2019 05:23:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729235AbfGVJwu (ORCPT + 99 others); Mon, 22 Jul 2019 05:52:50 -0400 Received: from mailgw01.mediatek.com ([210.61.82.183]:58370 "EHLO mailgw01.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1728129AbfGVJwu (ORCPT ); Mon, 22 Jul 2019 05:52:50 -0400 X-UUID: 4416e42ecd35467192de92f81e192f6f-20190722 X-UUID: 4416e42ecd35467192de92f81e192f6f-20190722 Received: from mtkmrs01.mediatek.inc [(172.21.131.159)] by mailgw01.mediatek.com (envelope-from ) (mhqrelay.mediatek.com ESMTP with TLS) with ESMTP id 1042474360; Mon, 22 Jul 2019 17:52:43 +0800 Received: from mtkcas09.mediatek.inc (172.21.101.178) by mtkmbs07n1.mediatek.inc (172.21.101.16) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 22 Jul 2019 17:52:42 +0800 Received: from [172.21.84.99] (172.21.84.99) by mtkcas09.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.0.1395.4 via Frontend Transport; Mon, 22 Jul 2019 17:52:42 +0800 Message-ID: <1563789162.31223.3.camel@mtksdccf07> Subject: Re: [PATCH v3] kasan: add memory corruption identification for software tag-based mode From: Walter Wu To: Andrey Ryabinin CC: Dmitry Vyukov , Alexander Potapenko , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Matthias Brugger , "Martin Schwidefsky" , Arnd Bergmann , "Vasily Gorbik" , Andrey Konovalov , "Jason A . Donenfeld" , Miles Chen , kasan-dev , LKML , Linux-MM , Linux ARM , , wsd_upstream Date: Mon, 22 Jul 2019 17:52:42 +0800 In-Reply-To: <9ab1871a-2605-ab34-3fd3-4b44a0e17ab7@virtuozzo.com> References: <20190613081357.1360-1-walter-zh.wu@mediatek.com> <1560447999.15814.15.camel@mtksdccf07> <1560479520.15814.34.camel@mtksdccf07> <1560744017.15814.49.camel@mtksdccf07> <1560774735.15814.54.camel@mtksdccf07> <1561974995.18866.1.camel@mtksdccf07> <1562640832.9077.32.camel@mtksdccf07> <1562839579.5846.12.camel@mtksdccf07> <37897fb7-88c1-859a-dfcc-0a5e89a642e0@virtuozzo.com> <1563160001.4793.4.camel@mtksdccf07> <9ab1871a-2605-ab34-3fd3-4b44a0e17ab7@virtuozzo.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.2.3-0ubuntu6 Content-Transfer-Encoding: 8bit MIME-Version: 1.0 X-MTK: N Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2019-07-18 at 19:11 +0300, Andrey Ryabinin wrote: > > On 7/15/19 6:06 AM, Walter Wu wrote: > > On Fri, 2019-07-12 at 13:52 +0300, Andrey Ryabinin wrote: > >> > >> On 7/11/19 1:06 PM, Walter Wu wrote: > >>> On Wed, 2019-07-10 at 21:24 +0300, Andrey Ryabinin wrote: > >>>> > >>>> On 7/9/19 5:53 AM, Walter Wu wrote: > >>>>> On Mon, 2019-07-08 at 19:33 +0300, Andrey Ryabinin wrote: > >>>>>> > >>>>>> On 7/5/19 4:34 PM, Dmitry Vyukov wrote: > >>>>>>> On Mon, Jul 1, 2019 at 11:56 AM Walter Wu wrote: > >>>> > >>>>>>> > >>>>>>> Sorry for delays. I am overwhelm by some urgent work. I afraid to > >>>>>>> promise any dates because the next week I am on a conference, then > >>>>>>> again a backlog and an intern starting... > >>>>>>> > >>>>>>> Andrey, do you still have concerns re this patch? This change allows > >>>>>>> to print the free stack. > >>>>>> > >>>>>> I 'm not sure that quarantine is a best way to do that. Quarantine is made to delay freeing, but we don't that here. > >>>>>> If we want to remember more free stacks wouldn't be easier simply to remember more stacks in object itself? > >>>>>> Same for previously used tags for better use-after-free identification. > >>>>>> > >>>>> > >>>>> Hi Andrey, > >>>>> > >>>>> We ever tried to use object itself to determine use-after-free > >>>>> identification, but tag-based KASAN immediately released the pointer > >>>>> after call kfree(), the original object will be used by another > >>>>> pointer, if we use object itself to determine use-after-free issue, then > >>>>> it has many false negative cases. so we create a lite quarantine(ring > >>>>> buffers) to record recent free stacks in order to avoid those false > >>>>> negative situations. > >>>> > >>>> I'm telling that *more* than one free stack and also tags per object can be stored. > >>>> If object reused we would still have information about n-last usages of the object. > >>>> It seems like much easier and more efficient solution than patch you proposing. > >>>> > >>> To make the object reused, we must ensure that no other pointers uses it > >>> after kfree() release the pointer. > >>> Scenario: > >>> 1). The object reused information is valid when no another pointer uses > >>> it. > >>> 2). The object reused information is invalid when another pointer uses > >>> it. > >>> Do you mean that the object reused is scenario 1) ? > >>> If yes, maybe we can change the calling quarantine_put() location. It > >>> will be fully use that quarantine, but at scenario 2) it looks like to > >>> need this patch. > >>> If no, maybe i miss your meaning, would you tell me how to use invalid > >>> object information? or? > >>> > >> > >> > >> KASAN keeps information about object with the object, right after payload in the kasan_alloc_meta struct. > >> This information is always valid as long as slab page allocated. Currently it keeps only one last free stacktrace. > >> It could be extended to record more free stacktraces and also record previously used tags which will allow you > >> to identify use-after-free and extract right free stacktrace. > > > > Thanks for your explanation. > > > > For extend slub object, if one record is 9B (sizeof(u8)+ sizeof(struct > > kasan_track)) and add five records into slub object, every slub object > > may add 45B usage after the system runs longer. > > Slub object number is easy more than 1,000,000(maybe it may be more > > bigger), then the extending object memory usage should be 45MB, and > > unfortunately it is no limit. The memory usage is more bigger than our > > patch. > > No, it's not necessarily more. > And there are other aspects to consider such as performance, how simple reliable the code is. > > > > > We hope tag-based KASAN advantage is smaller memory usage. If it’s > > possible, we should spend less memory in order to identify > > use-after-free. Would you accept our patch after fine tune it? > > Sure, if you manage to fix issues and demonstrate that performance penalty of your > patch is close to zero. I remember that there are already the lists which you concern. Maybe we can try to solve those problems one by one. 1. deadlock issue? cause by kmalloc() after kfree()? 2. decrease allocation fail, to modify GFP_NOWAIT flag to GFP_KERNEL? 3. check whether slim 48 bytes (sizeof (qlist_object) + sizeof(kasan_alloc_meta)) and additional unique stacktrace in stackdepot? 4. duplicate struct 'kasan_track' information in two different places Would you have any other concern? or?