Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp12636020rwl; Tue, 3 Jan 2023 18:20:01 -0800 (PST) X-Google-Smtp-Source: AMrXdXsyxj+j8ynHy3M/Pr7yTtqNOSRKQMa+EbM3srCUxpAAzQ8kIl4TkWOOMnmRCfYRnTCkmeer X-Received: by 2002:a05:6a20:4283:b0:a5:a9c1:5600 with SMTP id o3-20020a056a20428300b000a5a9c15600mr64093559pzj.48.1672798801248; Tue, 03 Jan 2023 18:20:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672798801; cv=none; d=google.com; s=arc-20160816; b=AQz8xDEuvATKshVte9DAl45s4kdDSoPC2/2X+3ejxvNmWORj4hBJRWSBnGv5Mx+QJy pqMe2DdZEghbrF7hdUu57TcwersdSWYh8qbEFZTrKl3L1m3dQY+v+/Yj2PqAkVB6Mylk 50kpAUk1G/zAeZWgryco7R545NmLxCewhNyb80qqejwqOQjJ4ct7BCY9gjh4gMU/huFl ubeKkcaatsoHfka6XwNXbm+mgcTd3kGfNnBu48e0gZ337iOw5gw/IN0rIV63+pEFvbDv uyyO2070/EVK3yax8HbWrv0rLpaYOE9Et5sJaepsxQYT5fGwSasDgl4JUxHIarddfEs7 rXvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=hHeFWn8psj8u8cGp1SABE4QnAQdoZWb4E9tsvr9oCvk=; b=QlieX+H3aP5RjmS0OmDGYd8S3mJEi8YdjLNMMz/5e0UmUFqRkTK5hYWO1yqQVAG/Fs ssPcAgu+Lq2iPSiO3TO0Eun0qwcGadd94aOCijn17HI4vwNwhvvtPdRzsv5J8fO94/XA SHhXoBesnvyNLD5rG9WPSlThDAiqz1VDSBLf9gbX1eFki7AwJT1zAXpvYsrZ8EWTRLUy kPAXobUK/4QgM5cSuccMcteOOi9TjDVZf8mXeFDAIbT1mcHNyOqY0POesYLnp1hGlI7r U/aTOyP4UGqcAeOW2+dfoFtuLfSSEf5YsUP3BIob/i9ZBEnrlijHzJvF0elkFHQV+Vsz wttg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=dIntYs8V; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t203-20020a635fd4000000b00477ba9ec461si33505565pgb.879.2023.01.03.18.19.52; Tue, 03 Jan 2023 18:20:01 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=dIntYs8V; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230352AbjADCBI (ORCPT + 59 others); Tue, 3 Jan 2023 21:01:08 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45898 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229794AbjADCBG (ORCPT ); Tue, 3 Jan 2023 21:01:06 -0500 Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 405871091 for ; Tue, 3 Jan 2023 18:01:01 -0800 (PST) Received: by mail-pj1-x1036.google.com with SMTP id j8-20020a17090a3e0800b00225fdd5007fso23312979pjc.2 for ; Tue, 03 Jan 2023 18:01:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hHeFWn8psj8u8cGp1SABE4QnAQdoZWb4E9tsvr9oCvk=; b=dIntYs8Vf4z/54w86VjYfR8QSrf959Il8mXbiEes8eVzuXfpOrY99hD9Ws5Diw5VwO V0SzFWJI9wBDkn2eynnJ2czga+dwdBwdgkhdNlE73DqxIBjzn/Mtl2JnRp4hxcV5eQdE MdbOPFV+pg2nfORgvucmgCQ3xFIS8SRdbzHhc3O687/EHdUrEyIA4z2W/mfNK/KcUhUt bmDhqo0DefNVGKtkJVd09K3bhjLN2dV31/SibDgzkFZohPuRBEl0WQ06frEwB+XuQPqw r9THHuktVvRdSaB3+gyJLh8hIHoUbpbJn4aHdar/Aov1ZwcW6vNg+XIihS3ps4F+umpZ 1zUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hHeFWn8psj8u8cGp1SABE4QnAQdoZWb4E9tsvr9oCvk=; b=I6U3Xb4VUeuwWl1kaU2rs9kNXqh96Q2LvBvUUnf9URoSu90T48C0zyBSQb5ArqgDqm sSY/mWp9gyRVvIfmSiel1jNY5xSKw74x9wzvR6eaiZ4knohTMCSg79uGdJYi8cQAHFDf Km5uedn/BqkT7UE7IjIGrZGuEu8fmdoeeL5jFWA4P++0ABnDBXmrhy/6ttu+hIIwVnuf 9H5gPa04mOY2xu29qlFDTrcJE3Hpe4uuNMlRhhVJGP4EbFulMZagAhLh63jvZoqAuVCP VpfWGit2fd7MF9DpWDuSOR/S41mqENEXJgFF2P73J2IUOoTfdApkNBIsUNMMLflg669W /BYA== X-Gm-Message-State: AFqh2krjHerveyIn2/oIMW+rv+/iYbREpfDawbchXWxCwROfae6zdnwo 78OxMlqUfXwpr1z9XBTfKWUIYFwVElQg8iJQIow= X-Received: by 2002:a17:903:3287:b0:189:8d8b:9db7 with SMTP id jh7-20020a170903328700b001898d8b9db7mr3112912plb.150.1672797660693; Tue, 03 Jan 2023 18:01:00 -0800 (PST) MIME-Version: 1.0 References: <20230103075603.12294-1-Kuan-Ying.Lee@mediatek.com> In-Reply-To: <20230103075603.12294-1-Kuan-Ying.Lee@mediatek.com> From: Andrey Konovalov Date: Wed, 4 Jan 2023 03:00:49 +0100 Message-ID: Subject: Re: [PATCH] kasan: infer the requested size by scanning shadow memory To: Kuan-Ying Lee Cc: Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Vincenzo Frascino , Andrew Morton , Matthias Brugger , chinwen.chang@mediatek.com, qun-wei.lin@mediatek.com, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 3, 2023 at 8:56 AM Kuan-Ying Lee wrote: > > We scan the shadow memory to infer the requested size instead of > printing cache->object_size directly. > > This patch will fix the confusing generic kasan report like below. [1] > Report shows "cache kmalloc-192 of size 192", but user > actually kmalloc(184). > > ================================================================== > BUG: KASAN: slab-out-of-bounds in _find_next_bit+0x143/0x160 lib/find_bit.c:109 > Read of size 8 at addr ffff8880175766b8 by task kworker/1:1/26 > ... > The buggy address belongs to the object at ffff888017576600 > which belongs to the cache kmalloc-192 of size 192 > The buggy address is located 184 bytes inside of > 192-byte region [ffff888017576600, ffff8880175766c0) > ... > Memory state around the buggy address: > ffff888017576580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888017576600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > >ffff888017576680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc > ^ > ffff888017576700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff888017576780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ================================================================== > > After this patch, report will show "cache kmalloc-192 of size 184". I think this introduces more confusion. kmalloc-192 cache doesn't have the size of 184. Let's leave the first two lines as is, and instead change the second two lines to: The buggy address is located 0 bytes to the right of requested 184-byte region [ffff888017576600, ffff8880175766c0) This specifically points out an out-of-bounds access. Note the added "requested". Alternatively, we could say "allocated". > --- a/mm/kasan/kasan.h > +++ b/mm/kasan/kasan.h > @@ -340,8 +340,13 @@ static inline void kasan_print_address_stack_frame(const void *addr) { } > > #ifdef CONFIG_KASAN_GENERIC > void kasan_print_aux_stacks(struct kmem_cache *cache, const void *object); > +int kasan_get_alloc_size(void *object_addr, struct kmem_cache *cache); > #else > static inline void kasan_print_aux_stacks(struct kmem_cache *cache, const void *object) { } > +static inline int kasan_get_alloc_size(void *object_addr, struct kmem_cache *cache) > +{ > + return cache->object_size; Please implement similar shadow/tag walking for the tag-based modes. Even though we can only deduce the requested size with the granularity of 16 bytes, it still makes sense. It makes sense to also use the word "allocated" instead of "requested" for these modes, as the size is not deduced precisely. > --- a/mm/kasan/report.c > +++ b/mm/kasan/report.c > @@ -236,12 +236,13 @@ static void describe_object_addr(const void *addr, struct kmem_cache *cache, > { > unsigned long access_addr = (unsigned long)addr; > unsigned long object_addr = (unsigned long)object; > + int real_size = kasan_get_alloc_size((void *)object_addr, cache); Please add another field to the mode-specific section of the kasan_report_info structure, fill it in complete_report_info, and use it here. See kasan_find_first_bad_addr as a reference. Thanks for working on this!