Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp5802686rwl; Sun, 8 Jan 2023 23:12:11 -0800 (PST) X-Google-Smtp-Source: AMrXdXvqkIfmz3nh8/Fw1TcxN//WQfeQXohej5F1moAHC9Nmey0vUFfD1s6XCiTOictfTF02SpfI X-Received: by 2002:a17:902:dad0:b0:189:5f5c:da1e with SMTP id q16-20020a170902dad000b001895f5cda1emr99761005plx.27.1673248331576; Sun, 08 Jan 2023 23:12:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673248331; cv=none; d=google.com; s=arc-20160816; b=gKd6SpUcm/6E0G5fbHh35FyHW6mhj0mPayJZmfAzgzxi1pNKdNE3eBHq9kx77RO8c7 SDwGYK11eb53+9ntTunsx3JKVYZdoQKbBFPGwg4IWt299rvg2h0OqHzIMaymmdWROsaV 4OZgvxXVYfGL9sbx+f+m1GPmmAJaScpl3ikfSaU0Dl0oQxEcfiz5KAcvjMHw24/lvbgl PVg+veimUrTl7H5gYo2v2tuZZhGuo7stJs3SQ65NeFTYrFbtKdOWL9d8Olgvp9qNydeJ ZpZXn3ekFnVH1i0KfAAnRh4y2OUrPwKDpA0RVyD3yiqfM2z7XlCny1UiqdgfQU28L0Cu r0Qg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=8fHjJ5mqa9cPGpS5KD+GC/eZ7abKkX/dkmk/DvDpfNA=; b=R63/bYQ+N0FWBzvYks+PoAThWxzChYU6ToHgqZ8ZAO+zrzkiwvTzQ5tvDWqEgcOy02 1hVphh6Q1DttIM/FrNKD6stoPYBgdVWF+rQaDzHbwxumAp6x0Vsg0upyzvKTN0QZgBQg Gdon6MqhyTxq7Rx/5JR9dk33lJAnuZMt0+I05LSceqC0Ltl8RfaXWB9xvjYwQBKeqdLJ KuaEymyzD/vbxQai5YYD6eG9i/48KUs1kAbdx9dqK8kDYjs5Oql9JE3g7KQ4sgJ2fIBr FT7QF3xpThgKHFRQpu1HrwXdo+xfbRJ9qwgMF3fKz4VrsLVQGkU4OJfSEzHP3huVYQ2h HY4w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=OyMUf+5B; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p2-20020a170902c70200b00192dbc36b89si7540420plp.232.2023.01.08.23.12.04; Sun, 08 Jan 2023 23:12:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=OyMUf+5B; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230504AbjAIGvW (ORCPT + 56 others); Mon, 9 Jan 2023 01:51:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53098 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230284AbjAIGvU (ORCPT ); Mon, 9 Jan 2023 01:51:20 -0500 Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6208E12633 for ; Sun, 8 Jan 2023 22:51:18 -0800 (PST) Received: by mail-lf1-x12f.google.com with SMTP id b3so11530751lfv.2 for ; Sun, 08 Jan 2023 22:51:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8fHjJ5mqa9cPGpS5KD+GC/eZ7abKkX/dkmk/DvDpfNA=; b=OyMUf+5B6frZZs4hQkljDvf/Xom1i0Hqd9XJHQkHyv7eihmEw1hjihNs3D99WNWYdr z9hevlf2PG4glj9VEoG+tDPk2ZYWsPeICavudYQWLYiTye6iTYirV+zuwBaHqWXWGeHQ ioBbj5QAhnOumJ6vGSvi90hV9Z9Ns8tD50zqOfwwZC2qgL+8cpoQ+sNQCW6bq+wJiCEu 3+RHv073gwOCssDoZeVPmWmk2a4LhYJOSejGG1NRazdFDx6z6MoQuP1NFKSwnqPI93LM xHGIK/3IDfUZ2L6jP8bddwAIfVCkmPe458adq7vFG6hlA/WlyRNAzQzc1JIrIZJNMPsi KVIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8fHjJ5mqa9cPGpS5KD+GC/eZ7abKkX/dkmk/DvDpfNA=; b=rz7IxW7Ia3jEswp2KNIncUL+rZ6RSVbERqIvcMCtCJfjPHZYlwjcdUwxI3VXy6Mgtb c6GTh4cmlMSTAguJmEfhqtO3vCER+OXGIkl9Q6LvYwA8XWzfJaerdJh8oiCkDL9efRuV hNnYbBc4PrTLx70ELotzpSfzfDWkXiad6Z7+9idksIwBVQ0m2Nwx7abhkL3O3jnpcePm xXDEe2SHelNTM9vyX6QNkcHSCSSt/pXWuOfV9Gxwio2WsM07saMZ1I99BYALEQz8nlbV Jz+TBfQEqi4z//42HtaEFRYfj95jc/nGVWzxg7GJSDi6bpSrrrhgrZ7Nw1YaJO753WPL 14Fw== X-Gm-Message-State: AFqh2krurPbWiB+uuZs/poXB2HsQRo80YTtrnjWr2YL83pCB2mxXbsxV 0bsNsD37DfwnDNCKozLi/h0UP6+c4Z/fjjrwRJDqWQ== X-Received: by 2002:a05:6512:12c4:b0:4a2:676e:cf60 with SMTP id p4-20020a05651212c400b004a2676ecf60mr2640163lfg.624.1673247076285; Sun, 08 Jan 2023 22:51:16 -0800 (PST) MIME-Version: 1.0 References: <20230103075603.12294-1-Kuan-Ying.Lee@mediatek.com> In-Reply-To: <20230103075603.12294-1-Kuan-Ying.Lee@mediatek.com> From: Dmitry Vyukov Date: Mon, 9 Jan 2023 07:51:04 +0100 Message-ID: Subject: Re: [PATCH] kasan: infer the requested size by scanning shadow memory To: Kuan-Ying Lee Cc: Andrey Ryabinin , Alexander Potapenko , Andrey Konovalov , Vincenzo Frascino , Andrew Morton , Matthias Brugger , chinwen.chang@mediatek.com, qun-wei.lin@mediatek.com, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 3 Jan 2023 at 08:56, 'Kuan-Ying Lee' via kasan-dev wrote: > > We scan the shadow memory to infer the requested size instead of > printing cache->object_size directly. > > This patch will fix the confusing generic kasan report like below. [1] > Report shows "cache kmalloc-192 of size 192", but user > actually kmalloc(184). > > ================================================================== > BUG: KASAN: slab-out-of-bounds in _find_next_bit+0x143/0x160 lib/find_bit.c:109 > Read of size 8 at addr ffff8880175766b8 by task kworker/1:1/26 > ... > The buggy address belongs to the object at ffff888017576600 > which belongs to the cache kmalloc-192 of size 192 > The buggy address is located 184 bytes inside of > 192-byte region [ffff888017576600, ffff8880175766c0) > ... > Memory state around the buggy address: > ffff888017576580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888017576600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > >ffff888017576680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc > ^ > ffff888017576700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff888017576780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ================================================================== > > After this patch, report will show "cache kmalloc-192 of size 184". > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=216457 [1] > > Signed-off-by: Kuan-Ying Lee > --- > mm/kasan/kasan.h | 5 +++++ > mm/kasan/report.c | 3 ++- > mm/kasan/report_generic.c | 18 ++++++++++++++++++ > 3 files changed, 25 insertions(+), 1 deletion(-) > > diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h > index 32413f22aa82..7bb627d21580 100644 > --- a/mm/kasan/kasan.h > +++ b/mm/kasan/kasan.h > @@ -340,8 +340,13 @@ static inline void kasan_print_address_stack_frame(const void *addr) { } > > #ifdef CONFIG_KASAN_GENERIC > void kasan_print_aux_stacks(struct kmem_cache *cache, const void *object); > +int kasan_get_alloc_size(void *object_addr, struct kmem_cache *cache); > #else > static inline void kasan_print_aux_stacks(struct kmem_cache *cache, const void *object) { } > +static inline int kasan_get_alloc_size(void *object_addr, struct kmem_cache *cache) > +{ > + return cache->object_size; > +} > #endif > > bool kasan_report(unsigned long addr, size_t size, > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > index 1d02757e90a3..6de454bb2cad 100644 > --- a/mm/kasan/report.c > +++ b/mm/kasan/report.c > @@ -236,12 +236,13 @@ static void describe_object_addr(const void *addr, struct kmem_cache *cache, > { > unsigned long access_addr = (unsigned long)addr; > unsigned long object_addr = (unsigned long)object; > + int real_size = kasan_get_alloc_size((void *)object_addr, cache); > const char *rel_type; > int rel_bytes; > > pr_err("The buggy address belongs to the object at %px\n" > " which belongs to the cache %s of size %d\n", > - object, cache->name, cache->object_size); > + object, cache->name, real_size); > > if (access_addr < object_addr) { > rel_type = "to the left"; > diff --git a/mm/kasan/report_generic.c b/mm/kasan/report_generic.c > index 043c94b04605..01b38e459352 100644 > --- a/mm/kasan/report_generic.c > +++ b/mm/kasan/report_generic.c > @@ -43,6 +43,24 @@ void *kasan_find_first_bad_addr(void *addr, size_t size) > return p; > } > > +int kasan_get_alloc_size(void *addr, struct kmem_cache *cache) > +{ > + int size = 0; > + u8 *shadow = (u8 *)kasan_mem_to_shadow(addr); > + > + while (size < cache->object_size) { > + if (*shadow == 0) > + size += KASAN_GRANULE_SIZE; > + else if (*shadow >= 1 && *shadow <= KASAN_GRANULE_SIZE - 1) > + size += *shadow; > + else > + return size; > + shadow++; This only works for out-of-bounds reports, but I don't see any checks for report type. Won't this break reporting for all other report types? I would also print the cache name anyway. Sometimes reports are perplexing and/or this logic may return a wrong result for some reason. The total object size may be useful to understand harder cases. > + } > + > + return cache->object_size; > +} > + > static const char *get_shadow_bug_type(struct kasan_report_info *info) > { > const char *bug_type = "unknown-crash";