From: Paul Lawrence
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Masahiro Yamada, Michal Marek
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kbuild@vger.kernel.org, Matthias Kaehlcke, Michael Davidson, Greg Hackmann, Paul Lawrence
Subject: [PATCH v2 1/5] kasan: support alloca() poisoning
Date: Wed, 29 Nov 2017 13:50:46 -0800
Message-Id: <20171129215050.158653-2-paullawrence@google.com>
X-Mailer: git-send-email 2.15.0.531.g2ccb3012c9-goog
In-Reply-To: <20171129215050.158653-1-paullawrence@google.com>
References: <20171129215050.158653-1-paullawrence@google.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

clang's AddressSanitizer implementation adds redzones on either side of alloca()ed buffers. These redzones are 32-byte aligned and at least 32 bytes long.

__asan_alloca_poison() is passed the size and address of the allocated buffer, *excluding* the redzones on either side. The left redzone will always be to the immediate left of this buffer; but AddressSanitizer may need to add padding between the end of the buffer and the right redzone. If there are any 8-byte chunks inside this padding, we should poison those too.

__asan_allocas_unpoison() is just passed the top and bottom of the dynamic stack area, so unpoisoning is simpler.

Signed-off-by: Greg Hackmann
Signed-off-by: Paul Lawrence

 mm/kasan/kasan.c  | 32 ++++++++++++++++++++++++++++++++
 mm/kasan/kasan.h  |  8 ++++++++
 mm/kasan/report.c |  4 ++++
 3 files changed, 44 insertions(+)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 405bba487df5..f86f862f41f8 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -736,6 +736,38 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size) } EXPORT_SYMBOL(__asan_unpoison_stack_memory); +/* Emitted by compiler to poison alloca()ed objects. */ +void __asan_alloca_poison(unsigned long addr, size_t size) +{ + size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE); + size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) - + rounded_up_size; + + const void *left_redzone = (const void *)(addr - + KASAN_ALLOCA_REDZONE_SIZE); + const void *right_redzone = (const void *)(addr + rounded_up_size); + + WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE)); + + kasan_unpoison_shadow((const void *)addr, size); + kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE, + KASAN_ALLOCA_LEFT); + kasan_poison_shadow(right_redzone, + padding_size + KASAN_ALLOCA_REDZONE_SIZE, + KASAN_ALLOCA_RIGHT); +} +EXPORT_SYMBOL(__asan_alloca_poison); + +/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */ +void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom) +{ + if (unlikely(!stack_top || stack_top > stack_bottom)) + return; + + kasan_unpoison_shadow(stack_top, stack_bottom - stack_top); +} +EXPORT_SYMBOL(__asan_allocas_unpoison); + #ifdef CONFIG_MEMORY_HOTPLUG static int __meminit kasan_mem_notifier(struct notifier_block *nb, unsigned long action, void *data) diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index c70851a9a6a4..7c0bcd1f4c0d 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h @@ -24,6 +24,14 @@ #define KASAN_STACK_PARTIAL 0xF4 #define KASAN_USE_AFTER_SCOPE 0xF8 +/* + * alloca redzone shadow values + */ +#define KASAN_ALLOCA_LEFT 0xCA +#define KASAN_ALLOCA_RIGHT 0xCB + +#define KASAN_ALLOCA_REDZONE_SIZE 32 + /* Don't break randconfig/all*config builds */ #ifndef KASAN_ABI_VERSION #define KASAN_ABI_VERSION 1 diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 6bcfb01ba038..25419d426426 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c 
@@ -102,6 +102,10 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info) case KASAN_USE_AFTER_SCOPE: bug_type = "use-after-scope"; break; + case KASAN_ALLOCA_LEFT: + case KASAN_ALLOCA_RIGHT: + bug_type = "alloca-out-of-bounds"; + break; } return bug_type; -- 2.15.0.531.g2ccb3012c9-goog
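Review bot: in the mm/kasan/kasan.c hunk, the two new entry points take the address in different types: __asan_alloca_poison() takes `unsigned long addr` and casts it to `const void *` three times, while __asan_allocas_unpoison() takes `const void *stack_top, const void *stack_bottom` directly. Both work with what the compiler passes in registers, but one convention (e.g. `const void *addr` for the poison routine, which drops the casts) would read consistently with the existing `__asan_unpoison_stack_memory(const void *addr, size_t size)` visible in the context. Two short comments would also help the next reader: one noting that the `WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE))` is advisory and the function continues regardless (a misaligned address can only come from the instrumentation, so there is nothing for the runtime to recover), and one on the `padding_size` computation explaining that it covers the whole 8-byte chunks between the rounded-up buffer and the next 32-byte boundary, which is the padding the commit message says must be poisoned too; right now that derivation has to be reconstructed from the two round_up() calls.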
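Review bot: in the mm/kasan/kasan.h hunk, the comment block above KASAN_ALLOCA_LEFT/KASAN_ALLOCA_RIGHT only says "alloca redzone shadow values" and KASAN_ALLOCA_REDZONE_SIZE has no comment at all, yet that define is an ABI constant fixed by the compiler rather than a tunable: the commit message states clang's redzones are 32-byte aligned and at least 32 bytes long, and __asan_alloca_poison() derives left_redzone and the alignment check from it, so changing it here without a matching compiler change would poison the wrong bytes. Suggest `/* Must match the alloca redzone size emitted by clang's ASan instrumentation. */` on the define, and a line noting that 0xCA/0xCB were chosen to be distinct from the existing stack shadow values (0xF1..0xF8 in the context) so get_shadow_bug_type() can tell them apart.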
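Review bot: in the mm/kasan/report.c hunk, both new shadow values fall through to the same "alloca-out-of-bounds" string, which discards the left/right distinction the kasan.h hunk introduces. Since the shadow byte already tells an underflow (KASAN_ALLOCA_LEFT) from an overflow (KASAN_ALLOCA_RIGHT), consider separate cases with strings that name the side, so a report says which end of the alloca()ed buffer was crossed without the reader having to decode the raw shadow dump.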