Received: by 10.223.164.202 with SMTP id h10csp4897019wrb;
        Wed, 29 Nov 2017 13:52:31 -0800 (PST)
X-Google-Smtp-Source: AGs4zMar0tXgIStSfifugfHHf7cKQEWI9zYdxlbxI2Fgx4kWY4ozHDr8mAQ1owVT1cmMZIhLdxAP
X-Received: by 10.98.149.72 with SMTP id p69mr4468646pfd.76.1511992351144;
        Wed, 29 Nov 2017 13:52:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511992351; cv=none;
        d=google.com; s=arc-20160816;
        b=QQ3SmWb7LuWQHdDCEXtCAJpCPwx8tsnpTwryGrE6mSBUSlifdGdE4Qb+yE+/IgEacP
         XtN4vRC6VDbTIx40fQIjDWFfyOcmSpIbhSgAYg9RxIkH4JoEBRIrj5Vrs12xAlCyiZt+
         w1NDe91tgV9GjLUPLo/FBHiR0B/YniN5WJ/jW1cG3QhdGqSf5v4tal9Xy5tGdsnTl0TR
         wR2b3u1HMXlkQxQCliGW+hMK5VWUXoUP+k8KCxboG34GYKSOYGAXXrfZZL8Nr42YEEne
         PCLdq+L/FWn1WVspt36ywY7o8fHdS949JA//ITr+7q4XLwC0KgtrjTm5qzHd9Q96aaZ+
         IS5w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature:arc-authentication-results;
        bh=CHDaEhJigPjiBOcH9K7b4HKI0L14JpwQRaqxYXi8Sgk=;
        b=E/qSKv7sk31+4YPBSCtRx7OIl+IyLnmqqs2XHrU6f4Cp05QiXrDErGl6QsO+AYTD+Y
         9e6RRmEMQwZ6yG4xB2nxW1QlgZpMUb6juvbIPV/BKuj9ozHMQoE5VClVhVawxN1j7QwS
         yAsUQ+QQE5PZEynoOIoFdeuqosNdK24UyuCigIKgokfxgApRZMUwaoVS69w6/07yx3Vg
         mM1R1Gefv4A2qZ/jU/AP4P7I/+NX5xkGW2NVp6+DFPCYQCH60Q1VltuH0n8PWS+Ol6A/
         kC4JOCqLIlLpG/QHJO0jHQ/8J+PlKROK5+OBZ2To+dLUBu1qEWbxOII+KqlW51wp/MZi
         yB1g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=nM/5MOA/;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h89si1877740pld.745.2017.11.29.13.52.17;
        Wed, 29 Nov 2017 13:52:31 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=nM/5MOA/;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752349AbdK2VvR (ORCPT <rfc822;shmalave.kernel@gmail.com>
        + 99 others); Wed, 29 Nov 2017 16:51:17 -0500
Received: from mail-it0-f65.google.com ([209.85.214.65]:46344 "EHLO
        mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752138AbdK2VvN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Nov 2017 16:51:13 -0500
Received: by mail-it0-f65.google.com with SMTP id t1so5844872ite.5
        for <linux-kernel@vger.kernel.org>; Wed, 29 Nov 2017 13:51:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=CHDaEhJigPjiBOcH9K7b4HKI0L14JpwQRaqxYXi8Sgk=;
        b=nM/5MOA/ETj8OnBI82TJlsBmtBJvnyNoxEawOzoNTKrTzgsxBFqZiBt4VBnd/P8ng8
         7QACL+Lt1E6sygjQ+s2D5JC3E84x0Skgnc2TFEAYqMXQ5m4elE48VB7iZzUp1/rcdM4i
         ExiSgyuLJD2nTEgukiyzcHVv4x3YW+2Han6XRlONic5UfI9Q/Bp7EbnxhZAgCunxHeJR
         e4kLa//FnigQQTTiFizY8HgQ9z0/21egmhdoE043LyWHndOd37EEktLcBf/hoD6ysq2C
         AFwQEeiYhNhz6pm/NB+BPguXjXzuV6/u03LCZn7X7opI4Mr2nNJJcFq/3Mo3YjIDHcl9
         NUvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=CHDaEhJigPjiBOcH9K7b4HKI0L14JpwQRaqxYXi8Sgk=;
        b=jj7bPv3dSfyOM8RNHIVychJfzRQxnuUFX1JMCXgwj1kkSBgbwy92v51dCKjHHDefzg
         hBbx/2Hw1AmHqOHex2bDKCRDLCnnOHsIQ4y6eUZ9VokaeLBZFJ2kQtwz+Frn9ZHmvHJw
         lMpIsN6Wz+YI8mO7pRrUUq0Gz9OG+jJpZQb0KYKQs710783hXKR2NpylrRqJ6db5nJfF
         9uKK0MqE7eRf9Ru/ZmcxTFtLDPvY43H0jpSy9zoND/tR007n0QE0+EVeiIb34qwZ1gJG
         mRmrUEzawin0Xi9mfWAIQd5qbmFbh62aCg0+u/yEzcInN2QQGBvAE6kLmsBkUklz2CSd
         GNEw==
X-Gm-Message-State: AJaThX6Q461ljR1OLtszuObr8t07kgIf7sK/4Sv7zNAXwYOPB12j7T2x
        HORX0VPE8vGwlnOokRbSFOfzAw==
X-Received: by 10.36.79.75 with SMTP id c72mr354141itb.146.1511992272607;
        Wed, 29 Nov 2017 13:51:12 -0800 (PST)
Received: from paullawrence.mtv.corp.google.com ([172.22.120.84])
        by smtp.gmail.com with ESMTPSA id x72sm1438438ite.43.2017.11.29.13.51.11
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Wed, 29 Nov 2017 13:51:12 -0800 (PST)
From:   Paul Lawrence <paullawrence@google.com>
To:     Andrey Ryabinin <aryabinin@virtuozzo.com>,
        Alexander Potapenko <glider@google.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Masahiro Yamada <yamada.masahiro@socionext.com>,
        Michal Marek <mmarek@suse.com>
Cc:     linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
        linux-mm@kvack.org, linux-kbuild@vger.kernel.org,
        Matthias Kaehlcke <mka@chromium.org>,
        Michael Davidson <md@google.com>,
        Greg Hackmann <ghackmann@google.com>,
        Paul Lawrence <paullawrence@google.com>
Subject: [PATCH v2 1/5] kasan: support alloca() poisoning
Date:   Wed, 29 Nov 2017 13:50:46 -0800
Message-Id: <20171129215050.158653-2-paullawrence@google.com>
X-Mailer: git-send-email 2.15.0.531.g2ccb3012c9-goog
In-Reply-To: <20171129215050.158653-1-paullawrence@google.com>
References: <20171129215050.158653-1-paullawrence@google.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

clang's AddressSanitizer implementation adds redzones on either side of
alloca()ed buffers.  These redzones are 32-byte aligned and at least 32
bytes long.

__asan_alloca_poison() is passed the size and address of the allocated
buffer, *excluding* the redzones on either side.  The left redzone will
always be to the immediate left of this buffer; but AddressSanitizer may
need to add padding between the end of the buffer and the right redzone.
If there are any 8-byte chunks inside this padding, we should poison
those too.

__asan_allocas_unpoison() is just passed the top and bottom of the
dynamic stack area, so unpoisoning is simpler.

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>

 mm/kasan/kasan.c  | 32 ++++++++++++++++++++++++++++++++
 mm/kasan/kasan.h  |  8 ++++++++
 mm/kasan/report.c |  4 ++++
 3 files changed, 44 insertions(+)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 405bba487df5..f86f862f41f8 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -736,6 +736,38 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size)
 }
 EXPORT_SYMBOL(__asan_unpoison_stack_memory);
 
+/* Emitted by compiler to poison alloca()ed objects. */
+void __asan_alloca_poison(unsigned long addr, size_t size)
+{
+	size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
+	size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) -
+			rounded_up_size;
+
+	const void *left_redzone = (const void *)(addr -
+			KASAN_ALLOCA_REDZONE_SIZE);
+	const void *right_redzone = (const void *)(addr + rounded_up_size);
+
+	WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE));
+
+	kasan_unpoison_shadow((const void *)addr, size);
+	kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,
+			KASAN_ALLOCA_LEFT);
+	kasan_poison_shadow(right_redzone,
+			padding_size + KASAN_ALLOCA_REDZONE_SIZE,
+			KASAN_ALLOCA_RIGHT);
+}
+EXPORT_SYMBOL(__asan_alloca_poison);
+
+/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */
+void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)
+{
+	if (unlikely(!stack_top || stack_top > stack_bottom))
+		return;
+
+	kasan_unpoison_shadow(stack_top, stack_bottom - stack_top);
+}
+EXPORT_SYMBOL(__asan_allocas_unpoison);
+
 #ifdef CONFIG_MEMORY_HOTPLUG
 static int __meminit kasan_mem_notifier(struct notifier_block *nb,
 			unsigned long action, void *data)
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index c70851a9a6a4..7c0bcd1f4c0d 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -24,6 +24,14 @@
 #define KASAN_STACK_PARTIAL     0xF4
 #define KASAN_USE_AFTER_SCOPE   0xF8
 
+/*
+ * alloca redzone shadow values
+ */
+#define KASAN_ALLOCA_LEFT	0xCA
+#define KASAN_ALLOCA_RIGHT	0xCB
+
+#define KASAN_ALLOCA_REDZONE_SIZE	32
+
 /* Don't break randconfig/all*config builds */
 #ifndef KASAN_ABI_VERSION
 #define KASAN_ABI_VERSION 1
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 6bcfb01ba038..25419d426426 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -102,6 +102,10 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
 	case KASAN_USE_AFTER_SCOPE:
 		bug_type = "use-after-scope";
 		break;
+	case KASAN_ALLOCA_LEFT:
+	case KASAN_ALLOCA_RIGHT:
+		bug_type = "alloca-out-of-bounds";
+		break;
 	}
 
 	return bug_type;
-- 
2.15.0.531.g2ccb3012c9-goog


From 1585425336220537547@xxx Wed Nov 29 18:17:03 +0000 2017
X-GM-THRID: 1585425336220537547
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread