2022-05-09 19:15:07

by andrey.konovalov

[permalink] [raw]
Subject: [PATCH 1/3] kasan: update documentation

From: Andrey Konovalov <[email protected]>

Do assorted clean-ups and improvements to KASAN documentation, including:

- Describe each mode in a dedicated paragraph.
- Split out a Support section that describes in details which compilers,
architectures and memory types each mode requires/supports.
- Capitalize the first letter in the names of each KASAN mode.

Signed-off-by: Andrey Konovalov <[email protected]>
---
Documentation/dev-tools/kasan.rst | 143 ++++++++++++++++++------------
1 file changed, 87 insertions(+), 56 deletions(-)

diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst
index 7614a1fc30fa..aca219ed1198 100644
--- a/Documentation/dev-tools/kasan.rst
+++ b/Documentation/dev-tools/kasan.rst
@@ -4,39 +4,76 @@ The Kernel Address Sanitizer (KASAN)
Overview
--------

-KernelAddressSANitizer (KASAN) is a dynamic memory safety error detector
-designed to find out-of-bound and use-after-free bugs. KASAN has three modes:
+Kernel Address Sanitizer (KASAN) is a dynamic memory safety error detector
+designed to find out-of-bounds and use-after-free bugs.

-1. generic KASAN (similar to userspace ASan),
-2. software tag-based KASAN (similar to userspace HWASan),
-3. hardware tag-based KASAN (based on hardware memory tagging).
+KASAN has three modes:

-Generic KASAN is mainly used for debugging due to a large memory overhead.
-Software tag-based KASAN can be used for dogfood testing as it has a lower
-memory overhead that allows using it with real workloads. Hardware tag-based
-KASAN comes with low memory and performance overheads and, therefore, can be
-used in production. Either as an in-field memory bug detector or as a security
-mitigation.
+1. Generic KASAN
+2. Software Tag-Based KASAN
+3. Hardware Tag-Based KASAN

-Software KASAN modes (#1 and #2) use compile-time instrumentation to insert
-validity checks before every memory access and, therefore, require a compiler
-version that supports that.
+Generic KASAN, enabled with CONFIG_KASAN_GENERIC, is the mode intended for
+debugging, similar to userspace ASan. This mode is supported on many CPU
+architectures, but it has significant performance and memory overheads.

-Generic KASAN is supported in GCC and Clang. With GCC, it requires version
-8.3.0 or later. Any supported Clang version is compatible, but detection of
-out-of-bounds accesses for global variables is only supported since Clang 11.
+Software Tag-Based KASAN or SW_TAGS KASAN, enabled with CONFIG_KASAN_SW_TAGS,
+can be used for both debugging and dogfood testing, similar to userspace HWASan.
+This mode is only supported for arm64, but its moderate memory overhead allows
+using it for testing on memory-restricted devices with real workloads.

-Software tag-based KASAN mode is only supported in Clang.
+Hardware Tag-Based KASAN or HW_TAGS KASAN, enabled with CONFIG_KASAN_HW_TAGS,
+is the mode intended to be used as an in-field memory bug detector or as a
+security mitigation. This mode only works on arm64 CPUs that support MTE
+(Memory Tagging Extension), but it has low memory and performance overheads and
+thus can be used in production.

-The hardware KASAN mode (#3) relies on hardware to perform the checks but
-still requires a compiler version that supports memory tagging instructions.
-This mode is supported in GCC 10+ and Clang 12+.
+For details about the memory and performance impact of each KASAN mode, see the
+descriptions of the corresponding Kconfig options.

-Both software KASAN modes work with SLUB and SLAB memory allocators,
-while the hardware tag-based KASAN currently only supports SLUB.
+The Generic and the Software Tag-Based modes are commonly referred to as the
+software modes. The Software Tag-Based and the Hardware Tag-Based modes are
+referred to as the tag-based modes.

-Currently, generic KASAN is supported for the x86_64, arm, arm64, xtensa, s390,
-and riscv architectures, and tag-based KASAN modes are supported only for arm64.
+Support
+-------
+
+Architectures
+~~~~~~~~~~~~~
+
+Generic KASAN is supported on x86_64, arm, arm64, powerpc, riscv, s390, and
+xtensa, and the tag-based KASAN modes are supported only on arm64.
+
+Compilers
+~~~~~~~~~
+
+Software KASAN modes use compile-time instrumentation to insert validity checks
+before every memory access and thus require a compiler version that provides
+support for that. The Hardware Tag-Based mode relies on hardware to perform
+these checks but still requires a compiler version that supports the memory
+tagging instructions.
+
+Generic KASAN requires GCC version 8.3.0 or later
+or any Clang version supported by the kernel.
+
+Software Tag-Based KASAN requires GCC 11+
+or any Clang version supported by the kernel.
+
+Hardware Tag-Based KASAN requires GCC 10+ or Clang 12+.
+
+Memory types
+~~~~~~~~~~~~
+
+Generic KASAN supports finding bugs in all of slab, page_alloc, vmap, vmalloc,
+stack, and global memory.
+
+Software Tag-Based KASAN supports slab, page_alloc, vmalloc, and stack memory.
+
+Hardware Tag-Based KASAN supports slab, page_alloc, and non-executable vmalloc
+memory.
+
+For slab, both software KASAN modes support SLUB and SLAB allocators, while
+Hardware Tag-Based KASAN only supports SLUB.

Usage
-----
@@ -45,13 +82,13 @@ To enable KASAN, configure the kernel with::

CONFIG_KASAN=y

-and choose between ``CONFIG_KASAN_GENERIC`` (to enable generic KASAN),
-``CONFIG_KASAN_SW_TAGS`` (to enable software tag-based KASAN), and
-``CONFIG_KASAN_HW_TAGS`` (to enable hardware tag-based KASAN).
+and choose between ``CONFIG_KASAN_GENERIC`` (to enable Generic KASAN),
+``CONFIG_KASAN_SW_TAGS`` (to enable Software Tag-Based KASAN), and
+``CONFIG_KASAN_HW_TAGS`` (to enable Hardware Tag-Based KASAN).

-For software modes, also choose between ``CONFIG_KASAN_OUTLINE`` and
+For the software modes, also choose between ``CONFIG_KASAN_OUTLINE`` and
``CONFIG_KASAN_INLINE``. Outline and inline are compiler instrumentation types.
-The former produces a smaller binary while the latter is 1.1-2 times faster.
+The former produces a smaller binary while the latter is up to 2 times faster.

To include alloc and free stack traces of affected slab objects into reports,
enable ``CONFIG_STACKTRACE``. To include alloc and free stack traces of affected
@@ -146,7 +183,7 @@ is either 8 or 16 aligned bytes depending on KASAN mode. Each number in the
memory state section of the report shows the state of one of the memory
granules that surround the accessed address.

-For generic KASAN, the size of each memory granule is 8. The state of each
+For Generic KASAN, the size of each memory granule is 8. The state of each
granule is encoded in one shadow byte. Those 8 bytes can be accessible,
partially accessible, freed, or be a part of a redzone. KASAN uses the following
encoding for each shadow byte: 00 means that all 8 bytes of the corresponding
@@ -181,14 +218,14 @@ By default, KASAN prints a bug report only for the first invalid memory access.
With ``kasan_multi_shot``, KASAN prints a report on every invalid access. This
effectively disables ``panic_on_warn`` for KASAN reports.

-Alternatively, independent of ``panic_on_warn`` the ``kasan.fault=`` boot
+Alternatively, independent of ``panic_on_warn``, the ``kasan.fault=`` boot
parameter can be used to control panic and reporting behaviour:

- ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN
report or also panic the kernel (default: ``report``). The panic happens even
if ``kasan_multi_shot`` is enabled.

-Hardware tag-based KASAN mode (see the section about various modes below) is
+Hardware Tag-Based KASAN mode (see the section about various modes below) is
intended for use in production as a security mitigation. Therefore, it supports
additional boot parameters that allow disabling KASAN or controlling features:

@@ -250,49 +287,46 @@ outline-instrumented kernel.
Generic KASAN is the only mode that delays the reuse of freed objects via
quarantine (see mm/kasan/quarantine.c for implementation).

-Software tag-based KASAN
+Software Tag-Based KASAN
~~~~~~~~~~~~~~~~~~~~~~~~

-Software tag-based KASAN uses a software memory tagging approach to checking
+Software Tag-Based KASAN uses a software memory tagging approach to checking
access validity. It is currently only implemented for the arm64 architecture.

-Software tag-based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
+Software Tag-Based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
to store a pointer tag in the top byte of kernel pointers. It uses shadow memory
to store memory tags associated with each 16-byte memory cell (therefore, it
dedicates 1/16th of the kernel memory for shadow memory).

-On each memory allocation, software tag-based KASAN generates a random tag, tags
+On each memory allocation, Software Tag-Based KASAN generates a random tag, tags
the allocated memory with this tag, and embeds the same tag into the returned
pointer.

-Software tag-based KASAN uses compile-time instrumentation to insert checks
+Software Tag-Based KASAN uses compile-time instrumentation to insert checks
before each memory access. These checks make sure that the tag of the memory
that is being accessed is equal to the tag of the pointer that is used to access
-this memory. In case of a tag mismatch, software tag-based KASAN prints a bug
+this memory. In case of a tag mismatch, Software Tag-Based KASAN prints a bug
report.

-Software tag-based KASAN also has two instrumentation modes (outline, which
+Software Tag-Based KASAN also has two instrumentation modes (outline, which
emits callbacks to check memory accesses; and inline, which performs the shadow
memory checks inline). With outline instrumentation mode, a bug report is
printed from the function that performs the access check. With inline
instrumentation, a ``brk`` instruction is emitted by the compiler, and a
dedicated ``brk`` handler is used to print bug reports.

-Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
+Software Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
pointers with the 0xFF pointer tag are not checked). The value 0xFE is currently
reserved to tag freed memory regions.

-Software tag-based KASAN currently only supports tagging of slab, page_alloc,
-and vmalloc memory.
-
-Hardware tag-based KASAN
+Hardware Tag-Based KASAN
~~~~~~~~~~~~~~~~~~~~~~~~

-Hardware tag-based KASAN is similar to the software mode in concept but uses
+Hardware Tag-Based KASAN is similar to the software mode in concept but uses
hardware memory tagging support instead of compiler instrumentation and
shadow memory.

-Hardware tag-based KASAN is currently only implemented for arm64 architecture
+Hardware Tag-Based KASAN is currently only implemented for arm64 architecture
and based on both arm64 Memory Tagging Extension (MTE) introduced in ARMv8.5
Instruction Set Architecture and Top Byte Ignore (TBI).

@@ -302,21 +336,18 @@ access, hardware makes sure that the tag of the memory that is being accessed is
equal to the tag of the pointer that is used to access this memory. In case of a
tag mismatch, a fault is generated, and a report is printed.

-Hardware tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
+Hardware Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
pointers with the 0xFF pointer tag are not checked). The value 0xFE is currently
reserved to tag freed memory regions.

-Hardware tag-based KASAN currently only supports tagging of slab, page_alloc,
-and VM_ALLOC-based vmalloc memory.
-
-If the hardware does not support MTE (pre ARMv8.5), hardware tag-based KASAN
+If the hardware does not support MTE (pre ARMv8.5), Hardware Tag-Based KASAN
will not be enabled. In this case, all KASAN boot parameters are ignored.

Note that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being
enabled. Even when ``kasan.mode=off`` is provided or when the hardware does not
support MTE (but supports TBI).

-Hardware tag-based KASAN only reports the first found bug. After that, MTE tag
+Hardware Tag-Based KASAN only reports the first found bug. After that, MTE tag
checking gets disabled.

Shadow memory
@@ -414,15 +445,15 @@ generic ``noinstr`` one.
Note that disabling compiler instrumentation (either on a per-file or a
per-function basis) makes KASAN ignore the accesses that happen directly in
that code for software KASAN modes. It does not help when the accesses happen
-indirectly (through calls to instrumented functions) or with the hardware
-tag-based mode that does not use compiler instrumentation.
+indirectly (through calls to instrumented functions) or with Hardware
+Tag-Based KASAN, which does not use compiler instrumentation.

For software KASAN modes, to disable KASAN reports in a part of the kernel code
for the current task, annotate this part of the code with a
``kasan_disable_current()``/``kasan_enable_current()`` section. This also
disables the reports for indirect accesses that happen through function calls.

-For tag-based KASAN modes (include the hardware one), to disable access
+For tag-based KASAN modes (include the Hardware one), to disable access
checking, use ``kasan_reset_tag()`` or ``page_kasan_tag_reset()``. Note that
temporarily disabling access checking via ``page_kasan_tag_reset()`` requires
saving and restoring the per-page KASAN tag via
--
2.25.1



2022-05-09 19:15:09

by andrey.konovalov

[permalink] [raw]
Subject: [PATCH 3/3] kasan: clean-up kconfig options descriptions

From: Andrey Konovalov <[email protected]>

Various readability clean-ups of KASAN Kconfig options.

No functional changes.

Signed-off-by: Andrey Konovalov <[email protected]>
---
lib/Kconfig.kasan | 168 ++++++++++++++++++++++------------------------
1 file changed, 82 insertions(+), 86 deletions(-)

diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
index 1f3e620188a2..f0973da583e0 100644
--- a/lib/Kconfig.kasan
+++ b/lib/Kconfig.kasan
@@ -1,4 +1,5 @@
# SPDX-License-Identifier: GPL-2.0-only
+
# This config refers to the generic KASAN mode.
config HAVE_ARCH_KASAN
bool
@@ -15,9 +16,8 @@ config HAVE_ARCH_KASAN_VMALLOC
config ARCH_DISABLE_KASAN_INLINE
bool
help
- An architecture might not support inline instrumentation.
- When this option is selected, inline and stack instrumentation are
- disabled.
+ Disables both inline and stack instrumentation. Selected by
+ architectures that do not support these instrumentation types.

config CC_HAS_KASAN_GENERIC
def_bool $(cc-option, -fsanitize=kernel-address)
@@ -26,13 +26,13 @@ config CC_HAS_KASAN_SW_TAGS
def_bool $(cc-option, -fsanitize=kernel-hwaddress)

# This option is only required for software KASAN modes.
-# Old GCC versions don't have proper support for no_sanitize_address.
+# Old GCC versions do not have proper support for no_sanitize_address.
# See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89124 for details.
config CC_HAS_WORKING_NOSANITIZE_ADDRESS
def_bool !CC_IS_GCC || GCC_VERSION >= 80300

menuconfig KASAN
- bool "KASAN: runtime memory debugger"
+ bool "KASAN: dynamic memory safety error detector"
depends on (((HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC) || \
(HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS)) && \
CC_HAS_WORKING_NOSANITIZE_ADDRESS) || \
@@ -40,10 +40,13 @@ menuconfig KASAN
depends on (SLUB && SYSFS) || (SLAB && !DEBUG_SLAB)
select STACKDEPOT_ALWAYS_INIT
help
- Enables KASAN (KernelAddressSANitizer) - runtime memory debugger,
- designed to find out-of-bounds accesses and use-after-free bugs.
+ Enables KASAN (Kernel Address Sanitizer) - a dynamic memory safety
+ error detector designed to find out-of-bounds and use-after-free bugs.
+
See Documentation/dev-tools/kasan.rst for details.

+ For better error reports, also enable CONFIG_STACKTRACE.
+
if KASAN

choice
@@ -51,75 +54,71 @@ choice
default KASAN_GENERIC
help
KASAN has three modes:
- 1. generic KASAN (similar to userspace ASan,
- x86_64/arm64/xtensa, enabled with CONFIG_KASAN_GENERIC),
- 2. software tag-based KASAN (arm64 only, based on software
- memory tagging (similar to userspace HWASan), enabled with
- CONFIG_KASAN_SW_TAGS), and
- 3. hardware tag-based KASAN (arm64 only, based on hardware
- memory tagging, enabled with CONFIG_KASAN_HW_TAGS).

- All KASAN modes are strictly debugging features.
+ 1. Generic KASAN (supported by many architectures, enabled with
+ CONFIG_KASAN_GENERIC, similar to userspace ASan),
+ 2. Software Tag-Based KASAN (arm64 only, based on software memory
+ tagging, enabled with CONFIG_KASAN_SW_TAGS, similar to userspace
+ HWASan), and
+ 3. Hardware Tag-Based KASAN (arm64 only, based on hardware memory
+ tagging, enabled with CONFIG_KASAN_HW_TAGS).

- For better error reports enable CONFIG_STACKTRACE.
+ See Documentation/dev-tools/kasan.rst for details about each mode.

config KASAN_GENERIC
- bool "Generic mode"
+ bool "Generic KASAN"
depends on HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC
depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
select SLUB_DEBUG if SLUB
select CONSTRUCTORS
help
- Enables generic KASAN mode.
+ Enables Generic KASAN.

- This mode is supported in both GCC and Clang. With GCC it requires
- version 8.3.0 or later. Any supported Clang version is compatible,
- but detection of out-of-bounds accesses for global variables is
- supported only since Clang 11.
+ Requires GCC 8.3.0+ or Clang.

- This mode consumes about 1/8th of available memory at kernel start
- and introduces an overhead of ~x1.5 for the rest of the allocations.
+ Consumes about 1/8th of available memory at kernel start and adds an
+ overhead of ~50% for dynamic allocations.
The performance slowdown is ~x3.

- Currently CONFIG_KASAN_GENERIC doesn't work with CONFIG_DEBUG_SLAB
- (the resulting kernel does not boot).
+ (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)

config KASAN_SW_TAGS
- bool "Software tag-based mode"
+ bool "Software Tag-Based KASAN"
depends on HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS
depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
select SLUB_DEBUG if SLUB
select CONSTRUCTORS
help
- Enables software tag-based KASAN mode.
+ Enables Software Tag-Based KASAN.

- This mode require software memory tagging support in the form of
- HWASan-like compiler instrumentation.
+ Requires GCC 11+ or Clang.

- Currently this mode is only implemented for arm64 CPUs and relies on
- Top Byte Ignore. This mode requires Clang.
+ Supported only on arm64 CPUs and relies on Top Byte Ignore.

- This mode consumes about 1/16th of available memory at kernel start
- and introduces an overhead of ~20% for the rest of the allocations.
- This mode may potentially introduce problems relating to pointer
- casting and comparison, as it embeds tags into the top byte of each
- pointer.
+ Consumes about 1/16th of available memory at kernel start and
+ add an overhead of ~20% for dynamic allocations.

- Currently CONFIG_KASAN_SW_TAGS doesn't work with CONFIG_DEBUG_SLAB
- (the resulting kernel does not boot).
+ May potentially introduce problems related to pointer casting and
+ comparison, as it embeds a tag into the top byte of each pointer.
+
+ (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)

config KASAN_HW_TAGS
- bool "Hardware tag-based mode"
+ bool "Hardware Tag-Based KASAN"
depends on HAVE_ARCH_KASAN_HW_TAGS
depends on SLUB
help
- Enables hardware tag-based KASAN mode.
+ Enables Hardware Tag-Based KASAN.
+
+ Requires GCC 10+ or Clang 12+.

- This mode requires hardware memory tagging support, and can be used
- by any architecture that provides it.
+ Supported only on arm64 CPUs starting from ARMv8.5 and relies on
+ Memory Tagging Extension and Top Byte Ignore.

- Currently this mode is only implemented for arm64 CPUs starting from
- ARMv8.5 and relies on Memory Tagging Extension and Top Byte Ignore.
+ Consumes about 1/32nd of available memory.
+
+ May potentially introduce problems related to pointer casting and
+ comparison, as it embeds a tag into the top byte of each pointer.

endchoice

@@ -131,83 +130,80 @@ choice
config KASAN_OUTLINE
bool "Outline instrumentation"
help
- Before every memory access compiler insert function call
- __asan_load*/__asan_store*. These functions performs check
- of shadow memory. This is slower than inline instrumentation,
- however it doesn't bloat size of kernel's .text section so
- much as inline does.
+ Makes the compiler insert function calls that check whether the memory
+ is accessible before each memory access. Slower than KASAN_INLINE, but
+ does not bloat the size of the kernel's .text section so much.

config KASAN_INLINE
bool "Inline instrumentation"
depends on !ARCH_DISABLE_KASAN_INLINE
help
- Compiler directly inserts code checking shadow memory before
- memory accesses. This is faster than outline (in some workloads
- it gives about x2 boost over outline instrumentation), but
- make kernel's .text size much bigger.
+ Makes the compiler directly insert memory accessibility checks before
+ each memory access. Faster than KASAN_OUTLINE (gives ~x2 boost for
+ some workloads), but makes the kernel's .text size much bigger.

endchoice

config KASAN_STACK
- bool "Enable stack instrumentation (unsafe)" if CC_IS_CLANG && !COMPILE_TEST
+ bool "Stack instrumentation (unsafe)" if CC_IS_CLANG && !COMPILE_TEST
depends on KASAN_GENERIC || KASAN_SW_TAGS
depends on !ARCH_DISABLE_KASAN_INLINE
default y if CC_IS_GCC
help
- The LLVM stack address sanitizer has a know problem that
- causes excessive stack usage in a lot of functions, see
- https://bugs.llvm.org/show_bug.cgi?id=38809
- Disabling asan-stack makes it safe to run kernels build
- with clang-8 with KASAN enabled, though it loses some of
- the functionality.
- This feature is always disabled when compile-testing with clang
- to avoid cluttering the output in stack overflow warnings,
- but clang users can still enable it for builds without
- CONFIG_COMPILE_TEST. On gcc it is assumed to always be safe
- to use and enabled by default.
- If the architecture disables inline instrumentation, stack
- instrumentation is also disabled as it adds inline-style
- instrumentation that is run unconditionally.
+ Disables stack instrumentation and thus KASAN's ability to detect
+ out-of-bounds bugs in stack variables.
+
+ With Clang, stack instrumentation has a problem that causes excessive
+ stack usage, see https://bugs.llvm.org/show_bug.cgi?id=38809. Thus,
+ with Clang, this option is deemed unsafe.
+
+ This option is always disabled when compile-testing with Clang to
+ avoid cluttering the log with stack overflow warnings.
+
+ With GCC, enabling stack instrumentation is assumed to be safe.
+
+ If the architecture disables inline instrumentation via
+ ARCH_DISABLE_KASAN_INLINE, stack instrumentation gets disabled
+ as well, as it adds inline-style instrumentation that is run
+ unconditionally.

config KASAN_TAGS_IDENTIFY
- bool "Enable memory corruption identification"
+ bool "Memory corruption type identification"
depends on KASAN_SW_TAGS || KASAN_HW_TAGS
help
- This option enables best-effort identification of bug type
- (use-after-free or out-of-bounds) at the cost of increased
- memory consumption.
+ Enables best-effort identification of the bug types (use-after-free
+ or out-of-bounds) at the cost of increased memory consumption.
+ Only applicable for the tag-based KASAN modes.

config KASAN_VMALLOC
bool "Check accesses to vmalloc allocations"
depends on HAVE_ARCH_KASAN_VMALLOC
help
- This mode makes KASAN check accesses to vmalloc allocations for
- validity.
+ Makes KASAN check the validity of accesses to vmalloc allocations.

- With software KASAN modes, checking is done for all types of vmalloc
- allocations. Enabling this option leads to higher memory usage.
+ With software KASAN modes, all types vmalloc allocations are
+ checked. Enabling this option leads to higher memory usage.

- With hardware tag-based KASAN, only VM_ALLOC mappings are checked.
- There is no additional memory usage.
+ With Hardware Tag-Based KASAN, only non-executable VM_ALLOC mappings
+ are checked. There is no additional memory usage.

config KASAN_KUNIT_TEST
tristate "KUnit-compatible tests of KASAN bug detection capabilities" if !KUNIT_ALL_TESTS
depends on KASAN && KUNIT
default KUNIT_ALL_TESTS
help
- This is a KUnit test suite doing various nasty things like
- out of bounds and use after free accesses. It is useful for testing
- kernel debugging features like KASAN.
+ A KUnit-based KASAN test suite. Triggers different kinds of
+ out-of-bounds and use-after-free accesses. Useful for testing whether
+ KASAN can detect certain bug types.

For more information on KUnit and unit tests in general, please refer
- to the KUnit documentation in Documentation/dev-tools/kunit.
+ to the KUnit documentation in Documentation/dev-tools/kunit/.

config KASAN_MODULE_TEST
tristate "KUnit-incompatible tests of KASAN bug detection capabilities"
depends on m && KASAN && !KASAN_HW_TAGS
help
- This is a part of the KASAN test suite that is incompatible with
- KUnit. Currently includes tests that do bad copy_from/to_user
- accesses.
+ A part of the KASAN test suite that is not integrated with KUnit.
+ Incompatible with Hardware Tag-Based KASAN.

endif # KASAN
--
2.25.1


2022-05-09 19:15:13

by andrey.konovalov

[permalink] [raw]
Subject: [PATCH 2/3] kasan: move boot parameters section in documentation

From: Andrey Konovalov <[email protected]>

Move the "Boot parameters" section in KASAN documentation next to the
section that describes KASAN build options.

No content changes.

Signed-off-by: Andrey Konovalov <[email protected]>
---
Documentation/dev-tools/kasan.rst | 82 +++++++++++++++----------------
1 file changed, 41 insertions(+), 41 deletions(-)

diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst
index aca219ed1198..7f103e975ac2 100644
--- a/Documentation/dev-tools/kasan.rst
+++ b/Documentation/dev-tools/kasan.rst
@@ -94,6 +94,47 @@ To include alloc and free stack traces of affected slab objects into reports,
enable ``CONFIG_STACKTRACE``. To include alloc and free stack traces of affected
physical pages, enable ``CONFIG_PAGE_OWNER`` and boot with ``page_owner=on``.

+Boot parameters
+~~~~~~~~~~~~~~~
+
+KASAN is affected by the generic ``panic_on_warn`` command line parameter.
+When it is enabled, KASAN panics the kernel after printing a bug report.
+
+By default, KASAN prints a bug report only for the first invalid memory access.
+With ``kasan_multi_shot``, KASAN prints a report on every invalid access. This
+effectively disables ``panic_on_warn`` for KASAN reports.
+
+Alternatively, independent of ``panic_on_warn``, the ``kasan.fault=`` boot
+parameter can be used to control panic and reporting behaviour:
+
+- ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN
+ report or also panic the kernel (default: ``report``). The panic happens even
+ if ``kasan_multi_shot`` is enabled.
+
+Hardware Tag-Based KASAN mode (see the section about various modes below) is
+intended for use in production as a security mitigation. Therefore, it supports
+additional boot parameters that allow disabling KASAN or controlling features:
+
+- ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
+
+- ``kasan.mode=sync``, ``=async`` or ``=asymm`` controls whether KASAN
+ is configured in synchronous, asynchronous or asymmetric mode of
+ execution (default: ``sync``).
+ Synchronous mode: a bad access is detected immediately when a tag
+ check fault occurs.
+ Asynchronous mode: a bad access detection is delayed. When a tag check
+ fault occurs, the information is stored in hardware (in the TFSR_EL1
+ register for arm64). The kernel periodically checks the hardware and
+ only reports tag faults during these checks.
+ Asymmetric mode: a bad access is detected synchronously on reads and
+ asynchronously on writes.
+
+- ``kasan.vmalloc=off`` or ``=on`` disables or enables tagging of vmalloc
+ allocations (default: ``on``).
+
+- ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
+ traces collection (default: ``on``).
+
Error reports
~~~~~~~~~~~~~

@@ -208,47 +249,6 @@ traces point to places in code that interacted with the object but that are not
directly present in the bad access stack trace. Currently, this includes
call_rcu() and workqueue queuing.

-Boot parameters
-~~~~~~~~~~~~~~~
-
-KASAN is affected by the generic ``panic_on_warn`` command line parameter.
-When it is enabled, KASAN panics the kernel after printing a bug report.
-
-By default, KASAN prints a bug report only for the first invalid memory access.
-With ``kasan_multi_shot``, KASAN prints a report on every invalid access. This
-effectively disables ``panic_on_warn`` for KASAN reports.
-
-Alternatively, independent of ``panic_on_warn``, the ``kasan.fault=`` boot
-parameter can be used to control panic and reporting behaviour:
-
-- ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN
- report or also panic the kernel (default: ``report``). The panic happens even
- if ``kasan_multi_shot`` is enabled.
-
-Hardware Tag-Based KASAN mode (see the section about various modes below) is
-intended for use in production as a security mitigation. Therefore, it supports
-additional boot parameters that allow disabling KASAN or controlling features:
-
-- ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
-
-- ``kasan.mode=sync``, ``=async`` or ``=asymm`` controls whether KASAN
- is configured in synchronous, asynchronous or asymmetric mode of
- execution (default: ``sync``).
- Synchronous mode: a bad access is detected immediately when a tag
- check fault occurs.
- Asynchronous mode: a bad access detection is delayed. When a tag check
- fault occurs, the information is stored in hardware (in the TFSR_EL1
- register for arm64). The kernel periodically checks the hardware and
- only reports tag faults during these checks.
- Asymmetric mode: a bad access is detected synchronously on reads and
- asynchronously on writes.
-
-- ``kasan.vmalloc=off`` or ``=on`` disables or enables tagging of vmalloc
- allocations (default: ``on``).
-
-- ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
- traces collection (default: ``on``).
-
Implementation details
----------------------

--
2.25.1


2022-05-10 12:24:43

by Marco Elver

[permalink] [raw]
Subject: Re: [PATCH 2/3] kasan: move boot parameters section in documentation

On Mon, May 09, 2022 at 09:07PM +0200, [email protected] wrote:
> From: Andrey Konovalov <[email protected]>
>
> Move the "Boot parameters" section in KASAN documentation next to the
> section that describes KASAN build options.
>
> No content changes.
>
> Signed-off-by: Andrey Konovalov <[email protected]>

Reviewed-by: Marco Elver <[email protected]>

> ---
> Documentation/dev-tools/kasan.rst | 82 +++++++++++++++----------------
> 1 file changed, 41 insertions(+), 41 deletions(-)
>
> diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst
> index aca219ed1198..7f103e975ac2 100644
> --- a/Documentation/dev-tools/kasan.rst
> +++ b/Documentation/dev-tools/kasan.rst
> @@ -94,6 +94,47 @@ To include alloc and free stack traces of affected slab objects into reports,
> enable ``CONFIG_STACKTRACE``. To include alloc and free stack traces of affected
> physical pages, enable ``CONFIG_PAGE_OWNER`` and boot with ``page_owner=on``.
>
> +Boot parameters
> +~~~~~~~~~~~~~~~
> +
> +KASAN is affected by the generic ``panic_on_warn`` command line parameter.
> +When it is enabled, KASAN panics the kernel after printing a bug report.
> +
> +By default, KASAN prints a bug report only for the first invalid memory access.
> +With ``kasan_multi_shot``, KASAN prints a report on every invalid access. This
> +effectively disables ``panic_on_warn`` for KASAN reports.
> +
> +Alternatively, independent of ``panic_on_warn``, the ``kasan.fault=`` boot
> +parameter can be used to control panic and reporting behaviour:
> +
> +- ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN
> + report or also panic the kernel (default: ``report``). The panic happens even
> + if ``kasan_multi_shot`` is enabled.
> +
> +Hardware Tag-Based KASAN mode (see the section about various modes below) is
> +intended for use in production as a security mitigation. Therefore, it supports
> +additional boot parameters that allow disabling KASAN or controlling features:
> +
> +- ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
> +
> +- ``kasan.mode=sync``, ``=async`` or ``=asymm`` controls whether KASAN
> + is configured in synchronous, asynchronous or asymmetric mode of
> + execution (default: ``sync``).
> + Synchronous mode: a bad access is detected immediately when a tag
> + check fault occurs.
> + Asynchronous mode: a bad access detection is delayed. When a tag check
> + fault occurs, the information is stored in hardware (in the TFSR_EL1
> + register for arm64). The kernel periodically checks the hardware and
> + only reports tag faults during these checks.
> + Asymmetric mode: a bad access is detected synchronously on reads and
> + asynchronously on writes.
> +
> +- ``kasan.vmalloc=off`` or ``=on`` disables or enables tagging of vmalloc
> + allocations (default: ``on``).
> +
> +- ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
> + traces collection (default: ``on``).
> +
> Error reports
> ~~~~~~~~~~~~~
>
> @@ -208,47 +249,6 @@ traces point to places in code that interacted with the object but that are not
> directly present in the bad access stack trace. Currently, this includes
> call_rcu() and workqueue queuing.
>
> -Boot parameters
> -~~~~~~~~~~~~~~~
> -
> -KASAN is affected by the generic ``panic_on_warn`` command line parameter.
> -When it is enabled, KASAN panics the kernel after printing a bug report.
> -
> -By default, KASAN prints a bug report only for the first invalid memory access.
> -With ``kasan_multi_shot``, KASAN prints a report on every invalid access. This
> -effectively disables ``panic_on_warn`` for KASAN reports.
> -
> -Alternatively, independent of ``panic_on_warn``, the ``kasan.fault=`` boot
> -parameter can be used to control panic and reporting behaviour:
> -
> -- ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN
> - report or also panic the kernel (default: ``report``). The panic happens even
> - if ``kasan_multi_shot`` is enabled.
> -
> -Hardware Tag-Based KASAN mode (see the section about various modes below) is
> -intended for use in production as a security mitigation. Therefore, it supports
> -additional boot parameters that allow disabling KASAN or controlling features:
> -
> -- ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
> -
> -- ``kasan.mode=sync``, ``=async`` or ``=asymm`` controls whether KASAN
> - is configured in synchronous, asynchronous or asymmetric mode of
> - execution (default: ``sync``).
> - Synchronous mode: a bad access is detected immediately when a tag
> - check fault occurs.
> - Asynchronous mode: a bad access detection is delayed. When a tag check
> - fault occurs, the information is stored in hardware (in the TFSR_EL1
> - register for arm64). The kernel periodically checks the hardware and
> - only reports tag faults during these checks.
> - Asymmetric mode: a bad access is detected synchronously on reads and
> - asynchronously on writes.
> -
> -- ``kasan.vmalloc=off`` or ``=on`` disables or enables tagging of vmalloc
> - allocations (default: ``on``).
> -
> -- ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
> - traces collection (default: ``on``).
> -
> Implementation details
> ----------------------
>
> --
> 2.25.1
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/ec9c923f35e7c5312836c4624a7f317dc1ee2c1c.1652123204.git.andreyknvl%40google.com.

2022-05-10 14:54:35

by Marco Elver

[permalink] [raw]
Subject: Re: [PATCH 1/3] kasan: update documentation

On Mon, May 09, 2022 at 09:07PM +0200, [email protected] wrote:
> From: Andrey Konovalov <[email protected]>
>
> Do assorted clean-ups and improvements to KASAN documentation, including:
>
> - Describe each mode in a dedicated paragraph.
> - Split out a Support section that describes in details which compilers,
> architectures and memory types each mode requires/supports.
> - Capitalize the first letter in the names of each KASAN mode.
>
> Signed-off-by: Andrey Konovalov <[email protected]>

Reviewed-by: Marco Elver <[email protected]>

But see comment below.

> ---
> Documentation/dev-tools/kasan.rst | 143 ++++++++++++++++++------------
> 1 file changed, 87 insertions(+), 56 deletions(-)
>
> diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst
> index 7614a1fc30fa..aca219ed1198 100644
> --- a/Documentation/dev-tools/kasan.rst
> +++ b/Documentation/dev-tools/kasan.rst
> @@ -4,39 +4,76 @@ The Kernel Address Sanitizer (KASAN)
> Overview
> --------
>
> -KernelAddressSANitizer (KASAN) is a dynamic memory safety error detector
> -designed to find out-of-bound and use-after-free bugs. KASAN has three modes:
> +Kernel Address Sanitizer (KASAN) is a dynamic memory safety error detector
> +designed to find out-of-bounds and use-after-free bugs.
>
> -1. generic KASAN (similar to userspace ASan),
> -2. software tag-based KASAN (similar to userspace HWASan),
> -3. hardware tag-based KASAN (based on hardware memory tagging).
> +KASAN has three modes:
>
> -Generic KASAN is mainly used for debugging due to a large memory overhead.
> -Software tag-based KASAN can be used for dogfood testing as it has a lower
> -memory overhead that allows using it with real workloads. Hardware tag-based
> -KASAN comes with low memory and performance overheads and, therefore, can be
> -used in production. Either as an in-field memory bug detector or as a security
> -mitigation.
> +1. Generic KASAN
> +2. Software Tag-Based KASAN
> +3. Hardware Tag-Based KASAN
>
> -Software KASAN modes (#1 and #2) use compile-time instrumentation to insert
> -validity checks before every memory access and, therefore, require a compiler
> -version that supports that.
> +Generic KASAN, enabled with CONFIG_KASAN_GENERIC, is the mode intended for
> +debugging, similar to userspace ASan. This mode is supported on many CPU
> +architectures, but it has significant performance and memory overheads.
>
> -Generic KASAN is supported in GCC and Clang. With GCC, it requires version
> -8.3.0 or later. Any supported Clang version is compatible, but detection of
> -out-of-bounds accesses for global variables is only supported since Clang 11.
> +Software Tag-Based KASAN or SW_TAGS KASAN, enabled with CONFIG_KASAN_SW_TAGS,
> +can be used for both debugging and dogfood testing, similar to userspace HWASan.
> +This mode is only supported for arm64, but its moderate memory overhead allows
> +using it for testing on memory-restricted devices with real workloads.
>
> -Software tag-based KASAN mode is only supported in Clang.
> +Hardware Tag-Based KASAN or HW_TAGS KASAN, enabled with CONFIG_KASAN_HW_TAGS,
> +is the mode intended to be used as an in-field memory bug detector or as a
> +security mitigation. This mode only works on arm64 CPUs that support MTE
> +(Memory Tagging Extension), but it has low memory and performance overheads and
> +thus can be used in production.
>
> -The hardware KASAN mode (#3) relies on hardware to perform the checks but
> -still requires a compiler version that supports memory tagging instructions.
> -This mode is supported in GCC 10+ and Clang 12+.
> +For details about the memory and performance impact of each KASAN mode, see the
> +descriptions of the corresponding Kconfig options.
>
> -Both software KASAN modes work with SLUB and SLAB memory allocators,
> -while the hardware tag-based KASAN currently only supports SLUB.
> +The Generic and the Software Tag-Based modes are commonly referred to as the
> +software modes. The Software Tag-Based and the Hardware Tag-Based modes are
> +referred to as the tag-based modes.
>
> -Currently, generic KASAN is supported for the x86_64, arm, arm64, xtensa, s390,
> -and riscv architectures, and tag-based KASAN modes are supported only for arm64.
> +Support
> +-------
> +
> +Architectures
> +~~~~~~~~~~~~~
> +
> +Generic KASAN is supported on x86_64, arm, arm64, powerpc, riscv, s390, and
> +xtensa, and the tag-based KASAN modes are supported only on arm64.
> +
> +Compilers
> +~~~~~~~~~
> +
> +Software KASAN modes use compile-time instrumentation to insert validity checks
> +before every memory access and thus require a compiler version that provides
> +support for that. The Hardware Tag-Based mode relies on hardware to perform
> +these checks but still requires a compiler version that supports the memory
> +tagging instructions.
> +
> +Generic KASAN requires GCC version 8.3.0 or later
> +or any Clang version supported by the kernel.
> +
> +Software Tag-Based KASAN requires GCC 11+
> +or any Clang version supported by the kernel.
> +
> +Hardware Tag-Based KASAN requires GCC 10+ or Clang 12+.
> +
> +Memory types
> +~~~~~~~~~~~~
> +
> +Generic KASAN supports finding bugs in all of slab, page_alloc, vmap, vmalloc,
> +stack, and global memory.
> +
> +Software Tag-Based KASAN supports slab, page_alloc, vmalloc, and stack memory.
> +
> +Hardware Tag-Based KASAN supports slab, page_alloc, and non-executable vmalloc
> +memory.
> +
> +For slab, both software KASAN modes support SLUB and SLAB allocators, while
> +Hardware Tag-Based KASAN only supports SLUB.
>
> Usage
> -----
> @@ -45,13 +82,13 @@ To enable KASAN, configure the kernel with::
>
> CONFIG_KASAN=y
>
> -and choose between ``CONFIG_KASAN_GENERIC`` (to enable generic KASAN),
> -``CONFIG_KASAN_SW_TAGS`` (to enable software tag-based KASAN), and
> -``CONFIG_KASAN_HW_TAGS`` (to enable hardware tag-based KASAN).
> +and choose between ``CONFIG_KASAN_GENERIC`` (to enable Generic KASAN),
> +``CONFIG_KASAN_SW_TAGS`` (to enable Software Tag-Based KASAN), and
> +``CONFIG_KASAN_HW_TAGS`` (to enable Hardware Tag-Based KASAN).
>
> -For software modes, also choose between ``CONFIG_KASAN_OUTLINE`` and
> +For the software modes, also choose between ``CONFIG_KASAN_OUTLINE`` and
> ``CONFIG_KASAN_INLINE``. Outline and inline are compiler instrumentation types.
> -The former produces a smaller binary while the latter is 1.1-2 times faster.
> +The former produces a smaller binary while the latter is up to 2 times faster.
>
> To include alloc and free stack traces of affected slab objects into reports,
> enable ``CONFIG_STACKTRACE``. To include alloc and free stack traces of affected
> @@ -146,7 +183,7 @@ is either 8 or 16 aligned bytes depending on KASAN mode. Each number in the
> memory state section of the report shows the state of one of the memory
> granules that surround the accessed address.
>
> -For generic KASAN, the size of each memory granule is 8. The state of each
> +For Generic KASAN, the size of each memory granule is 8. The state of each
> granule is encoded in one shadow byte. Those 8 bytes can be accessible,
> partially accessible, freed, or be a part of a redzone. KASAN uses the following
> encoding for each shadow byte: 00 means that all 8 bytes of the corresponding
> @@ -181,14 +218,14 @@ By default, KASAN prints a bug report only for the first invalid memory access.
> With ``kasan_multi_shot``, KASAN prints a report on every invalid access. This
> effectively disables ``panic_on_warn`` for KASAN reports.
>
> -Alternatively, independent of ``panic_on_warn`` the ``kasan.fault=`` boot
> +Alternatively, independent of ``panic_on_warn``, the ``kasan.fault=`` boot
> parameter can be used to control panic and reporting behaviour:
>
> - ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN
> report or also panic the kernel (default: ``report``). The panic happens even
> if ``kasan_multi_shot`` is enabled.
>
> -Hardware tag-based KASAN mode (see the section about various modes below) is
> +Hardware Tag-Based KASAN mode (see the section about various modes below) is
> intended for use in production as a security mitigation. Therefore, it supports
> additional boot parameters that allow disabling KASAN or controlling features:
>
> @@ -250,49 +287,46 @@ outline-instrumented kernel.
> Generic KASAN is the only mode that delays the reuse of freed objects via
> quarantine (see mm/kasan/quarantine.c for implementation).
>
> -Software tag-based KASAN
> +Software Tag-Based KASAN
> ~~~~~~~~~~~~~~~~~~~~~~~~
>
> -Software tag-based KASAN uses a software memory tagging approach to checking
> +Software Tag-Based KASAN uses a software memory tagging approach to checking
> access validity. It is currently only implemented for the arm64 architecture.
>
> -Software tag-based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
> +Software Tag-Based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
> to store a pointer tag in the top byte of kernel pointers. It uses shadow memory
> to store memory tags associated with each 16-byte memory cell (therefore, it
> dedicates 1/16th of the kernel memory for shadow memory).
>
> -On each memory allocation, software tag-based KASAN generates a random tag, tags
> +On each memory allocation, Software Tag-Based KASAN generates a random tag, tags
> the allocated memory with this tag, and embeds the same tag into the returned
> pointer.
>
> -Software tag-based KASAN uses compile-time instrumentation to insert checks
> +Software Tag-Based KASAN uses compile-time instrumentation to insert checks
> before each memory access. These checks make sure that the tag of the memory
> that is being accessed is equal to the tag of the pointer that is used to access
> -this memory. In case of a tag mismatch, software tag-based KASAN prints a bug
> +this memory. In case of a tag mismatch, Software Tag-Based KASAN prints a bug
> report.
>
> -Software tag-based KASAN also has two instrumentation modes (outline, which
> +Software Tag-Based KASAN also has two instrumentation modes (outline, which
> emits callbacks to check memory accesses; and inline, which performs the shadow
> memory checks inline). With outline instrumentation mode, a bug report is
> printed from the function that performs the access check. With inline
> instrumentation, a ``brk`` instruction is emitted by the compiler, and a
> dedicated ``brk`` handler is used to print bug reports.
>
> -Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
> +Software Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
> pointers with the 0xFF pointer tag are not checked). The value 0xFE is currently
> reserved to tag freed memory regions.
>
> -Software tag-based KASAN currently only supports tagging of slab, page_alloc,
> -and vmalloc memory.
> -
> -Hardware tag-based KASAN
> +Hardware Tag-Based KASAN
> ~~~~~~~~~~~~~~~~~~~~~~~~
>
> -Hardware tag-based KASAN is similar to the software mode in concept but uses
> +Hardware Tag-Based KASAN is similar to the software mode in concept but uses
> hardware memory tagging support instead of compiler instrumentation and
> shadow memory.
>
> -Hardware tag-based KASAN is currently only implemented for arm64 architecture
> +Hardware Tag-Based KASAN is currently only implemented for arm64 architecture
> and based on both arm64 Memory Tagging Extension (MTE) introduced in ARMv8.5
> Instruction Set Architecture and Top Byte Ignore (TBI).
>
> @@ -302,21 +336,18 @@ access, hardware makes sure that the tag of the memory that is being accessed is
> equal to the tag of the pointer that is used to access this memory. In case of a
> tag mismatch, a fault is generated, and a report is printed.
>
> -Hardware tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
> +Hardware Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
> pointers with the 0xFF pointer tag are not checked). The value 0xFE is currently
> reserved to tag freed memory regions.
>
> -Hardware tag-based KASAN currently only supports tagging of slab, page_alloc,
> -and VM_ALLOC-based vmalloc memory.
> -
> -If the hardware does not support MTE (pre ARMv8.5), hardware tag-based KASAN
> +If the hardware does not support MTE (pre ARMv8.5), Hardware Tag-Based KASAN
> will not be enabled. In this case, all KASAN boot parameters are ignored.
>
> Note that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being
> enabled. Even when ``kasan.mode=off`` is provided or when the hardware does not
> support MTE (but supports TBI).
>
> -Hardware tag-based KASAN only reports the first found bug. After that, MTE tag
> +Hardware Tag-Based KASAN only reports the first found bug. After that, MTE tag
> checking gets disabled.
>
> Shadow memory
> @@ -414,15 +445,15 @@ generic ``noinstr`` one.
> Note that disabling compiler instrumentation (either on a per-file or a
> per-function basis) makes KASAN ignore the accesses that happen directly in
> that code for software KASAN modes. It does not help when the accesses happen
> -indirectly (through calls to instrumented functions) or with the hardware
> -tag-based mode that does not use compiler instrumentation.
> +indirectly (through calls to instrumented functions) or with Hardware
> +Tag-Based KASAN, which does not use compiler instrumentation.
>
> For software KASAN modes, to disable KASAN reports in a part of the kernel code
> for the current task, annotate this part of the code with a
> ``kasan_disable_current()``/``kasan_enable_current()`` section. This also
> disables the reports for indirect accesses that happen through function calls.
>
> -For tag-based KASAN modes (include the hardware one), to disable access
> +For tag-based KASAN modes (include the Hardware one), to disable access

The changes related to capitalization appear weird here. At least in
this case, it starts with "tag-based" (lower case) and then in braces
".. the Hardware one". This does not look like correct English.

The "hardware" here is not part of a name, so no need for
capitalization. And "tag-based" can also stay lower case, since it is
not part of a name either, but an adjective to "KASAN".

Or you rewrite the sentence.

> checking, use ``kasan_reset_tag()`` or ``page_kasan_tag_reset()``. Note that
> temporarily disabling access checking via ``page_kasan_tag_reset()`` requires
> saving and restoring the per-page KASAN tag via
> --
> 2.25.1
>

2022-05-10 19:38:39

by Andrey Konovalov

[permalink] [raw]
Subject: Re: [PATCH 1/3] kasan: update documentation

On Tue, May 10, 2022 at 2:06 PM Marco Elver <[email protected]> wrote:
>
> > -For tag-based KASAN modes (include the hardware one), to disable access
> > +For tag-based KASAN modes (include the Hardware one), to disable access
>
> The changes related to capitalization appear weird here. At least in
> this case, it starts with "tag-based" (lower case) and then in braces
> ".. the Hardware one". This does not look like correct English.
>
> The "hardware" here is not part of a name, so no need for
> capitalization. And "tag-based" can also stay lower case, since it is
> not part of a name either, but an adjective to "KASAN".
>
> Or you rewrite the sentence.

Yeah, I agree that this looks weird. I'll just drop the part in
parentheses in v2. Thanks!

2022-05-10 19:46:52

by Andrey Konovalov

[permalink] [raw]
Subject: Re: [PATCH 3/3] kasan: clean-up kconfig options descriptions

On Tue, May 10, 2022 at 1:57 PM Marco Elver <[email protected]> wrote:
>
> > - Currently CONFIG_KASAN_GENERIC doesn't work with CONFIG_DEBUG_SLAB
> > - (the resulting kernel does not boot).
> > + (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)
>
> Why aren't they made mutually exclusive via Kconfig constraints? Does it
> work these days?
>
> Either KASAN_GENERIC and KASAN_SW_TAGS do "depends on !DEBUG_SLAB ||
> COMPILE_TEST", or DEBUG_SLAB does "depends on !(KASAN_GENERIC || KASAN_SW_TAGS) || COMPILE_TEST".
>
> I feel DEBUG_SLAB might not be used very much these days, so perhaps
> DEBUG_SLAB should add the constraint, also given KASAN is the better
> debugging aid.

They are made exclusive: it's the KASAN option that depends on
!DEBUG_SLAB. And KASAN_HW_TAGS doesn't have this note, as it doesn't
work with SLAB at all at the moment. Moving the constraint to
DEBUG_SLAB might make sense, but let's keep this patchset as a
non-functional change. Thanks!

2022-05-10 20:58:41

by Marco Elver

[permalink] [raw]
Subject: Re: [PATCH 3/3] kasan: clean-up kconfig options descriptions

On Mon, May 09, 2022 at 09:07PM +0200, [email protected] wrote:
> From: Andrey Konovalov <[email protected]>
>
> Various readability clean-ups of KASAN Kconfig options.
>
> No functional changes.
>
> Signed-off-by: Andrey Konovalov <[email protected]>

Reviewed-by: Marco Elver <[email protected]>

But see further (not in this patch) suggestion for improvement below.

> ---
> lib/Kconfig.kasan | 168 ++++++++++++++++++++++------------------------
> 1 file changed, 82 insertions(+), 86 deletions(-)
>
> diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
> index 1f3e620188a2..f0973da583e0 100644
> --- a/lib/Kconfig.kasan
> +++ b/lib/Kconfig.kasan
> @@ -1,4 +1,5 @@
> # SPDX-License-Identifier: GPL-2.0-only
> +
> # This config refers to the generic KASAN mode.
> config HAVE_ARCH_KASAN
> bool
> @@ -15,9 +16,8 @@ config HAVE_ARCH_KASAN_VMALLOC
> config ARCH_DISABLE_KASAN_INLINE
> bool
> help
> - An architecture might not support inline instrumentation.
> - When this option is selected, inline and stack instrumentation are
> - disabled.
> + Disables both inline and stack instrumentation. Selected by
> + architectures that do not support these instrumentation types.
>
> config CC_HAS_KASAN_GENERIC
> def_bool $(cc-option, -fsanitize=kernel-address)
> @@ -26,13 +26,13 @@ config CC_HAS_KASAN_SW_TAGS
> def_bool $(cc-option, -fsanitize=kernel-hwaddress)
>
> # This option is only required for software KASAN modes.
> -# Old GCC versions don't have proper support for no_sanitize_address.
> +# Old GCC versions do not have proper support for no_sanitize_address.
> # See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89124 for details.
> config CC_HAS_WORKING_NOSANITIZE_ADDRESS
> def_bool !CC_IS_GCC || GCC_VERSION >= 80300
>
> menuconfig KASAN
> - bool "KASAN: runtime memory debugger"
> + bool "KASAN: dynamic memory safety error detector"
> depends on (((HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC) || \
> (HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS)) && \
> CC_HAS_WORKING_NOSANITIZE_ADDRESS) || \
> @@ -40,10 +40,13 @@ menuconfig KASAN
> depends on (SLUB && SYSFS) || (SLAB && !DEBUG_SLAB)
> select STACKDEPOT_ALWAYS_INIT
> help
> - Enables KASAN (KernelAddressSANitizer) - runtime memory debugger,
> - designed to find out-of-bounds accesses and use-after-free bugs.
> + Enables KASAN (Kernel Address Sanitizer) - a dynamic memory safety
> + error detector designed to find out-of-bounds and use-after-free bugs.
> +
> See Documentation/dev-tools/kasan.rst for details.
>
> + For better error reports, also enable CONFIG_STACKTRACE.
> +
> if KASAN
>
> choice
> @@ -51,75 +54,71 @@ choice
> default KASAN_GENERIC
> help
> KASAN has three modes:
> - 1. generic KASAN (similar to userspace ASan,
> - x86_64/arm64/xtensa, enabled with CONFIG_KASAN_GENERIC),
> - 2. software tag-based KASAN (arm64 only, based on software
> - memory tagging (similar to userspace HWASan), enabled with
> - CONFIG_KASAN_SW_TAGS), and
> - 3. hardware tag-based KASAN (arm64 only, based on hardware
> - memory tagging, enabled with CONFIG_KASAN_HW_TAGS).
>
> - All KASAN modes are strictly debugging features.
> + 1. Generic KASAN (supported by many architectures, enabled with
> + CONFIG_KASAN_GENERIC, similar to userspace ASan),
> + 2. Software Tag-Based KASAN (arm64 only, based on software memory
> + tagging, enabled with CONFIG_KASAN_SW_TAGS, similar to userspace
> + HWASan), and
> + 3. Hardware Tag-Based KASAN (arm64 only, based on hardware memory
> + tagging, enabled with CONFIG_KASAN_HW_TAGS).
>
> - For better error reports enable CONFIG_STACKTRACE.
> + See Documentation/dev-tools/kasan.rst for details about each mode.
>
> config KASAN_GENERIC
> - bool "Generic mode"
> + bool "Generic KASAN"
> depends on HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC
> depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
> select SLUB_DEBUG if SLUB
> select CONSTRUCTORS
> help
> - Enables generic KASAN mode.
> + Enables Generic KASAN.
>
> - This mode is supported in both GCC and Clang. With GCC it requires
> - version 8.3.0 or later. Any supported Clang version is compatible,
> - but detection of out-of-bounds accesses for global variables is
> - supported only since Clang 11.
> + Requires GCC 8.3.0+ or Clang.
>
> - This mode consumes about 1/8th of available memory at kernel start
> - and introduces an overhead of ~x1.5 for the rest of the allocations.
> + Consumes about 1/8th of available memory at kernel start and adds an
> + overhead of ~50% for dynamic allocations.
> The performance slowdown is ~x3.
>
> - Currently CONFIG_KASAN_GENERIC doesn't work with CONFIG_DEBUG_SLAB
> - (the resulting kernel does not boot).
> + (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)

Why aren't they made mutually exclusive via Kconfig constraints? Does it
work these days?

Either KASAN_GENERIC and KASAN_SW_TAGS do "depends on !DEBUG_SLAB ||
COMPILE_TEST", or DEBUG_SLAB does "depends on !(KASAN_GENERIC || KASAN_SW_TAGS) || COMPILE_TEST".

I feel DEBUG_SLAB might not be used very much these days, so perhaps
DEBUG_SLAB should add the constraint, also given KASAN is the better
debugging aid.

> config KASAN_SW_TAGS
> - bool "Software tag-based mode"
> + bool "Software Tag-Based KASAN"
> depends on HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS
> depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
> select SLUB_DEBUG if SLUB
> select CONSTRUCTORS
> help
> - Enables software tag-based KASAN mode.
> + Enables Software Tag-Based KASAN.
>
> - This mode require software memory tagging support in the form of
> - HWASan-like compiler instrumentation.
> + Requires GCC 11+ or Clang.
>
> - Currently this mode is only implemented for arm64 CPUs and relies on
> - Top Byte Ignore. This mode requires Clang.
> + Supported only on arm64 CPUs and relies on Top Byte Ignore.
>
> - This mode consumes about 1/16th of available memory at kernel start
> - and introduces an overhead of ~20% for the rest of the allocations.
> - This mode may potentially introduce problems relating to pointer
> - casting and comparison, as it embeds tags into the top byte of each
> - pointer.
> + Consumes about 1/16th of available memory at kernel start and
> + add an overhead of ~20% for dynamic allocations.
>
> - Currently CONFIG_KASAN_SW_TAGS doesn't work with CONFIG_DEBUG_SLAB
> - (the resulting kernel does not boot).
> + May potentially introduce problems related to pointer casting and
> + comparison, as it embeds a tag into the top byte of each pointer.
> +
> + (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)
>
> config KASAN_HW_TAGS
> - bool "Hardware tag-based mode"
> + bool "Hardware Tag-Based KASAN"
> depends on HAVE_ARCH_KASAN_HW_TAGS
> depends on SLUB
> help
> - Enables hardware tag-based KASAN mode.
> + Enables Hardware Tag-Based KASAN.
> +
> + Requires GCC 10+ or Clang 12+.
>
> - This mode requires hardware memory tagging support, and can be used
> - by any architecture that provides it.
> + Supported only on arm64 CPUs starting from ARMv8.5 and relies on
> + Memory Tagging Extension and Top Byte Ignore.
>
> - Currently this mode is only implemented for arm64 CPUs starting from
> - ARMv8.5 and relies on Memory Tagging Extension and Top Byte Ignore.
> + Consumes about 1/32nd of available memory.
> +
> + May potentially introduce problems related to pointer casting and
> + comparison, as it embeds a tag into the top byte of each pointer.
>
> endchoice
>
> @@ -131,83 +130,80 @@ choice
> config KASAN_OUTLINE
> bool "Outline instrumentation"
> help
> - Before every memory access compiler insert function call
> - __asan_load*/__asan_store*. These functions performs check
> - of shadow memory. This is slower than inline instrumentation,
> - however it doesn't bloat size of kernel's .text section so
> - much as inline does.
> + Makes the compiler insert function calls that check whether the memory
> + is accessible before each memory access. Slower than KASAN_INLINE, but
> + does not bloat the size of the kernel's .text section so much.
>
> config KASAN_INLINE
> bool "Inline instrumentation"
> depends on !ARCH_DISABLE_KASAN_INLINE
> help
> - Compiler directly inserts code checking shadow memory before
> - memory accesses. This is faster than outline (in some workloads
> - it gives about x2 boost over outline instrumentation), but
> - make kernel's .text size much bigger.
> + Makes the compiler directly insert memory accessibility checks before
> + each memory access. Faster than KASAN_OUTLINE (gives ~x2 boost for
> + some workloads), but makes the kernel's .text size much bigger.
>
> endchoice
>
> config KASAN_STACK
> - bool "Enable stack instrumentation (unsafe)" if CC_IS_CLANG && !COMPILE_TEST
> + bool "Stack instrumentation (unsafe)" if CC_IS_CLANG && !COMPILE_TEST
> depends on KASAN_GENERIC || KASAN_SW_TAGS
> depends on !ARCH_DISABLE_KASAN_INLINE
> default y if CC_IS_GCC
> help
> - The LLVM stack address sanitizer has a know problem that
> - causes excessive stack usage in a lot of functions, see
> - https://bugs.llvm.org/show_bug.cgi?id=38809
> - Disabling asan-stack makes it safe to run kernels build
> - with clang-8 with KASAN enabled, though it loses some of
> - the functionality.
> - This feature is always disabled when compile-testing with clang
> - to avoid cluttering the output in stack overflow warnings,
> - but clang users can still enable it for builds without
> - CONFIG_COMPILE_TEST. On gcc it is assumed to always be safe
> - to use and enabled by default.
> - If the architecture disables inline instrumentation, stack
> - instrumentation is also disabled as it adds inline-style
> - instrumentation that is run unconditionally.
> + Disables stack instrumentation and thus KASAN's ability to detect
> + out-of-bounds bugs in stack variables.
> +
> + With Clang, stack instrumentation has a problem that causes excessive
> + stack usage, see https://bugs.llvm.org/show_bug.cgi?id=38809. Thus,
> + with Clang, this option is deemed unsafe.
> +
> + This option is always disabled when compile-testing with Clang to
> + avoid cluttering the log with stack overflow warnings.
> +
> + With GCC, enabling stack instrumentation is assumed to be safe.
> +
> + If the architecture disables inline instrumentation via
> + ARCH_DISABLE_KASAN_INLINE, stack instrumentation gets disabled
> + as well, as it adds inline-style instrumentation that is run
> + unconditionally.
>
> config KASAN_TAGS_IDENTIFY
> - bool "Enable memory corruption identification"
> + bool "Memory corruption type identification"
> depends on KASAN_SW_TAGS || KASAN_HW_TAGS
> help
> - This option enables best-effort identification of bug type
> - (use-after-free or out-of-bounds) at the cost of increased
> - memory consumption.
> + Enables best-effort identification of the bug types (use-after-free
> + or out-of-bounds) at the cost of increased memory consumption.
> + Only applicable for the tag-based KASAN modes.
>
> config KASAN_VMALLOC
> bool "Check accesses to vmalloc allocations"
> depends on HAVE_ARCH_KASAN_VMALLOC
> help
> - This mode makes KASAN check accesses to vmalloc allocations for
> - validity.
> + Makes KASAN check the validity of accesses to vmalloc allocations.
>
> - With software KASAN modes, checking is done for all types of vmalloc
> - allocations. Enabling this option leads to higher memory usage.
> + With software KASAN modes, all types vmalloc allocations are
> + checked. Enabling this option leads to higher memory usage.
>
> - With hardware tag-based KASAN, only VM_ALLOC mappings are checked.
> - There is no additional memory usage.
> + With Hardware Tag-Based KASAN, only non-executable VM_ALLOC mappings
> + are checked. There is no additional memory usage.
>
> config KASAN_KUNIT_TEST
> tristate "KUnit-compatible tests of KASAN bug detection capabilities" if !KUNIT_ALL_TESTS
> depends on KASAN && KUNIT
> default KUNIT_ALL_TESTS
> help
> - This is a KUnit test suite doing various nasty things like
> - out of bounds and use after free accesses. It is useful for testing
> - kernel debugging features like KASAN.
> + A KUnit-based KASAN test suite. Triggers different kinds of
> + out-of-bounds and use-after-free accesses. Useful for testing whether
> + KASAN can detect certain bug types.
>
> For more information on KUnit and unit tests in general, please refer
> - to the KUnit documentation in Documentation/dev-tools/kunit.
> + to the KUnit documentation in Documentation/dev-tools/kunit/.
>
> config KASAN_MODULE_TEST
> tristate "KUnit-incompatible tests of KASAN bug detection capabilities"
> depends on m && KASAN && !KASAN_HW_TAGS
> help
> - This is a part of the KASAN test suite that is incompatible with
> - KUnit. Currently includes tests that do bad copy_from/to_user
> - accesses.
> + A part of the KASAN test suite that is not integrated with KUnit.
> + Incompatible with Hardware Tag-Based KASAN.
>
> endif # KASAN
> --
> 2.25.1
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/47afaecec29221347bee49f58c258ac1ced3b429.1652123204.git.andreyknvl%40google.com.