From patchwork Tue May 26 13:35:03 2015
X-Patchwork-Submitter: Linus Walleij
X-Patchwork-Id: 48988
In-Reply-To: <1431698344-28054-6-git-send-email-a.ryabinin@samsung.com>
References: <1431698344-28054-1-git-send-email-a.ryabinin@samsung.com> <1431698344-28054-6-git-send-email-a.ryabinin@samsung.com>
Date: Tue, 26 May 2015 15:35:03 +0200
Subject: Re: [PATCH v2 5/5] arm64: add KASan support
From: Linus Walleij
To: Andrey Ryabinin
Cc: "linux-kernel@vger.kernel.org", Dmitry Vyukov, Alexander Potapenko, David Keitel, Arnd Bergmann, Andrew Morton, Catalin Marinas, Will Deacon, "linux-arm-kernel@lists.infradead.org", linux-mm@kvack.org

On Fri, May 15, 2015 at 3:59 PM, Andrey Ryabinin wrote:
> This patch adds arch specific code for kernel address sanitizer
> (see Documentation/kasan.txt).

I'm trying to test this on the Juno hardware (39 VA bits). I get this at boot:

Virtual kernel memory layout:
    kasan   : 0xffffff8000000000 - 0xffffff9000000000 ( 64 MB)
    vmalloc : 0xffffff9000000000 - 0xffffffbdbfff0000 ( 182 GB)

Nice, kasan is shadowing vmem perfectly. Also shadowing itself it appears,
well whatever.

I enable CONFIG_KASAN, CONFIG_KASAN_OUTLINE, CONFIG_STACKTRACE,
CONFIG_SLUB_DEBUG_ON, and CONFIG_TEST_KASAN.
I patch the test like this because I'm not using any loadable modules:

And then at boot I just get this:

kasan test: kmalloc_oob_right out-of-bounds to right
kasan test: kmalloc_oob_left out-of-bounds to left
kasan test: kmalloc_node_oob_right kmalloc_node(): out-of-bounds to right
kasan test: kmalloc_large_oob_rigth kmalloc large allocation: out-of-bounds to right
kasan test: kmalloc_oob_krealloc_more out-of-bounds after krealloc more
kasan test: kmalloc_oob_krealloc_less out-of-bounds after krealloc less
kasan test: kmalloc_oob_16 kmalloc out-of-bounds for 16-bytes access
kasan test: kmalloc_oob_in_memset out-of-bounds in memset
kasan test: kmalloc_uaf use-after-free
kasan test: kmalloc_uaf_memset use-after-free in memset
kasan test: kmalloc_uaf2 use-after-free after another kmalloc
kasan test: kmem_cache_oob out-of-bounds in kmem_cache_alloc
kasan test: kasan_stack_oob out-of-bounds on stack
kasan test: kasan_global_oob out-of-bounds global variable

W00t no nice KASan warnings (which is what I expect).

This is my compiler by the way:

$ arm-linux-gnueabihf-gcc --version
arm-linux-gnueabihf-gcc (crosstool-NG linaro-1.13.1-4.9-2014.09 - Linaro GCC 4.9-2014.09) 4.9.2 20140904 (prerelease)

I did the same exercise on the foundation model (FVP) and I guess that is
what you developed the patch set on because there I got nice KASan dumps:

Virtual kernel memory layout:
    kasan   : 0xffffff8000000000 - 0xffffff9000000000 ( 64 MB)
    vmalloc : 0xffffff9000000000 - 0xffffffbdbfff0000 ( 182 GB)
(...)
kasan test: kmalloc_oob_right out-of-bounds to right
kasan test: kmalloc_oob_left out-of-bounds to left
kasan test: kmalloc_node_oob_right kmalloc_node(): out-of-bounds to right
=============================================================================
BUG kmalloc-4096 (Tainted: G S ): Redzone overwritten
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: 0xffffffc0676bc480-0xffffffc0676bc480. First byte 0x0 instead of 0xcc
INFO: Allocated in kmalloc_node_oob_right+0x40/0x8c age=0 cpu=1 pid=1
    alloc_debug_processing+0x170/0x17c
    __slab_alloc.isra.59.constprop.61+0x354/0x374
    kmem_cache_alloc+0x1a4/0x1e0
    kmalloc_node_oob_right+0x3c/0x8c
    kmalloc_tests_init+0x10/0x4c
    do_one_initcall+0x88/0x1a0
    kernel_init_freeable+0x16c/0x210
    kernel_init+0xc/0xd8
    ret_from_fork+0xc/0x50
INFO: Freed in cleanup_uevent_env+0x10/0x18 age=0 cpu=3 pid=724
    free_debug_processing+0x214/0x30c
    __slab_free+0x2b0/0x3f8
    kfree+0x1a4/0x1dc
    cleanup_uevent_env+0xc/0x18
    call_usermodehelper_freeinfo+0x18/0x30
    umh_complete+0x34/0x40
    ____call_usermodehelper+0x170/0x18c
    ret_from_fork+0xc/0x50
INFO: Slab 0xffffffbdc39dae00 objects=7 used=1 fp=0xffffffc0676b9180 flags=0x4081
INFO: Object 0xffffffc0676bb480 @offset=13440 fp=0xffffffc0676b8000

Bytes b4 ffffffc0676bb470: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Object ffffffc0676bb480: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffffffc0676bb490: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffffffc0676bb4a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffffffc0676bb4b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
(...)
kasan test: kmalloc_large_oob_rigth kmalloc large allocation: out-of-bounds to right
kasan test: kmalloc_oob_krealloc_more out-of-bounds after krealloc more
kasan test: kmalloc_oob_krealloc_less out-of-bounds after krealloc less
kasan test: kmalloc_oob_16 kmalloc out-of-bounds for 16-bytes access
kasan test: kmalloc_oob_in_memset out-of-bounds in memset
kasan test: kmalloc_uaf use-after-free
kasan test: kmalloc_uaf_memset use-after-free in memset
=============================================================================
BUG kmalloc-64 (Tainted: G S B ): Poison overwritten
-----------------------------------------------------------------------------

INFO: 0xffffffc0666e3c08-0xffffffc0666e3c08. First byte 0x78 instead of 0x6b
INFO: Allocated in kmalloc_uaf+0x40/0x8c age=0 cpu=1 pid=1
    alloc_debug_processing+0x170/0x17c
    __slab_alloc.isra.59.constprop.61+0x354/0x374
    kmem_cache_alloc+0x1a4/0x1e0
    kmalloc_uaf+0x3c/0x8c
    kmalloc_tests_init+0x28/0x4c
    do_one_initcall+0x88/0x1a0
    kernel_init_freeable+0x16c/0x210
    kernel_init+0xc/0xd8
    ret_from_fork+0xc/0x50
INFO: Freed in kmalloc_uaf+0x74/0x8c age=0 cpu=1 pid=1
    free_debug_processing+0x214/0x30c
    __slab_free+0x2b0/0x3f8
    kfree+0x1a4/0x1dc
    kmalloc_uaf+0x70/0x8c
    kmalloc_tests_init+0x28/0x4c
    do_one_initcall+0x88/0x1a0
    kernel_init_freeable+0x16c/0x210
    kernel_init+0xc/0xd8
    ret_from_fork+0xc/0x50
INFO: Slab 0xffffffbdc399b880 objects=18 used=18 fp=0x (null) flags=0x4080
INFO: Object 0xffffffc0666e3c00 @offset=7168 fp=0xffffffc0666e3a40

Bytes b4 ffffffc0666e3bf0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Object ffffffc0666e3c00: 6b 6b 6b 6b 6b 6b 6b 6b 78 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkxkkkkkkk
Object ffffffc0666e3c10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffffffc0666e3c20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffffffc0666e3c30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
Redzone ffffffc0666e3c40: bb bb bb bb bb bb bb bb                          ........
Padding ffffffc0666e3d80: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding ffffffc0666e3d90: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding ffffffc0666e3da0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding ffffffc0666e3db0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
(...)

So it works nicely on emulated hardware it seems. I wonder where the problem
lies, any hints where to start looking to fix this?
Yours,
Linus Walleij

diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 39f24d6721e5..b3353dbe5f58 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -45,7 +45,7 @@ endchoice config TEST_KASAN tristate "Module for testing kasan for bug detection" - depends on m && KASAN + depends on KASAN help This is a test module doing various nasty things like out of bounds accesses, use after free. It is useful for testing diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 098c08eddfab..fb54486eacd6 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -273,5 +273,5 @@ static int __init kmalloc_tests_init(void) return -EAGAIN; } -module_init(kmalloc_tests_init); +late_initcall(kmalloc_tests_init); MODULE_LICENSE("GPL");
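Review bot: in the lib/Kconfig.kasan hunk, dropping `m` from `depends on m && KASAN` makes TEST_KASAN selectable as built-in, but the prompt `tristate "Module for testing kasan for bug detection"` and the help text ("This is a test module doing various nasty things ...") still describe it as a module; reword the prompt (for example `tristate "Test kasan for bug detection"`) and add a sentence to the help text saying that with `y` the out-of-bounds and use-after-free tests run at every boot and, as the FVP log above shows with CONFIG_SLUB_DEBUG_ON, taint the kernel.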
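Review bot: in the lib/test_kasan.c hunk, `late_initcall(kmalloc_tests_init)` keeps the `return -EAGAIN;` visible in the hunk's leading context; that return value is what makes the module unload itself after running, but for a built-in initcall a non-zero return only produces an "initcall ... returned with error code" message at boot. Return 0 when not built as a module (wrap the `-EAGAIN` in `#ifdef MODULE`, or use `IS_MODULE(CONFIG_TEST_KASAN) ? -EAGAIN : 0`). Also note that a built-in `module_init` runs at device_initcall level, so the move to `late_initcall` changes ordering relative to other built-in initcalls; the reason for that (presumably to run after the rest of the slab and debug setup) is not stated anywhere and belongs in the changelog.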
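As an added example, not code from this thread or from the kernel, the following Python model shows how KASan's shadow mapping and shadow-byte encoding produce the verdicts the test names above describe (kmalloc_oob_right, kmalloc_uaf) and why the "kasan is shadowing vmem perfectly, also shadowing itself" observation holds. The layout constants are taken from the boot log in the mail; the shadow offset is derived from them (assumed to match the arm64 port for 39 VA bits), the poison values are illustrative rather than the kernel's, and the two object addresses are reused from the SLUB dumps purely as sample inputs.

```python
# Added example (not from the mailing-list thread): a Python model of the
# KASan shadow-memory mapping and of the shadow-byte encoding that the
# kmalloc_oob_right / kmalloc_uaf tests in the log above exercise.
# Layout constants come from the boot log in the mail; the shadow offset is
# derived from that layout, and the poison values are illustrative only.

KASAN_SHADOW_SCALE_SHIFT = 3              # one shadow byte per 8-byte granule
KASAN_GRANULE = 1 << KASAN_SHADOW_SCALE_SHIFT
VA_MASK = (1 << 64) - 1

KERNEL_VA_START = 0xffffff8000000000      # lowest kernel VA with 39 VA bits
KASAN_SHADOW_START = 0xffffff8000000000   # "kasan :" line of the boot log
KASAN_SHADOW_END = 0xffffff9000000000
VMALLOC_START = 0xffffff9000000000        # "vmalloc :" line of the boot log
VMALLOC_END = 0xffffffbdbfff0000

# KASan maps address A to shadow byte (A >> 3) + KASAN_SHADOW_OFFSET.  The
# offset is whatever puts the shadow of the lowest kernel address at
# KASAN_SHADOW_START; it is derived here, not copied from the kernel
# (assumption: this matches the arm64 port for 39 VA bits).
KASAN_SHADOW_OFFSET = (KASAN_SHADOW_START
                       - (KERNEL_VA_START >> KASAN_SHADOW_SCALE_SHIFT)) & VA_MASK

KASAN_KMALLOC_REDZONE = -4                # illustrative poison values
KASAN_KMALLOC_FREE = -5


def mem_to_shadow(addr):
    """Shadow address holding the shadow byte for kernel address addr."""
    return ((addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET) & VA_MASK


def shadow_range(start, end):
    """Shadow region [s, e) covering the memory region [start, end)."""
    return mem_to_shadow(start), mem_to_shadow(end)


def shadow_fits(start, end):
    """True if the shadow of [start, end) lies inside the kasan region."""
    s, e = shadow_range(start, end)
    return KASAN_SHADOW_START <= s and e <= KASAN_SHADOW_END


class ShadowMemory:
    """Toy shadow memory: one signed byte per granule.  0 = all 8 bytes
    addressable, k in 1..7 = only the first k bytes addressable,
    negative = poisoned (redzone, freed object, ...)."""

    def __init__(self):
        self.bytes = {}                   # shadow address -> shadow value

    def unpoison(self, addr, size):
        """Mark [addr, addr+size) addressable; addr is granule aligned."""
        full, tail = divmod(size, KASAN_GRANULE)
        for i in range(full):
            self.bytes[mem_to_shadow(addr + i * KASAN_GRANULE)] = 0
        if tail:
            self.bytes[mem_to_shadow(addr + full * KASAN_GRANULE)] = tail

    def poison(self, addr, size, value):
        """Poison whole granules in [addr, addr+size) with value < 0."""
        for off in range(0, size, KASAN_GRANULE):
            self.bytes[mem_to_shadow(addr + off)] = value

    def byte_ok(self, addr):
        v = self.bytes.get(mem_to_shadow(addr), 0)
        return v == 0 or (v > 0 and (addr & (KASAN_GRANULE - 1)) < v)

    def check(self, addr, size):
        """None if the size-byte access at addr is valid, otherwise the
        first bad address (the address KASan would report)."""
        for a in range(addr, addr + size):
            if not self.byte_ok(a):
                return a
        return None


def kmalloc_model(shadow, obj, object_size, size):
    """What KASan does on kmalloc(size) from a cache of object_size-byte
    objects: the requested bytes become addressable, the rest is redzone."""
    shadow.unpoison(obj, size)
    redzone = (obj + size + KASAN_GRANULE - 1) & ~(KASAN_GRANULE - 1)
    shadow.poison(redzone, obj + object_size - redzone, KASAN_KMALLOC_REDZONE)


def kfree_model(shadow, obj, object_size):
    """What KASan does on kfree(): the whole object becomes poisoned."""
    shadow.poison(obj, object_size, KASAN_KMALLOC_FREE)


def demo_kmalloc_oob_right(size=123):
    """Model of the kmalloc_oob_right test: write one byte past the end."""
    shadow = ShadowMemory()
    obj = 0xffffffc0676bb480              # sample object address from the log
    kmalloc_model(shadow, obj, 128, size)
    return shadow.check(obj, size), shadow.check(obj + size, 1)


def demo_kmalloc_uaf(size=10):
    """Model of the kmalloc_uaf test: touch an object after kfree()."""
    shadow = ShadowMemory()
    obj = 0xffffffc0666e3c00              # sample object address from the log
    kmalloc_model(shadow, obj, 64, size)
    before = shadow.check(obj + 8, 1)
    kfree_model(shadow, obj, 64)
    return before, shadow.check(obj + 8, 1)


if __name__ == "__main__":
    print("shadow offset: %#x" % KASAN_SHADOW_OFFSET)
    print("shadow of the shadow region: %#x-%#x"
          % shadow_range(KASAN_SHADOW_START, KASAN_SHADOW_END))
    print("oob right:", demo_kmalloc_oob_right(), "uaf:", demo_kmalloc_uaf())
```

With these constants the shadow of the whole 39-bit kernel VA space is exactly the 64 GB kasan region, the shadow of the vmalloc area falls inside it, and the shadow of the kasan region itself occupies its first 8 GB, which is the "shadowing itself" seen in the layout. The two demo functions return `None` for the in-bounds access and the offending address for the out-of-bounds or use-after-free access, which is what a working KASan build reports and what the Juno run above failed to produce.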