Re: [PATCH v3 1/3] kasan: support backing vmalloc space with real shadow memory
From: Daniel Axtens
Date: Sun Aug 11 2019 - 22:53:35 EST
Mark Rutland <mark.rutland@xxxxxxx> writes:
> On Thu, Aug 08, 2019 at 06:43:25PM +0100, Mark Rutland wrote:
>> On Thu, Aug 08, 2019 at 02:50:37PM +0100, Mark Rutland wrote:
>> > Hi Daniel,
>> >
>> > This is looking really good!
>> >
>> > I spotted a few more things we need to deal with, so I've suggested some
>> > (not even compile-tested) code for that below. Mostly that's just error
>> > handling, and using helpers to avoid things getting too verbose.
>>
>> FWIW, I had a quick go at that, and I've pushed the (corrected) results
>> to my git repo, along with an initial stab at arm64 support (which is
>> currently broken):
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kasan/vmalloc
>
> I've fixed my arm64 patch now, and that appears to work in basic tests
> (example below), so I'll throw my arm64 Syzkaller instance at that today
> to shake out anything major that we've missed or that I've botched.
>
> I'm very excited to see this!
>
> Are you happy to pick up my modified patch 1 for v4?
Thanks, I'll do that.
I'll also have a crack at poisioning on free - I know I did that in an
early draft and then dropped it, so I don't think it was painful at all.
Regards,
Daniel
>
> Thanks,
> Mark.
>
> # echo STACK_GUARD_PAGE_LEADING > DIRECT
> [ 107.453162] lkdtm: Performing direct entry STACK_GUARD_PAGE_LEADING
> [ 107.454672] lkdtm: attempting bad read from page below current stack
> [ 107.456672] ==================================================================
> [ 107.457929] BUG: KASAN: vmalloc-out-of-bounds in lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.459398] Read of size 1 at addr ffff20001515ffff by task sh/214
> [ 107.460864]
> [ 107.461271] CPU: 0 PID: 214 Comm: sh Not tainted 5.3.0-rc3-00004-g84f902ca9396-dirty #7
> [ 107.463101] Hardware name: linux,dummy-virt (DT)
> [ 107.464407] Call trace:
> [ 107.464951] dump_backtrace+0x0/0x1e8
> [ 107.465781] show_stack+0x14/0x20
> [ 107.466824] dump_stack+0xbc/0xf4
> [ 107.467780] print_address_description+0x60/0x33c
> [ 107.469221] __kasan_report+0x140/0x1a0
> [ 107.470388] kasan_report+0xc/0x18
> [ 107.471439] __asan_load1+0x4c/0x58
> [ 107.472428] lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.473908] lkdtm_do_action+0x40/0x50
> [ 107.475255] direct_entry+0x128/0x1b0
> [ 107.476348] full_proxy_write+0x90/0xc8
> [ 107.477595] __vfs_write+0x54/0xa8
> [ 107.478780] vfs_write+0xd0/0x230
> [ 107.479762] ksys_write+0xc4/0x170
> [ 107.480738] __arm64_sys_write+0x40/0x50
> [ 107.481888] el0_svc_common.constprop.0+0xc0/0x1c0
> [ 107.483240] el0_svc_handler+0x34/0x88
> [ 107.484211] el0_svc+0x8/0xc
> [ 107.484996]
> [ 107.485429]
> [ 107.485895] Memory state around the buggy address:
> [ 107.487107] ffff20001515fe80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
> [ 107.489162] ffff20001515ff00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
> [ 107.491157] >ffff20001515ff80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
> [ 107.493193] ^
> [ 107.494973] ffff200015160000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 107.497103] ffff200015160080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 107.498795] ==================================================================
> [ 107.500495] Disabling lock debugging due to kernel taint
> [ 107.503212] Unable to handle kernel paging request at virtual address ffff20001515ffff
> [ 107.505177] Mem abort info:
> [ 107.505797] ESR = 0x96000007
> [ 107.506554] Exception class = DABT (current EL), IL = 32 bits
> [ 107.508031] SET = 0, FnV = 0
> [ 107.508547] EA = 0, S1PTW = 0
> [ 107.509125] Data abort info:
> [ 107.509704] ISV = 0, ISS = 0x00000007
> [ 107.510388] CM = 0, WnR = 0
> [ 107.511089] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041c65000
> [ 107.513221] [ffff20001515ffff] pgd=00000000bdfff003, pud=00000000bdffe003, pmd=00000000aa31e003, pte=0000000000000000
> [ 107.515915] Internal error: Oops: 96000007 [#1] PREEMPT SMP
> [ 107.517295] Modules linked in:
> [ 107.518074] CPU: 0 PID: 214 Comm: sh Tainted: G B 5.3.0-rc3-00004-g84f902ca9396-dirty #7
> [ 107.520755] Hardware name: linux,dummy-virt (DT)
> [ 107.522208] pstate: 60400005 (nZCv daif +PAN -UAO)
> [ 107.523670] pc : lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.525176] lr : lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.526809] sp : ffff200015167b90
> [ 107.527856] x29: ffff200015167b90 x28: ffff800002294740
> [ 107.529728] x27: 0000000000000000 x26: 0000000000000000
> [ 107.531523] x25: ffff200015167df0 x24: ffff2000116e8400
> [ 107.533234] x23: ffff200015160000 x22: dfff200000000000
> [ 107.534694] x21: ffff040002a2cf7a x20: ffff2000116e9ee0
> [ 107.536238] x19: 1fffe40002a2cf7a x18: 0000000000000000
> [ 107.537699] x17: 0000000000000000 x16: 0000000000000000
> [ 107.539288] x15: 0000000000000000 x14: 0000000000000000
> [ 107.540584] x13: 0000000000000000 x12: ffff10000d672bb9
> [ 107.541920] x11: 1ffff0000d672bb8 x10: ffff10000d672bb8
> [ 107.543438] x9 : 1ffff0000d672bb8 x8 : dfff200000000000
> [ 107.545008] x7 : ffff10000d672bb9 x6 : ffff80006b395dc0
> [ 107.546570] x5 : 0000000000000001 x4 : dfff200000000000
> [ 107.547936] x3 : ffff20001113274c x2 : 0000000000000007
> [ 107.549121] x1 : eb957a6c7b3ab400 x0 : 0000000000000000
> [ 107.550220] Call trace:
> [ 107.551017] lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.552288] lkdtm_do_action+0x40/0x50
> [ 107.553302] direct_entry+0x128/0x1b0
> [ 107.554290] full_proxy_write+0x90/0xc8
> [ 107.555332] __vfs_write+0x54/0xa8
> [ 107.556278] vfs_write+0xd0/0x230
> [ 107.557000] ksys_write+0xc4/0x170
> [ 107.557834] __arm64_sys_write+0x40/0x50
> [ 107.558980] el0_svc_common.constprop.0+0xc0/0x1c0
> [ 107.560111] el0_svc_handler+0x34/0x88
> [ 107.560936] el0_svc+0x8/0xc
> [ 107.561580] Code: 91140280 97ded9e3 d10006e0 97e4672e (385ff2e1)
> [ 107.563208] ---[ end trace 9e69aa587e1dc0cc ]---