From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04634C38142 for ; Mon, 23 Jan 2023 21:47:12 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 32DBA6B0071; Mon, 23 Jan 2023 16:47:12 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 2DE146B0072; Mon, 23 Jan 2023 16:47:12 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 1CD4C6B0074; Mon, 23 Jan 2023 16:47:12 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 0E7946B0071 for ; Mon, 23 Jan 2023 16:47:12 -0500 (EST) Received: from smtpin14.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id BAA24A0421 for ; Mon, 23 Jan 2023 21:47:11 +0000 (UTC) X-FDA: 80387399862.14.5BE7FA6 Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com [209.85.215.175]) by imf27.hostedemail.com (Postfix) with ESMTP id E14A840003 for ; Mon, 23 Jan 2023 21:47:08 +0000 (UTC) Authentication-Results: imf27.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=I7B2lxMU; spf=pass (imf27.hostedemail.com: domain of andreyknvl@gmail.com designates 209.85.215.175 as permitted sender) smtp.mailfrom=andreyknvl@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1674510428; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=bNWIhXG5Qs/cS/Kge9YI8j6hmkwjT8WYdLmFW/zVK4w=; b=lgKEIEyjvqQ2o4CGJm+MulXlWD0WnxNXJICdxknut7SR6SoExotvfWo2oLS5rB6hzOYs4e AjbiPUeeWl7DpoU1V/gV0IcmWEc3FGNo+wQsVmC/rNOwNTEI1vj/JuGYU3GCP1meliCXFC 8OkOeCA4t23D0Gh0vWA+IMw+Xd0mk0w= ARC-Authentication-Results: i=1; imf27.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=I7B2lxMU; spf=pass (imf27.hostedemail.com: domain of andreyknvl@gmail.com designates 209.85.215.175 as permitted sender) smtp.mailfrom=andreyknvl@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1674510429; a=rsa-sha256; cv=none; b=B6pupE8KU+Hh2mRWkdZ65Xc9bs75bC62/rjNKgeF5v3NzxCJJUnHgIHhupbMI/CAB/SXo3 dXUmL7/wQ9BOdd4AaybWKmoJEt7DDvJm0mp1M+9MnGjuCbDiE0R3apVAsyxQccj/OWIXQM 1YIh3UcFI9AeaXFUhZV4OjFB3wH++1o= Received: by mail-pg1-f175.google.com with SMTP id d10so10029093pgm.13 for ; Mon, 23 Jan 2023 13:47:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bNWIhXG5Qs/cS/Kge9YI8j6hmkwjT8WYdLmFW/zVK4w=; b=I7B2lxMUcvQhT40X7gb4E9g8d/+2yvoIvQPsuzDkL4AA4cW1bqp6w343ARp6DQfbwT HB3U72WxKcK+giXl0xs5676UFA9XgjB12Odip1XalFk/e5vF+mKLP4nOGNRroaNvaIR8 bQULc65y7O643vmUGcx+yKNipka0DSjwXaUKRpFQQFUEMxNB40VjNcSx4PKmzwB8DVEw 1tEQqvBnLTQR0eatpxCtHczDL+04sl34/X+XQhYhjCu+HOTafB2jcAMv4xtZ0SeBDdrK al/LEtk4+dRBBpVsUDSvLPYOYFIGdYO2xUdpySykEuAp4oqMQ8oqJUiC37vEOaowR6iR Lr1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bNWIhXG5Qs/cS/Kge9YI8j6hmkwjT8WYdLmFW/zVK4w=; b=N/vfmB+jH0fMJJp84J2UD4UZik+bHGd9LOYJQvbsEiltC+/M2lDUqVJW6Hj9Ch8FIy U426lPXbKr8k0iP9vqKOU01wJXZbQBHrki73Le4EGloU4+K7UgzhadOCsXTIaGm17B3U 6cbBbHc99QY3BmsKzkXuCCpo1emzHcQaGH6aJuqQdOeloawJibtqpWqj1jv/jiI93QZX WZ3JVwVPeyemqLWha0MFeTBj8l+19F0Y+1I6tly7zSkmnlzbXrVowI/wbiwNwQrpxLKk mWFCGD+iXr3VaSbg4rWcXd44LuQmgQFbISbHKUNuD35nzCVt1xX5WRkZ6xsUkEJd47zJ btkw== X-Gm-Message-State: AFqh2kpY2HCQRGgPjhPsRNyqFQjQ19CFzQ1LuysqNCMyJAq2JvtqoGYd GaP72iW+tVALs3ILWjjONrpGBEbHnXvaTuV2Sxw= X-Google-Smtp-Source: AMrXdXvCLUy1D+cqvlpSTKtU8PocxDNbqF6QFj2+8HllzwfzDCIJYpNZr9tmlhT2ybfJ9Z/22mQD7n4/o1qCikRXNcE= X-Received: by 2002:a05:6a00:3496:b0:576:f9e2:a968 with SMTP id cp22-20020a056a00349600b00576f9e2a968mr3320171pfb.84.1674510427720; Mon, 23 Jan 2023 13:47:07 -0800 (PST) MIME-Version: 1.0 References: <20230118093832.1945-1-Kuan-Ying.Lee@mediatek.com> In-Reply-To: <20230118093832.1945-1-Kuan-Ying.Lee@mediatek.com> From: Andrey Konovalov Date: Mon, 23 Jan 2023 22:46:56 +0100 Message-ID: Subject: Re: [PATCH v2] kasan: infer the requested size by scanning shadow memory To: Kuan-Ying Lee Cc: Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Vincenzo Frascino , Andrew Morton , Matthias Brugger , chinwen.chang@mediatek.com, qun-wei.lin@mediatek.com, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org Content-Type: text/plain; charset="UTF-8" X-Stat-Signature: cxzzopncxwctdc6erdpeoz6fnbxzbsd1 X-Rspam-User: X-Rspamd-Queue-Id: E14A840003 X-Rspamd-Server: rspam06 X-HE-Tag: 1674510428-572379 X-HE-Meta: U2FsdGVkX18sfWnHWt6biNF5QR1Q7ISBuCGlrgHyMFI1OG6XGCXFdSPL/xzPl2+N2LdfqyNeHUtq1tcxnVco4a5SoXEW7FsXu8YvN4/jG/lFKQUkfH1pwwGSpfJ14wLEFv85ysmFd0xSgLvXRp5ArtL+OSF3VMyHg1THqADywbfjMHO/k81x1N7RzQa/GPz0/QQxMMB1WwmS/4FJb/ksQzbHA7dv19O21OF0Z79EmGPwZiIO1PSpgwsp1nKSZuSe0o5oKSaDhHpG1KLmqKA7u+LSY42/DRGuoG5tAVK0gjwLAQdCUrhcFRYWU8OyLkaBu/FHfL95+23wYu5va9GEsBxT1DdQWHBqUSqNhuKcN959DCLXH54Hy94ZQfNpdZNfu0J3eeXMp5s+WhIORIPcm7IZnByGBcyFggBWkgUO2FUBW9g5qLMHX2+WGdnooe3En/MwcQh/IENqJg9wvj3YWmadWzpNzRlmUQZkWWOKvH8iL08MbXwQ/5H7ywx9HS0pMS5zfufooAb55b/rlmtXBycZ2KsouCBdGK+6eUEPp4Wd8EhfOd3BsMV3BE1gpetKzeTLxE9DvMMgaDRQGmn5mSZlYajYErBV8JNFDuwQ6nch/5PUQlBiShf+1Yep/jllsSbsjqbXQKxPtNaOEriizh/BzHIKwZgXj8KIFJug5TFOFd8KSQR/U6mn+6Ja+Zz1FC8yTUqaV7JepiYLEJVPNWGxQfP/tmxgwO57UjUlMOv2F/G7x9YyVSttsCXeumYvXwwfEYsHDoxUM+uBkFb2zE5iahQilFs0dz7TCQf13KeBGBV9vhv6hAkBvgDqf4aIBw6YMGJfgNFHraGhIbSEptN2BxyB1wzJ/DJrSdBkcN2hFl9G7GFBNqpo9r/6DGB/OZsRzwgQk6Dtx2qz90o41YsitqZ13oDCalFn9G68L1Fy3xvNaIhBNn32InyJsfhWLYXo9fB3n1DqevInYnA nzqGM3Xb w96Q38GA2zzjuPqpan9FZmyCYhQs/PYLZ/3WRJA5usZTHoVkiDPoxW3yzYuBUypr/DIjPneASjyK9fYXM2O7R3iWGgKpxOAew2fDApLGJ+sh9M0ZZyg/JVEaSf7+ihKy67ph3rbwk7cIXkMK1HlJ5HHE0A+zYsjskO08QeDDQ8GsfRA1Sf2+INUsNYO6OEByq4TR9Ag7A5ioc8HOWwaIpXY8kiKsDgZmpahKyblaqml18VmmcLCKBIiiVwbRONDyXD7vQzxpYFl3YL66e0M9Sk97bKHRol2VVQ9byWwwK2IVG8riamKLbruGdct3qf4b7u37l9iu2HV8e2n82GCz/q4lYpyc4eSEyaRjFl9iHePIKMap9oSTTc/4wx0i9Kg6faQFfoy+gfhmuyYcatNFYhbUvQmrkJfCqRQJ0kwZ3iCYbrK8ouFtJLM0k1pmstG2v+6uuUC0dY0ZbWTj++Zx7US0tUyRQJnXDfrDKhpG+IzhCJMTweU7Ih7oxbrOQ9qNFv5B8ezBdVLRrvd0dsxo+4vVZ5vftMb8N63Vz/XCatxIGrz0= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000015, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, Jan 18, 2023 at 10:39 AM Kuan-Ying Lee wrote: > > We scan the shadow memory to infer the requested size instead of > printing cache->object_size directly. > > This patch will fix the confusing kasan slab-out-of-bounds > report like below. [1] > Report shows "cache kmalloc-192 of size 192", but user > actually kmalloc(184). > > ================================================================== > BUG: KASAN: slab-out-of-bounds in _find_next_bit+0x143/0x160 lib/find_bit.c:109 > Read of size 8 at addr ffff8880175766b8 by task kworker/1:1/26 > ... > The buggy address belongs to the object at ffff888017576600 > which belongs to the cache kmalloc-192 of size 192 > The buggy address is located 184 bytes inside of > 192-byte region [ffff888017576600, ffff8880175766c0) > ... > Memory state around the buggy address: > ffff888017576580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888017576600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > >ffff888017576680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc > ^ > ffff888017576700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff888017576780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ================================================================== > > After this patch, slab-out-of-bounds report will show as below. > ================================================================== > ... > The buggy address belongs to the object at ffff888017576600 > which belongs to the cache kmalloc-192 of size 192 > The buggy address is located 0 bytes right of > allocated 184-byte region [ffff888017576600, ffff8880175766b8) > ... > ================================================================== > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=216457 [1] > > Signed-off-by: Kuan-Ying Lee > --- > V1 -> V2: > - Implement getting allocated size of object for tag-based kasan. > - Refine the kasan report. > - Check if it is slab-out-of-bounds report type. > - Thanks for Andrey and Dmitry suggestion. Hi Kuan-Ying, I came up with a few more things to fix while testing your patch and decided to address them myself. Please check the v3 here: https://github.com/xairy/linux/commit/012a584a9f11ba08a6051b075f7fd0a0eb54c719 The significant changes are to print "freed" for a slab-use-after-free and only print the region state for the Generic mode (printing it for Tag-Based modes doesn't work properly atm, see the comment in the code). The rest is clean-ups and a few added comments. See the full list of changes in the commit message. Please check whether this v3 looks good to you, and then feel free to submit it. Thank you!