From: Dmitry Vyukov <dvyukov@google.com>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Alexander Potapenko <glider@google.com>,
	kasan-dev <kasan-dev@googlegroups.com>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH v2 0/9] kasan: improve error reports
Date: Thu, 2 Mar 2017 14:57:39 +0100
Message-ID: <CACT4Y+awkYcr_z3RzYg=rQYVR2mQQ_EoUh40oOqB6WOq_Diwvw@mail.gmail.com>
In-Reply-To: <20170302134851.101218-1-andreyknvl@google.com>

On Thu, Mar 2, 2017 at 2:48 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> This patchset improves KASAN reports by making them easier to read
> and a little more detailed.
> Also improves mm/kasan/report.c readability.

Acked-by: Dmitry Vyukov <dvyukov@google.com>

> Effectively changes a use-after-free report to:
>
> ==================================================================
> BUG: KASAN: use-after-free in kmalloc_uaf+0xaa/0xb6 [test_kasan]
> Write of size 1 at addr ffff88006aa59da8 by task insmod/3951
>
> CPU: 1 PID: 3951 Comm: insmod Tainted: G    B           4.10.0+ #84
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
>  dump_stack+0x292/0x398
>  print_address_description+0x73/0x280
>  kasan_report.part.2+0x207/0x2f0
>  __asan_report_store1_noabort+0x2c/0x30
>  kmalloc_uaf+0xaa/0xb6 [test_kasan]
>  kmalloc_tests_init+0x4f/0xa48 [test_kasan]
>  do_one_initcall+0xf3/0x390
>  do_init_module+0x215/0x5d0
>  load_module+0x54de/0x82b0
>  SYSC_init_module+0x3be/0x430
>  SyS_init_module+0x9/0x10
>  entry_SYSCALL_64_fastpath+0x1f/0xc2
> RIP: 0033:0x7f22cfd0b9da
> RSP: 002b:00007ffe69118a78 EFLAGS: 00000206 ORIG_RAX: 00000000000000af
> RAX: ffffffffffffffda RBX: 0000555671242090 RCX: 00007f22cfd0b9da
> RDX: 00007f22cffcaf88 RSI: 000000000004df7e RDI: 00007f22d0399000
> RBP: 00007f22cffcaf88 R08: 0000000000000003 R09: 0000000000000000
> R10: 00007f22cfd07d0a R11: 0000000000000206 R12: 0000555671243190
> R13: 000000000001fe81 R14: 0000000000000000 R15: 0000000000000004
>
> Allocated by task 3951:
>  save_stack_trace+0x16/0x20
>  save_stack+0x43/0xd0
>  kasan_kmalloc+0xad/0xe0
>  kmem_cache_alloc_trace+0x82/0x270
>  kmalloc_uaf+0x56/0xb6 [test_kasan]
>  kmalloc_tests_init+0x4f/0xa48 [test_kasan]
>  do_one_initcall+0xf3/0x390
>  do_init_module+0x215/0x5d0
>  load_module+0x54de/0x82b0
>  SYSC_init_module+0x3be/0x430
>  SyS_init_module+0x9/0x10
>  entry_SYSCALL_64_fastpath+0x1f/0xc2
>
> Freed by task 3951:
>  save_stack_trace+0x16/0x20
>  save_stack+0x43/0xd0
>  kasan_slab_free+0x72/0xc0
>  kfree+0xe8/0x2b0
>  kmalloc_uaf+0x85/0xb6 [test_kasan]
>  kmalloc_tests_init+0x4f/0xa48 [test_kasan]
>  do_one_initcall+0xf3/0x390
>  do_init_module+0x215/0x5d0
>  load_module+0x54de/0x82b0
>  SYSC_init_module+0x3be/0x430
>  SyS_init_module+0x9/0x10
>  entry_SYSCALL_64_fastpath+0x1f/0xc
>
> The buggy address belongs to the object at ffff88006aa59da0
>  which belongs to the cache kmalloc-16 of size 16
> The buggy address is located 8 bytes inside of
>  16-byte region [ffff88006aa59da0, ffff88006aa59db0)
> The buggy address belongs to the page:
> page:ffffea0001aa9640 count:1 mapcount:0 mapping:          (null) index:0x0
> flags: 0x100000000000100(slab)
> raw: 0100000000000100 0000000000000000 0000000000000000 0000000180800080
> raw: ffffea0001abe380 0000000700000007 ffff88006c401b40 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff88006aa59c80: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
>  ffff88006aa59d00: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
>>ffff88006aa59d80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
>                                   ^
>  ffff88006aa59e00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
>  ffff88006aa59e80: fb fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
> ==================================================================
>
> from:
>
> ==================================================================
> BUG: KASAN: use-after-free in kmalloc_uaf+0xaa/0xb6 [test_kasan] at addr ffff88006c4dcb28
> Write of size 1 by task insmod/3984
> CPU: 1 PID: 3984 Comm: insmod Tainted: G    B           4.10.0+ #83
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
>  dump_stack+0x292/0x398
>  kasan_object_err+0x1c/0x70
>  kasan_report.part.1+0x20e/0x4e0
>  __asan_report_store1_noabort+0x2c/0x30
>  kmalloc_uaf+0xaa/0xb6 [test_kasan]
>  kmalloc_tests_init+0x4f/0xa48 [test_kasan]
>  do_one_initcall+0xf3/0x390
>  do_init_module+0x215/0x5d0
>  load_module+0x54de/0x82b0
>  SYSC_init_module+0x3be/0x430
>  SyS_init_module+0x9/0x10
>  entry_SYSCALL_64_fastpath+0x1f/0xc2
> RIP: 0033:0x7feca0f779da
> RSP: 002b:00007ffdfeae5218 EFLAGS: 00000206 ORIG_RAX: 00000000000000af
> RAX: ffffffffffffffda RBX: 000055a064c13090 RCX: 00007feca0f779da
> RDX: 00007feca1236f88 RSI: 000000000004df7e RDI: 00007feca1605000
> RBP: 00007feca1236f88 R08: 0000000000000003 R09: 0000000000000000
> R10: 00007feca0f73d0a R11: 0000000000000206 R12: 000055a064c14190
> R13: 000000000001fe81 R14: 0000000000000000 R15: 0000000000000004
> Object at ffff88006c4dcb20, in cache kmalloc-16 size: 16
> Allocated:
> PID = 3984
>  save_stack_trace+0x16/0x20
>  save_stack+0x43/0xd0
>  kasan_kmalloc+0xad/0xe0
>  kmem_cache_alloc_trace+0x82/0x270
>  kmalloc_uaf+0x56/0xb6 [test_kasan]
>  kmalloc_tests_init+0x4f/0xa48 [test_kasan]
>  do_one_initcall+0xf3/0x390
>  do_init_module+0x215/0x5d0
>  load_module+0x54de/0x82b0
>  SYSC_init_module+0x3be/0x430
>  SyS_init_module+0x9/0x10
>  entry_SYSCALL_64_fastpath+0x1f/0xc2
> Freed:
> PID = 3984
>  save_stack_trace+0x16/0x20
>  save_stack+0x43/0xd0
>  kasan_slab_free+0x73/0xc0
>  kfree+0xe8/0x2b0
>  kmalloc_uaf+0x85/0xb6 [test_kasan]
>  kmalloc_tests_init+0x4f/0xa48 [test_kasan]
>  do_one_initcall+0xf3/0x390
>  do_init_module+0x215/0x5d0
>  load_module+0x54de/0x82b0
>  SYSC_init_module+0x3be/0x430
>  SyS_init_module+0x9/0x10
>  entry_SYSCALL_64_fastpath+0x1f/0xc2
> Memory state around the buggy address:
>  ffff88006c4dca00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
>  ffff88006c4dca80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
>>ffff88006c4dcb00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
>                                   ^
>  ffff88006c4dcb80: fb fb fc fc 00 00 fc fc fb fb fc fc fb fb fc fc
>  ffff88006c4dcc00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> ==================================================================
>
> Changes in v2:
> - split patch in multiple smaller ones
> - improve double-free reports
>
> Andrey Konovalov (9):
>   kasan: introduce helper functions for determining bug type
>   kasan: unify report headers
>   kasan: change allocation and freeing stack traces headers
>   kasan: simplify address description logic
>   kasan: change report header
>   kasan: improve slab object description
>   kasan: print page description after stacks
>   kasan: improve double-free report format
>   kasan: separate report parts by empty lines
>
>  mm/kasan/kasan.c  |   3 +-
>  mm/kasan/kasan.h  |   2 +-
>  mm/kasan/report.c | 187 ++++++++++++++++++++++++++++++++++++------------------
>  3 files changed, 127 insertions(+), 65 deletions(-)
>
> --
> 2.12.0.rc1.440.g5b76565f74-goog
>

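The quoted cover letter shows the new report layout: a one-line header with the bug type, an access line with size, address and task, the allocation and free stacks, the slab object description, and the shadow memory dump. As an added example (not code from the patchset or from the KASAN project), the parser below reads exactly that layout from a constructed sample trimmed from the report quoted above, recomputes the "8 bytes inside of" offset from the access and object addresses, and cross-checks the headline bug type against the shadow byte covering the faulting address. The shadow legend (0x00 addressable, 0xfb freed kmalloc object, 0xfc kmalloc redzone, and so on) follows the constants in mm/kasan/kasan.h; the function and field names are this example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the new-format report quoted above, trimmed to what the parser reads.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in kmalloc_uaf+0xaa/0xb6 [test_kasan]
Write of size 1 at addr ffff88006aa59da8 by task insmod/3951

Allocated by task 3951:
 kasan_kmalloc+0xad/0xe0
 kmalloc_uaf+0x56/0xb6 [test_kasan]

Freed by task 3951:
 kasan_slab_free+0x72/0xc0
 kfree+0xe8/0x2b0
 kmalloc_uaf+0x85/0xb6 [test_kasan]

The buggy address belongs to the object at ffff88006aa59da0
 which belongs to the cache kmalloc-16 of size 16

Memory state around the buggy address:
 ffff88006aa59d00: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
>ffff88006aa59d80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
                                  ^
"""

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory
SHADOW_LEGEND = {  # special shadow values, as defined in mm/kasan/kasan.h
    0x00: "addressable", 0xFA: "global redzone", 0xFB: "freed kmalloc object",
    0xFC: "kmalloc redzone", 0xFE: "page redzone", 0xFF: "free page",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone", 0xF3: "stack right redzone"}

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) in (?P<loc>.+)$")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
OBJECT_RE = re.compile(r"^The buggy address belongs to the object at (?P<addr>[0-9a-f]+)$")
SHADOW_RE = re.compile(r"^[ >](?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")


@dataclass
class KasanReport:
    bug_type: str
    location: str
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    object_addr: int | None = None
    alloc_stack: list[str] = field(default_factory=list)
    free_stack: list[str] = field(default_factory=list)
    shadow: dict[int, list[int]] = field(default_factory=dict)  # row base -> 16 shadow bytes


def parse_report(text: str) -> KasanReport:
    """Parse one new-format report; empty lines delimit the report parts."""
    report, section = None, None
    for line in text.splitlines():
        if not line.strip():
            section = None
        elif (m := HEADER_RE.match(line)):
            report = KasanReport(bug_type=m["type"], location=m["loc"])
        elif report is None:
            continue  # ignore anything before the BUG: header
        elif (m := ACCESS_RE.match(line)):
            report.access, report.size = m["rw"], int(m["size"])
            report.addr, report.task = int(m["addr"], 16), m["task"]
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif line.startswith("Freed by task"):
            section = "free"
        elif (m := OBJECT_RE.match(line)):
            report.object_addr = int(m["addr"], 16)
        elif (m := SHADOW_RE.match(line)):
            report.shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif section and line.startswith(" ") and "+0x" in line:
            (report.alloc_stack if section == "alloc" else report.free_stack).append(line.strip())
    if report is None:
        raise ValueError("no 'BUG: KASAN:' header found")
    return report


def shadow_byte_for(report: KasanReport, addr: int) -> int | None:
    """Shadow byte covering addr, or None if its 128-byte row was not dumped."""
    row_base = addr & ~(SHADOW_SCALE * 16 - 1)
    row = report.shadow.get(row_base)
    return None if row is None else row[(addr - row_base) // SHADOW_SCALE]


def describe_shadow(value: int) -> str:
    if 1 <= value < SHADOW_SCALE:
        return f"partially addressable (first {value} bytes)"
    return SHADOW_LEGEND.get(value, f"unknown shadow value 0x{value:02x}")


def offset_in_object(report: KasanReport) -> int | None:
    return None if report.object_addr is None else report.addr - report.object_addr


def consistent(report: KasanReport) -> bool:
    """Cross-check the headline bug type against the dumped shadow and stacks."""
    sb = shadow_byte_for(report, report.addr)
    if report.bug_type == "use-after-free":
        return sb == 0xFB and bool(report.free_stack)
    if report.bug_type == "slab-out-of-bounds":
        return sb == 0xFC or (sb is not None and 1 <= sb < SHADOW_SCALE)
    return sb is not None
```

On the sample, `offset_in_object` returns 8, matching the "8 bytes inside of" line the kernel prints, and `shadow_byte_for` lands on the sixth byte of the marked row (0xfb, freed kmalloc object), which is where the `^` marker points; `consistent` passes because that byte agrees with the use-after-free headline and a free stack is present. A mismatch between those three (for instance a use-after-free headline over an addressable shadow byte) is the first thing to look at when a report arrives from a fuzzer, since it usually means the report was truncated or interleaved with other console output.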
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
