From: Andrey Konovalov
Subject: [PATCH 0/2] kasan,stacktrace: improve error reports
Date: Tue, 8 Nov 2016 20:37:48 +0100
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, mingo@redhat.com
Cc: kcc@google.com, Andrey Konovalov

This patchset improves KASAN reports by making the following changes:

1. Changes header format from:

[   24.247214] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan] at addr ffff88006bbb38a8
[   24.247301] Write of size 1 by task insmod/3852

to

[   19.338308] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan]
[   19.338387] Write of size 1 at addr ffff88006af77968 by task insmod/3840

2. Unifies header format between different kinds of bad accesses.

3. Adds empty lines between parts of the report to improve readability.

4. Improves slab object description, before:

[   24.247301] Object at ffff88006bbb38a0, in cache kmalloc-16 size: 16

now:

[   19.338387] The buggy address belongs to the object at ffff88006af77960
[   19.338387]  which belongs to the cache kmalloc-16 of size 16
[   19.338387] The buggy address ffff88006af77968 is located 8 bytes inside
[   19.338387]  of 16-byte region [ffff88006af77960, ffff88006af77970)

5. Fixes printing timeframes twice in alloc and free stack traces.

6. Improves mm/kasan/report.c readability.

This is what a test use-after-free report looks like now:

[   19.337402] ==================================================================
[   19.338308] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan]
[   19.338387] Write of size 1 at addr ffff88006af77968 by task insmod/3840
[   19.338387]
[   19.338387] page:ffffea0001abddc0 count:1 mapcount:0 mapping:          (null) index:0x0
[   19.338387] flags: 0x100000000000080(slab)
[   19.338387] page dumped because: kasan: bad access detected
[   19.338387]
[   19.338387] CPU: 0 PID: 3840 Comm: insmod Tainted: G    B           4.9.0-rc4+ #394
[   19.338387] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   19.338387]  ffff880063d6f9a8 ffffffff81b46b74 ffff880063d6fa38 ffff88006af77968
[   19.338387]  00000000000000fa 00000000000000fb ffff880063d6fa28 ffffffff8150aa92
[   19.338387]  ffffffff8120812d ffff880063d6fa00 0000000000000282 0000000000000296
[   19.338387] Call Trace:
[   19.338387]  [] dump_stack+0xb3/0x10f
[   19.338387]  [] kasan_report_error+0x122/0x560
[   19.338387]  [] ? trace_hardirqs_on+0xd/0x10
[   19.338387]  [] ? copy_user_test+0x24f/0x24f [test_kasan]
[   19.338387]  [] __asan_report_store1_noabort+0x3e/0x40
[   19.338387]  [] ? kmalloc_uaf+0xad/0xb9 [test_kasan]
[   19.338387]  [] kmalloc_uaf+0xad/0xb9 [test_kasan]
[   19.338387]  [] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[   19.338387]  [] do_one_initcall+0xa0/0x230
[   19.338387]  [] ? initcall_blacklisted+0x170/0x170
[   19.338387]  [] ? kasan_kmalloc+0xab/0xe0
[   19.338387]  [] ? kasan_unpoison_shadow+0x35/0x50
[   19.338387]  [] ? __asan_register_globals+0x7c/0xa0
[   19.338387]  [] do_init_module+0x1c1/0x516
[   19.338387]  [] load_module+0x65ed/0x8f90
[   19.338387]  [] ? __symbol_put+0xb0/0xb0
[   19.338387]  [] ? __UNIQUE_ID_vermagic8+0x36ff9f20d843/0x36ff9f20d846 [test_kasan]
[   19.338387]  [] ? module_frob_arch_sections+0x20/0x20
[   19.338387]  [] ? retint_kernel+0x10/0x10
[   19.338387]  [] ? trace_hardirqs_on_caller+0x420/0x5b0
[   19.338387]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   19.338387]  [] ? retint_kernel+0x10/0x10
[   19.338387]  [] SYSC_init_module+0x1bc/0x1d0
[   19.338387]  [] ? load_module+0x8f90/0x8f90
[   19.338387]  [] ? trace_hardirqs_on_caller+0x420/0x5b0
[   19.338387]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   19.338387]  [] SyS_init_module+0x9/0x10
[   19.338387]  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
[   19.338387]
[   19.338387] The buggy address belongs to the object at ffff88006af77960
[   19.338387]  which belongs to the cache kmalloc-16 of size 16
[   19.338387] The buggy address ffff88006af77968 is located 8 bytes inside
[   19.338387]  of 16-byte region [ffff88006af77960, ffff88006af77970)
[   19.338387]
[   19.338387] Freed by task 3840:
[   19.338387]  [] save_stack_trace+0x16/0x20
[   19.338387]  [] save_stack+0x46/0xd0
[   19.338387]  [] kasan_slab_free+0x73/0xc0
[   19.338387]  [] kfree+0xe8/0x2b0
[   19.338387]  [] kmalloc_uaf+0x85/0xb9 [test_kasan]
[   19.338387]  [] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[   19.338387]  [] do_one_initcall+0xa0/0x230
[   19.338387]  [] do_init_module+0x1c1/0x516
[   19.338387]  [] load_module+0x65ed/0x8f90
[   19.338387]  [] SYSC_init_module+0x1bc/0x1d0
[   19.338387]  [] SyS_init_module+0x9/0x10
[   19.338387]  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
[   19.338387]
[   19.338387] Allocated by task 3840:
[   19.338387]  [] save_stack_trace+0x16/0x20
[   19.338387]  [] save_stack+0x46/0xd0
[   19.338387]  [] kasan_kmalloc+0xab/0xe0
[   19.338387]  [] kmem_cache_alloc_trace+0xec/0x270
[   19.338387]  [] kmalloc_uaf+0x56/0xb9 [test_kasan]
[   19.338387]  [] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[   19.338387]  [] do_one_initcall+0xa0/0x230
[   19.338387]  [] do_init_module+0x1c1/0x516
[   19.338387]  [] load_module+0x65ed/0x8f90
[   19.338387]  [] SYSC_init_module+0x1bc/0x1d0
[   19.338387]  [] SyS_init_module+0x9/0x10
[   19.338387]  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
[   19.338387]
[   19.338387] Memory state around the buggy address:
[   19.338387]  ffff88006af77800: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[   19.338387]  ffff88006af77880: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[   19.338387] >ffff88006af77900: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[   19.338387]                                                           ^
[   19.338387]  ffff88006af77980: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[   19.338387]  ffff88006af77a00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[   19.338387] ==================================================================

This is what a test use-after-free report looked like before:

[   24.246351] ==================================================================
[   24.247214] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan] at addr ffff88006bbb38a8
[   24.247301] Write of size 1 by task insmod/3852
[   24.247301] CPU: 1 PID: 3852 Comm: insmod Tainted: G    B           4.9.0-rc4+ #393
[   24.247301] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   24.247301]  ffff88006a647980 ffffffff81b46a64 ffff88006c801b40 ffff88006bbb38a0
[   24.247301]  ffff88006bbb38b0 ffff88006bbb38a0 ffff88006a6479a8 ffffffff8150a86c
[   24.247301]  ffff88006a647a38 ffff88006c801b40 ffff8800ebbb38a8 ffff88006a647a28
[   24.247301] Call Trace:
[   24.247301]  [] dump_stack+0xb3/0x10f
[   24.247301]  [] kasan_object_err+0x1c/0x70
[   24.247301]  [] kasan_report_error+0x1f7/0x4d0
[   24.247301]  [] ? trace_hardirqs_on+0xd/0x10
[   24.247301]  [] ? copy_user_test+0x24f/0x24f [test_kasan]
[   24.247301]  [] __asan_report_store1_noabort+0x3e/0x40
[   24.247301]  [] ? kmalloc_uaf+0xad/0xb9 [test_kasan]
[   24.247301]  [] kmalloc_uaf+0xad/0xb9 [test_kasan]
[   24.247301]  [] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[   24.247301]  [] do_one_initcall+0xa0/0x230
[   24.247301]  [] ? initcall_blacklisted+0x170/0x170
[   24.247301]  [] ? kasan_kmalloc+0xab/0xe0
[   24.247301]  [] ? kasan_unpoison_shadow+0x35/0x50
[   24.247301]  [] ? __asan_register_globals+0x7c/0xa0
[   24.247301]  [] do_init_module+0x1c1/0x516
[   24.247301]  [] load_module+0x65ed/0x8f90
[   24.247301]  [] ? __symbol_put+0xb0/0xb0
[   24.247301]  [] ? __UNIQUE_ID_vermagic8+0x36ff9f26d843/0x36ff9f26d846 [test_kasan]
[   24.247301]  [] ? module_frob_arch_sections+0x20/0x20
[   24.247301]  [] ? retint_kernel+0x10/0x10
[   24.247301]  [] ? trace_hardirqs_on_caller+0x420/0x5b0
[   24.247301]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.247301]  [] ? retint_kernel+0x10/0x10
[   24.247301]  [] SYSC_init_module+0x1bc/0x1d0
[   24.247301]  [] ? load_module+0x8f90/0x8f90
[   24.247301]  [] ? trace_hardirqs_on_caller+0x420/0x5b0
[   24.247301]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.247301]  [] SyS_init_module+0x9/0x10
[   24.247301]  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
[   24.247301] Object at ffff88006bbb38a0, in cache kmalloc-16 size: 16
[   24.247301] Allocated:
[   24.247301] PID = 3852
[   24.247301] [   24.247301]  [] save_stack_trace+0x16/0x20
[   24.247301] [   24.247301]  [] save_stack+0x46/0xd0
[   24.247301] [   24.247301]  [] kasan_kmalloc+0xab/0xe0
[   24.247301] [   24.247301]  [] kmem_cache_alloc_trace+0xec/0x270
[   24.247301] [   24.247301]  [] kmalloc_uaf+0x56/0xb9 [test_kasan]
[   24.247301] [   24.247301]  [] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[   24.247301] [   24.247301]  [] do_one_initcall+0xa0/0x230
[   24.247301] [   24.247301]  [] do_init_module+0x1c1/0x516
[   24.247301] [   24.247301]  [] load_module+0x65ed/0x8f90
[   24.247301] [   24.247301]  [] SYSC_init_module+0x1bc/0x1d0
[   24.247301] [   24.247301]  [] SyS_init_module+0x9/0x10
[   24.247301] [   24.247301]  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
[   24.247301] Freed:
[   24.247301] PID = 3852
[   24.247301] [   24.247301]  [] save_stack_trace+0x16/0x20
[   24.247301] [   24.247301]  [] save_stack+0x46/0xd0
[   24.247301] [   24.247301]  [] kasan_slab_free+0x73/0xc0
[   24.247301] [   24.247301]  [] kfree+0xe8/0x2b0
[   24.247301] [   24.247301]  [] kmalloc_uaf+0x85/0xb9 [test_kasan]
[   24.247301] [   24.247301]  [] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[   24.247301] [   24.247301]  [] do_one_initcall+0xa0/0x230
[   24.247301] [   24.247301]  [] do_init_module+0x1c1/0x516
[   24.247301] [   24.247301]  [] load_module+0x65ed/0x8f90
[   24.247301] [   24.247301]  [] SYSC_init_module+0x1bc/0x1d0
[   24.247301] [   24.247301]  [] SyS_init_module+0x9/0x10
[   24.247301] [   24.247301]  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
[   24.247301] Memory state around the buggy address:
[   24.247301]  ffff88006bbb3780: fb fb fc fc fb fb fc fc 00 00 fc fc 00 00 fc fc
[   24.247301]  ffff88006bbb3800: 00 00 fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[   24.247301] >ffff88006bbb3880: fb fb fc fc fb fb fc fc 00 00 fc fc fb fb fc fc
[   24.247301]                                   ^
[   24.247301]  ffff88006bbb3900: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[   24.247301]  ffff88006bbb3980: 00 00 fc fc 00 00 fc fc fb fb fc fc 00 00 fc fc
[   24.247301] ==================================================================

Andrey Konovalov (2):
  stacktrace: fix print_stack_trace printing timestamp twice
  kasan: improve error reports

 kernel/stacktrace.c |   6 +-
 mm/kasan/report.c   | 246 +++++++++++++++++++++++++++++++++++-----------------
 2 files changed, 169 insertions(+), 83 deletions(-)

-- 
2.8.0.rc3.226.g39d4020
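The two header layouts and the new object description compared in the cover letter above, handled by an added example that is not part of the patchset: a Python parser that normalises either KASAN header into one record (useful for triage tooling that must ingest reports from kernels before and after this change), plus a reimplementation of the "located N bytes ... of M-byte region" description. The sample report lines are constructed from the cover letter; the "to the left"/"to the right" wording for accesses outside the object is this example's own assumption, since the letter only shows the "inside" case.

```python
import re

# Constructed samples shaped like the two report headers in the cover letter.
OLD_REPORT = """\
[   24.247214] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan] at addr ffff88006bbb38a8
[   24.247301] Write of size 1 by task insmod/3852
"""
NEW_REPORT = """\
[   19.338308] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan]
[   19.338387] Write of size 1 at addr ffff88006af77968 by task insmod/3840
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
# Old layout carries the address on the BUG line, the new layout on the access line.
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<where>.+?)"
                    r"(?: at addr (?P<addr>[0-9a-f]+))?$")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+)"
                    r"(?: at addr (?P<addr>[0-9a-f]+))? by task (?P<comm>\S+)/(?P<pid>\d+)$")


def parse_report_header(report: str) -> dict:
    """Normalise the first two lines of a KASAN report, old or new layout,
    into one record: bug type, faulting frame, address, access, task."""
    rec = {}
    for raw in report.splitlines():
        line = TS.sub("", raw).strip()
        m = HEADER.match(line) or ACCESS.match(line)
        if m:  # keep only groups that matched; addr comes from whichever line has it
            rec.update({k: v for k, v in m.groupdict().items() if v is not None})
    rec["addr"] = int(rec["addr"], 16)
    rec["size"] = int(rec["size"])
    rec["pid"] = int(rec["pid"])
    return rec


def describe_address(addr: int, obj_start: int, obj_size: int) -> str:
    """Build the object-relative description of the new layout. The cover
    letter shows only 'inside'; the out-of-bounds wordings are an assumption."""
    end = obj_start + obj_size
    if addr < obj_start:
        rel, n = "to the left", obj_start - addr
    elif addr >= end:
        rel, n = "to the right", addr - end
    else:
        rel, n = "inside", addr - obj_start
    return (f"The buggy address {addr:016x} is located {n} bytes {rel}\n"
            f" of {obj_size}-byte region [{obj_start:016x}, {end:016x})")


if __name__ == "__main__":
    for report in (OLD_REPORT, NEW_REPORT):
        print(parse_report_header(report))
    print(describe_address(0xffff88006af77968, 0xffff88006af77960, 16))
```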