| From: Haibo Li <haibo.li@mediatek.com> |
| Subject: kasan: print the original fault addr when access invalid shadow |
| Date: Mon, 9 Oct 2023 15:37:48 +0800 |
| |
| when the checked address is illegal,the corresponding shadow address from |
| kasan_mem_to_shadow may have no mapping in mmu table. Access such shadow |
| address causes kernel oops. Here is a sample about oops on arm64(VA |
| 39bit) with KASAN_SW_TAGS and KASAN_OUTLINE on: |
| |
| [ffffffb80aaaaaaa] pgd=000000005d3ce003, p4d=000000005d3ce003, |
| pud=000000005d3ce003, pmd=0000000000000000 |
| Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP |
| Modules linked in: |
| CPU: 3 PID: 100 Comm: sh Not tainted 6.6.0-rc1-dirty #43 |
| Hardware name: linux,dummy-virt (DT) |
| pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) |
| pc : __hwasan_load8_noabort+0x5c/0x90 |
| lr : do_ib_ob+0xf4/0x110 |
| ffffffb80aaaaaaa is the shadow address for efffff80aaaaaaaa. |
| The problem is reading invalid shadow in kasan_check_range. |
| |
| The generic kasan also has similar oops. |
| |
| It only reports the shadow address which causes oops but not |
| the original address. |
| |
| Commit 2f004eea0fc8("x86/kasan: Print original address on #GP") |
| introduce to kasan_non_canonical_hook but limit it to KASAN_INLINE. |
| |
| This patch extends it to KASAN_OUTLINE mode. |
| |
| Link: https://lkml.kernel.org/r/20231009073748.159228-1-haibo.li@mediatek.com |
| Fixes: 2f004eea0fc8("x86/kasan: Print original address on #GP") |
| Signed-off-by: Haibo Li <haibo.li@mediatek.com> |
| Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com> |
| Cc: Alexander Potapenko <glider@google.com> |
| Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> |
| Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> |
| Cc: Dmitry Vyukov <dvyukov@google.com> |
| Cc: Haibo Li <haibo.li@mediatek.com> |
| Cc: Matthias Brugger <matthias.bgg@gmail.com> |
| Cc: Vincenzo Frascino <vincenzo.frascino@arm.com> |
| Cc: Arnd Bergmann <arnd@arndb.de> |
| Cc: Kees Cook <keescook@chromium.org> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| --- |
| |
| include/linux/kasan.h | 6 +++--- |
| mm/kasan/report.c | 4 +--- |
| 2 files changed, 4 insertions(+), 6 deletions(-) |
| |
| --- a/include/linux/kasan.h~kasan-print-the-original-fault-addr-when-access-invalid-shadow |
| +++ a/include/linux/kasan.h |
| @@ -466,10 +466,10 @@ static inline void kasan_free_module_sha |
| |
| #endif /* (CONFIG_KASAN_GENERIC || CONFIG_KASAN_SW_TAGS) && !CONFIG_KASAN_VMALLOC */ |
| |
| -#ifdef CONFIG_KASAN_INLINE |
| +#ifdef CONFIG_KASAN |
| void kasan_non_canonical_hook(unsigned long addr); |
| -#else /* CONFIG_KASAN_INLINE */ |
| +#else /* CONFIG_KASAN */ |
| static inline void kasan_non_canonical_hook(unsigned long addr) { } |
| -#endif /* CONFIG_KASAN_INLINE */ |
| +#endif /* CONFIG_KASAN */ |
| |
| #endif /* LINUX_KASAN_H */ |
| --- a/mm/kasan/report.c~kasan-print-the-original-fault-addr-when-access-invalid-shadow |
| +++ a/mm/kasan/report.c |
| @@ -621,9 +621,8 @@ void kasan_report_async(void) |
| } |
| #endif /* CONFIG_KASAN_HW_TAGS */ |
| |
| -#ifdef CONFIG_KASAN_INLINE |
| /* |
| - * With CONFIG_KASAN_INLINE, accesses to bogus pointers (outside the high |
| + * With CONFIG_KASAN, accesses to bogus pointers (outside the high |
| * canonical half of the address space) cause out-of-bounds shadow memory reads |
| * before the actual access. For addresses in the low canonical half of the |
| * address space, as well as most non-canonical addresses, that out-of-bounds |
| @@ -659,4 +658,3 @@ void kasan_non_canonical_hook(unsigned l |
| pr_alert("KASAN: %s in range [0x%016lx-0x%016lx]\n", bug_type, |
| orig_addr, orig_addr + KASAN_GRANULE_SIZE - 1); |
| } |
| -#endif |
| _ |
