report.c 12 KB
Newer Older
1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * This file contains common KASAN error reporting code.
4
5
 *
 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
6
 * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
7
 *
8
 * Some code borrowed from https://github.com/xairy/kasan-prototype by
9
 *        Andrey Konovalov <andreyknvl@gmail.com>
10
11
 */

12
#include <linux/bitops.h>
13
#include <linux/ftrace.h>
14
#include <linux/init.h>
15
16
17
18
19
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/printk.h>
#include <linux/sched.h>
#include <linux/slab.h>
20
#include <linux/stackdepot.h>
21
22
23
24
#include <linux/stacktrace.h>
#include <linux/string.h>
#include <linux/types.h>
#include <linux/kasan.h>
25
#include <linux/module.h>
26
#include <linux/sched/task_stack.h>
27
#include <linux/uaccess.h>
28

29
30
#include <asm/sections.h>

Patricia Alfonso's avatar
Patricia Alfonso committed
31
32
#include <kunit/test.h>

33
#include "kasan.h"
34
#include "../slab.h"
35

36
static unsigned long kasan_flags;
37

38
39
#define KASAN_BIT_REPORTED	0
#define KASAN_BIT_MULTI_SHOT	1
40

41
bool kasan_save_enable_multi_shot(void)
42
{
43
	return test_and_set_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags);
44
}
45
EXPORT_SYMBOL_GPL(kasan_save_enable_multi_shot);
46

47
void kasan_restore_multi_shot(bool enabled)
48
{
49
50
	if (!enabled)
		clear_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags);
51
}
52
EXPORT_SYMBOL_GPL(kasan_restore_multi_shot);
53

54
static int __init kasan_set_multi_shot(char *str)
Andrey Konovalov's avatar
Andrey Konovalov committed
55
{
56
57
	set_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags);
	return 1;
Andrey Konovalov's avatar
Andrey Konovalov committed
58
}
59
__setup("kasan_multi_shot", kasan_set_multi_shot);
Andrey Konovalov's avatar
Andrey Konovalov committed
60

61
static void print_error_description(struct kasan_access_info *info)
62
{
Andrey Konovalov's avatar
Andrey Konovalov committed
63
	pr_err("BUG: KASAN: %s in %pS\n",
64
		get_bug_type(info), (void *)info->ip);
65
66
67
68
69
70
71
72
	if (info->access_size)
		pr_err("%s of size %zu at addr %px by task %s/%d\n",
			info->is_write ? "Write" : "Read", info->access_size,
			info->access_addr, current->comm, task_pid_nr(current));
	else
		pr_err("%s at addr %px by task %s/%d\n",
			info->is_write ? "Write" : "Read",
			info->access_addr, current->comm, task_pid_nr(current));
73
74
}

75
76
static DEFINE_SPINLOCK(report_lock);

77
static void start_report(unsigned long *flags)
78
79
80
81
82
83
84
85
86
{
	/*
	 * Make sure we don't end up in loop.
	 */
	kasan_disable_current();
	spin_lock_irqsave(&report_lock, *flags);
	pr_err("==================================================================\n");
}

87
static void end_report(unsigned long *flags)
88
89
90
91
{
	pr_err("==================================================================\n");
	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
	spin_unlock_irqrestore(&report_lock, *flags);
92
	if (panic_on_warn && !test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags)) {
93
94
95
96
97
98
99
		/*
		 * This thread may hit another WARN() in the panic path.
		 * Resetting this prevents additional WARN() from panicking the
		 * system on this thread.  Other threads are blocked by the
		 * panic_mutex in panic().
		 */
		panic_on_warn = 0;
Dmitry Vyukov's avatar
Dmitry Vyukov committed
100
		panic("panic_on_warn set ...\n");
101
	}
102
103
104
105
#ifdef CONFIG_KASAN_HW_TAGS
	if (kasan_flag_panic)
		panic("kasan.fault=panic set ...\n");
#endif
106
107
108
	kasan_enable_current();
}

109
110
111
112
113
114
115
116
117
static void print_stack(depot_stack_handle_t stack)
{
	unsigned long *entries;
	unsigned int nr_entries;

	nr_entries = stack_depot_fetch(stack, &entries);
	stack_trace_print(entries, nr_entries, 0);
}

118
static void print_track(struct kasan_track *track, const char *prefix)
Alexander Potapenko's avatar
Alexander Potapenko committed
119
{
120
	pr_err("%s by task %u:\n", prefix, track->pid);
121
	if (track->stack) {
122
		print_stack(track->stack);
123
124
125
	} else {
		pr_err("(stack is not available)\n");
	}
Alexander Potapenko's avatar
Alexander Potapenko committed
126
127
}

128
struct page *kasan_addr_to_page(const void *addr)
129
130
131
132
133
134
135
{
	if ((addr >= (void *)PAGE_OFFSET) &&
			(addr < high_memory))
		return virt_to_head_page(addr);
	return NULL;
}

136
137
static void describe_object_addr(struct kmem_cache *cache, void *object,
				const void *addr)
Alexander Potapenko's avatar
Alexander Potapenko committed
138
{
139
140
141
142
	unsigned long access_addr = (unsigned long)addr;
	unsigned long object_addr = (unsigned long)object;
	const char *rel_type;
	int rel_bytes;
Alexander Potapenko's avatar
Alexander Potapenko committed
143

144
	pr_err("The buggy address belongs to the object at %px\n"
145
146
	       " which belongs to the cache %s of size %d\n",
		object, cache->name, cache->object_size);
147

148
	if (!addr)
Alexander Potapenko's avatar
Alexander Potapenko committed
149
		return;
150

151
152
153
154
155
156
157
158
159
160
161
162
	if (access_addr < object_addr) {
		rel_type = "to the left";
		rel_bytes = object_addr - access_addr;
	} else if (access_addr >= object_addr + cache->object_size) {
		rel_type = "to the right";
		rel_bytes = access_addr - (object_addr + cache->object_size);
	} else {
		rel_type = "inside";
		rel_bytes = access_addr - object_addr;
	}

	pr_err("The buggy address is located %d bytes %s of\n"
163
	       " %d-byte region [%px, %px)\n",
164
165
166
167
		rel_bytes, rel_type, cache->object_size, (void *)object_addr,
		(void *)(object_addr + cache->object_size));
}

168
169
static void describe_object_stacks(struct kmem_cache *cache, void *object,
					const void *addr, u8 tag)
170
{
171
172
	struct kasan_alloc_meta *alloc_meta;
	struct kasan_track *free_track;
173

174
175
	alloc_meta = kasan_get_alloc_meta(cache, object);
	if (alloc_meta) {
176
		print_track(&alloc_meta->alloc_track, "Allocated");
177
		pr_err("\n");
178
179
180
181
182
183
184
	}

	free_track = kasan_get_free_track(cache, object, tag);
	if (free_track) {
		print_track(free_track, "Freed");
		pr_err("\n");
	}
185
186

#ifdef CONFIG_KASAN_GENERIC
187
188
189
190
191
192
	if (!alloc_meta)
		return;
	if (alloc_meta->aux_stack[0]) {
		pr_err("Last call_rcu():\n");
		print_stack(alloc_meta->aux_stack[0]);
		pr_err("\n");
193
	}
194
195
196
197
198
199
	if (alloc_meta->aux_stack[1]) {
		pr_err("Second to last call_rcu():\n");
		print_stack(alloc_meta->aux_stack[1]);
		pr_err("\n");
	}
#endif
200
}
201

202
203
204
205
206
static void describe_object(struct kmem_cache *cache, void *object,
				const void *addr, u8 tag)
{
	if (kasan_stack_collection_enabled())
		describe_object_stacks(cache, object, addr, tag);
207
	describe_object_addr(cache, object, addr);
Alexander Potapenko's avatar
Alexander Potapenko committed
208
209
}

210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
static inline bool kernel_or_module_addr(const void *addr)
{
	if (addr >= (void *)_stext && addr < (void *)_end)
		return true;
	if (is_module_address((unsigned long)addr))
		return true;
	return false;
}

static inline bool init_task_stack_addr(const void *addr)
{
	return addr >= (void *)&init_thread_union.stack &&
		(addr <= (void *)&init_thread_union.stack +
			sizeof(init_thread_union.stack));
}

226
static void print_address_description(void *addr, u8 tag)
227
{
228
	struct page *page = kasan_addr_to_page(addr);
229

230
	dump_stack();
231
	pr_err("\n");
232
233
234

	if (page && PageSlab(page)) {
		struct kmem_cache *cache = page->slab_cache;
235
		void *object = nearest_obj(cache, page,	addr);
236

237
		describe_object(cache, object, addr, tag);
238
239
	}

240
241
242
243
244
245
246
247
	if (kernel_or_module_addr(addr) && !init_task_stack_addr(addr)) {
		pr_err("The buggy address belongs to the variable:\n");
		pr_err(" %pS\n", addr);
	}

	if (page) {
		pr_err("The buggy address belongs to the page:\n");
		dump_page(page, "kasan: bad access detected");
248
	}
249
250

	print_address_stack_frame(addr);
251
252
}

253
static bool meta_row_is_guilty(const void *row, const void *addr)
254
{
255
	return (row <= addr) && (addr < row + META_MEM_BYTES_PER_ROW);
256
257
}

258
static int meta_pointer_offset(const void *row, const void *addr)
259
{
260
261
262
263
264
265
266
267
268
	/*
	 * Memory state around the buggy address:
	 *  ff00ff00ff00ff00: 00 00 00 05 fe fe fe fe fe fe fe fe fe fe fe fe
	 *  ...
	 *
	 * The length of ">ff00ff00ff00ff00: " is
	 *    3 + (BITS_PER_LONG / 8) * 2 chars.
	 * The length of each granule metadata is 2 bytes
	 *    plus 1 byte for space.
269
	 */
270
271
	return 3 + (BITS_PER_LONG / 8) * 2 +
		(addr - row) / KASAN_GRANULE_SIZE * 3 + 1;
272
273
}

274
static void print_memory_metadata(const void *addr)
275
276
{
	int i;
277
	void *row;
278

279
280
	row = (void *)round_down((unsigned long)addr, META_MEM_BYTES_PER_ROW)
			- META_ROWS_AROUND_ADDR * META_MEM_BYTES_PER_ROW;
281
282
283

	pr_err("Memory state around the buggy address:\n");

284
	for (i = -META_ROWS_AROUND_ADDR; i <= META_ROWS_AROUND_ADDR; i++) {
285
286
		char buffer[4 + (BITS_PER_LONG / 8) * 2];
		char metadata[META_BYTES_PER_ROW];
287
288

		snprintf(buffer, sizeof(buffer),
289
290
				(i == 0) ? ">%px: " : " %px: ", row);

291
292
293
294
295
		/*
		 * We should not pass a shadow pointer to generic
		 * function, because generic functions may try to
		 * access kasan mapping for the passed address.
		 */
296
297
		metadata_fetch_row(&metadata[0], row);

298
		print_hex_dump(KERN_ERR, buffer,
299
			DUMP_PREFIX_NONE, META_BYTES_PER_ROW, 1,
300
			metadata, META_BYTES_PER_ROW, 0);
301

302
303
		if (meta_row_is_guilty(row, addr))
			pr_err("%*c\n", meta_pointer_offset(row, addr), '^');
304

305
		row += META_MEM_BYTES_PER_ROW;
306
307
308
	}
}

309
static bool report_enabled(void)
310
{
311
#if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
312
313
	if (current->kasan_depth)
		return false;
314
#endif
315
316
317
318
319
	if (test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags))
		return true;
	return !test_and_set_bit(KASAN_BIT_REPORTED, &kasan_flags);
}

Patricia Alfonso's avatar
Patricia Alfonso committed
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
#if IS_ENABLED(CONFIG_KUNIT)
static void kasan_update_kunit_status(struct kunit *cur_test)
{
	struct kunit_resource *resource;
	struct kunit_kasan_expectation *kasan_data;

	resource = kunit_find_named_resource(cur_test, "kasan_data");

	if (!resource) {
		kunit_set_failure(cur_test);
		return;
	}

	kasan_data = (struct kunit_kasan_expectation *)resource->data;
	kasan_data->report_found = true;
	kunit_put_resource(resource);
}
#endif /* IS_ENABLED(CONFIG_KUNIT) */

339
void kasan_report_invalid_free(void *object, unsigned long ip)
340
341
{
	unsigned long flags;
342
	u8 tag = get_tag(object);
343

344
	object = kasan_reset_tag(object);
Patricia Alfonso's avatar
Patricia Alfonso committed
345
346
347
348
349
350

#if IS_ENABLED(CONFIG_KUNIT)
	if (current->kunit_test)
		kasan_update_kunit_status(current->kunit_test);
#endif /* IS_ENABLED(CONFIG_KUNIT) */

351
	start_report(&flags);
352
	pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip);
353
	print_tags(tag, object);
354
	pr_err("\n");
355
	print_address_description(object, tag);
356
	pr_err("\n");
357
	print_memory_metadata(object);
358
	end_report(&flags);
359
360
}

361
362
static void __kasan_report(unsigned long addr, size_t size, bool is_write,
				unsigned long ip)
363
364
{
	struct kasan_access_info info;
365
366
367
	void *tagged_addr;
	void *untagged_addr;
	unsigned long flags;
368

Patricia Alfonso's avatar
Patricia Alfonso committed
369
370
371
372
373
#if IS_ENABLED(CONFIG_KUNIT)
	if (current->kunit_test)
		kasan_update_kunit_status(current->kunit_test);
#endif /* IS_ENABLED(CONFIG_KUNIT) */

374
375
	disable_trace_on_warning();

376
	tagged_addr = (void *)addr;
377
	untagged_addr = kasan_reset_tag(tagged_addr);
378
379

	info.access_addr = tagged_addr;
380
	if (addr_has_metadata(untagged_addr))
381
382
383
		info.first_bad_addr = find_first_bad_addr(tagged_addr, size);
	else
		info.first_bad_addr = untagged_addr;
384
385
386
	info.access_size = size;
	info.is_write = is_write;
	info.ip = ip;
387

388
389
390
	start_report(&flags);

	print_error_description(&info);
391
	if (addr_has_metadata(untagged_addr))
392
393
394
		print_tags(get_tag(tagged_addr), info.first_bad_addr);
	pr_err("\n");

395
	if (addr_has_metadata(untagged_addr)) {
396
		print_address_description(untagged_addr, get_tag(tagged_addr));
397
		pr_err("\n");
398
		print_memory_metadata(info.first_bad_addr);
399
400
401
402
403
	} else {
		dump_stack();
	}

	end_report(&flags);
404
}
405

406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
bool kasan_report(unsigned long addr, size_t size, bool is_write,
			unsigned long ip)
{
	unsigned long flags = user_access_save();
	bool ret = false;

	if (likely(report_enabled())) {
		__kasan_report(addr, size, is_write, ip);
		ret = true;
	}

	user_access_restore(flags);

	return ret;
}

422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
#ifdef CONFIG_KASAN_INLINE
/*
 * With CONFIG_KASAN_INLINE, accesses to bogus pointers (outside the high
 * canonical half of the address space) cause out-of-bounds shadow memory reads
 * before the actual access. For addresses in the low canonical half of the
 * address space, as well as most non-canonical addresses, that out-of-bounds
 * shadow memory access lands in the non-canonical part of the address space.
 * Help the user figure out what the original bogus pointer was.
 */
void kasan_non_canonical_hook(unsigned long addr)
{
	unsigned long orig_addr;
	const char *bug_type;

	if (addr < KASAN_SHADOW_OFFSET)
		return;

	orig_addr = (addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
	/*
	 * For faults near the shadow address for NULL, we can be fairly certain
	 * that this is a KASAN shadow memory access.
	 * For faults that correspond to shadow for low canonical addresses, we
	 * can still be pretty sure - that shadow region is a fairly narrow
	 * chunk of the non-canonical address space.
	 * But faults that look like shadow for non-canonical addresses are a
	 * really large chunk of the address space. In that case, we still
	 * print the decoded address, but make it clear that this is not
	 * necessarily what's actually going on.
	 */
	if (orig_addr < PAGE_SIZE)
		bug_type = "null-ptr-deref";
	else if (orig_addr < TASK_SIZE)
		bug_type = "probably user-memory-access";
	else
		bug_type = "maybe wild-memory-access";
	pr_alert("KASAN: %s in range [0x%016lx-0x%016lx]\n", bug_type,
458
		 orig_addr, orig_addr + KASAN_GRANULE_SIZE - 1);
459
460
}
#endif