• Alexander Potapenko's avatar
    mm: kasan: initial memory quarantine implementation · 55834c59
    Alexander Potapenko authored
    Quarantine isolates freed objects in a separate queue.  The objects are
    returned to the allocator later, which helps to detect use-after-free
    errors.
    
    When the object is freed, its state changes from KASAN_STATE_ALLOC to
    KASAN_STATE_QUARANTINE.  The object is poisoned and put into quarantine
    instead of being returned to the allocator, therefore every subsequent
    access to that object triggers a KASAN error, and the error handler is
    able to say where the object has been allocated and deallocated.
    
    When it's time for the object to leave quarantine, its state becomes
    KASAN_STATE_FREE and it's returned to the allocator.  From now on the
    allocator may reuse it for another allocation.  Before that happens,
    it's still possible to detect a use-after free on that object (it
    retains the allocation/deallocation stacks).
    
    When the allocator reuses this object, the shadow is unpoisoned and old
    allocation/deallocation stacks are wiped.  Therefore a use of this
    object, even an incorrect one, won't trigger ASan warning.
    
    Without the quarantine, it's not guaranteed that the objects aren't
    reused immediately, that's why the probability of catching a
    use-after-free is lower than with quarantine in place.
    
    Quarantine isolates freed objects in a separate queue.  The objects are
    returned to the allocator later, which helps to detect use-after-free
    errors.
    
    Freed objects are first added to per-cpu quarantine queues.  When a
    cache is destroyed or memory shrinking is requested, the objects are
    moved into the global quarantine queue.  Whenever a kmalloc call allows
    memory reclaiming, the oldest objects are popped out of the global queue
    until the total size of objects in quarantine is less than 3/4 of the
    maximum quarantine size (which is a fraction of installed physical
    memory).
    
    As long as an object remains in the quarantine, KASAN is able to report
    accesses to it, so the chance of reporting a use-after-free is
    increased.  Once the object leaves quarantine, the allocator may reuse
    it, in which case the object is unpoisoned and KASAN can't detect
    incorrect accesses to it.
    
    Right now quarantine support is only enabled in SLAB allocator.
    Unification of KASAN features in SLAB and SLUB will be done later.
    
    This patch is based on the "mm: kasan: quarantine" patch originally
    prepared by Dmitry Chernenkov.  A number of improvements have been
    suggested by Andrey Ryabinin.
    
    [glider@google.com: v9]
      Link: http://lkml.kernel.org/r/1462987130-144092-1-git-send-email-glider@google.com
    
    Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: Andrey Konovalov <adech.fo@gmail.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Konstantin Serebryany <kcc@google.com>
    Cc: Dmitry Chernenkov <dmitryc@google.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    55834c59