Commit 342061ee authored by Paul Lawrence's avatar Paul Lawrence Committed by Linus Torvalds
Browse files

kasan: support alloca() poisoning 

clang's AddressSanitizer implementation adds redzones on either side of
alloca()ed buffers.  These redzones are 32-byte aligned and at least 32
bytes long.

__asan_alloca_poison() is passed the size and address of the allocated
buffer, *excluding* the redzones on either side.  The left redzone will
always be to the immediate left of this buffer; but AddressSanitizer may
need to add padding between the end of the buffer and the right redzone.
If there are any 8-byte chunks inside this padding, we should poison
those too.

__asan_allocas_unpoison() is just passed the top and bottom of the dynamic
stack area, so unpoisoning is simpler.

Link: http://lkml.kernel.org/r/20171204191735.132544-4-paullawrence@google.com


Signed-off-by: default avatarGreg Hackmann <ghackmann@google.com>
Signed-off-by: default avatarPaul Lawrence <paullawrence@google.com>
Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 1a69e7ce

mm/kasan/kasan.c

+34 −0
Original line number Diff line number Diff line
@@ -736,6 +736,40 @@ void __asan_unpoison_stack_memory(const void *addr, size_t size) 
}

EXPORT_SYMBOL(__asan_unpoison_stack_memory);



/* Emitted by compiler to poison alloca()ed objects. */

void __asan_alloca_poison(unsigned long addr, size_t size)

{

	size_t rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);

	size_t padding_size = round_up(size, KASAN_ALLOCA_REDZONE_SIZE) -

			rounded_up_size;

	size_t rounded_down_size = round_down(size, KASAN_SHADOW_SCALE_SIZE);



	const void *left_redzone = (const void *)(addr -

			KASAN_ALLOCA_REDZONE_SIZE);

	const void *right_redzone = (const void *)(addr + rounded_up_size);



	WARN_ON(!IS_ALIGNED(addr, KASAN_ALLOCA_REDZONE_SIZE));



	kasan_unpoison_shadow((const void *)(addr + rounded_down_size),

			      size - rounded_down_size);

	kasan_poison_shadow(left_redzone, KASAN_ALLOCA_REDZONE_SIZE,

			KASAN_ALLOCA_LEFT);

	kasan_poison_shadow(right_redzone,

			padding_size + KASAN_ALLOCA_REDZONE_SIZE,

			KASAN_ALLOCA_RIGHT);

}

EXPORT_SYMBOL(__asan_alloca_poison);



/* Emitted by compiler to unpoison alloca()ed areas when the stack unwinds. */

void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom)

{

	if (unlikely(!stack_top || stack_top > stack_bottom))

		return;



	kasan_unpoison_shadow(stack_top, stack_bottom - stack_top);

}

EXPORT_SYMBOL(__asan_allocas_unpoison);



#ifdef CONFIG_MEMORY_HOTPLUG

static int __meminit kasan_mem_notifier(struct notifier_block *nb,

			unsigned long action, void *data)

mm/kasan/kasan.h

+8 −0
Original line number Diff line number Diff line
@@ -24,6 +24,14 @@ 
#define KASAN_STACK_PARTIAL     0xF4

#define KASAN_USE_AFTER_SCOPE   0xF8



/*

 * alloca redzone shadow values

 */

#define KASAN_ALLOCA_LEFT	0xCA

#define KASAN_ALLOCA_RIGHT	0xCB



#define KASAN_ALLOCA_REDZONE_SIZE	32



/* Don't break randconfig/all*config builds */

#ifndef KASAN_ABI_VERSION

#define KASAN_ABI_VERSION 1

mm/kasan/report.c

+4 −0
Original line number Diff line number Diff line
@@ -102,6 +102,10 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info) 
	case KASAN_USE_AFTER_SCOPE:

		bug_type = "use-after-scope";

		break;

	case KASAN_ALLOCA_LEFT:

	case KASAN_ALLOCA_RIGHT:

		bug_type = "alloca-out-of-bounds";

		break;

	}



	return bug_type;

scripts/Makefile.kasan

+2 −1
Original line number Diff line number Diff line
@@ -32,7 +32,8 @@ else 
	$(call cc-param,asan-globals=1) \

	$(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \

	$(call cc-param,asan-stack=1) \

	$(call cc-param,asan-use-after-scope=1)

	$(call cc-param,asan-use-after-scope=1) \

	$(call cc-param,asan-instrument-allocas=1)

   endif



endif

CRA Git | Maintained and supported by SUSTech CRA and CCSE