xref: /linux/mm/kasan/report_generic.c (revision 4e73826089ce899357580bbf6e0afe4e6f9900b7)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This file contains generic KASAN specific error reporting code.
4  *
5  * Copyright (c) 2014 Samsung Electronics Co., Ltd.
6  * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
7  *
8  * Some code borrowed from https://github.com/xairy/kasan-prototype by
9  *        Andrey Konovalov <andreyknvl@gmail.com>
10  */
11 
12 #include <linux/bitops.h>
13 #include <linux/ftrace.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/mm.h>
17 #include <linux/printk.h>
18 #include <linux/sched.h>
19 #include <linux/sched/task_stack.h>
20 #include <linux/slab.h>
21 #include <linux/stackdepot.h>
22 #include <linux/stacktrace.h>
23 #include <linux/string.h>
24 #include <linux/types.h>
25 #include <linux/kasan.h>
26 #include <linux/module.h>
27 
28 #include <asm/sections.h>
29 
30 #include "kasan.h"
31 #include "../slab.h"
32 
33 const void *kasan_find_first_bad_addr(const void *addr, size_t size)
34 {
35 	const void *p = addr;
36 
37 	if (!addr_has_metadata(p))
38 		return p;
39 
40 	while (p < addr + size && !(*(u8 *)kasan_mem_to_shadow(p)))
41 		p += KASAN_GRANULE_SIZE;
42 
43 	return p;
44 }
45 
46 size_t kasan_get_alloc_size(void *object, struct kmem_cache *cache)
47 {
48 	size_t size = 0;
49 	u8 *shadow;
50 
51 	/*
52 	 * Skip the addr_has_metadata check, as this function only operates on
53 	 * slab memory, which must have metadata.
54 	 */
55 
56 	/*
57 	 * The loop below returns 0 for freed objects, for which KASAN cannot
58 	 * calculate the allocation size based on the metadata.
59 	 */
60 	shadow = (u8 *)kasan_mem_to_shadow(object);
61 	while (size < cache->object_size) {
62 		if (*shadow == 0)
63 			size += KASAN_GRANULE_SIZE;
64 		else if (*shadow >= 1 && *shadow <= KASAN_GRANULE_SIZE - 1)
65 			return size + *shadow;
66 		else
67 			return size;
68 		shadow++;
69 	}
70 
71 	return cache->object_size;
72 }
73 
74 static const char *get_shadow_bug_type(struct kasan_report_info *info)
75 {
76 	const char *bug_type = "unknown-crash";
77 	u8 *shadow_addr;
78 
79 	shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);
80 
81 	/*
82 	 * If shadow byte value is in [0, KASAN_GRANULE_SIZE) we can look
83 	 * at the next shadow byte to determine the type of the bad access.
84 	 */
85 	if (*shadow_addr > 0 && *shadow_addr <= KASAN_GRANULE_SIZE - 1)
86 		shadow_addr++;
87 
88 	switch (*shadow_addr) {
89 	case 0 ... KASAN_GRANULE_SIZE - 1:
90 		/*
91 		 * In theory it's still possible to see these shadow values
92 		 * due to a data race in the kernel code.
93 		 */
94 		bug_type = "out-of-bounds";
95 		break;
96 	case KASAN_PAGE_REDZONE:
97 	case KASAN_SLAB_REDZONE:
98 		bug_type = "slab-out-of-bounds";
99 		break;
100 	case KASAN_GLOBAL_REDZONE:
101 		bug_type = "global-out-of-bounds";
102 		break;
103 	case KASAN_STACK_LEFT:
104 	case KASAN_STACK_MID:
105 	case KASAN_STACK_RIGHT:
106 	case KASAN_STACK_PARTIAL:
107 		bug_type = "stack-out-of-bounds";
108 		break;
109 	case KASAN_PAGE_FREE:
110 		bug_type = "use-after-free";
111 		break;
112 	case KASAN_SLAB_FREE:
113 	case KASAN_SLAB_FREE_META:
114 		bug_type = "slab-use-after-free";
115 		break;
116 	case KASAN_ALLOCA_LEFT:
117 	case KASAN_ALLOCA_RIGHT:
118 		bug_type = "alloca-out-of-bounds";
119 		break;
120 	case KASAN_VMALLOC_INVALID:
121 		bug_type = "vmalloc-out-of-bounds";
122 		break;
123 	}
124 
125 	return bug_type;
126 }
127 
128 static const char *get_wild_bug_type(struct kasan_report_info *info)
129 {
130 	const char *bug_type = "unknown-crash";
131 
132 	if ((unsigned long)info->access_addr < PAGE_SIZE)
133 		bug_type = "null-ptr-deref";
134 	else if ((unsigned long)info->access_addr < TASK_SIZE)
135 		bug_type = "user-memory-access";
136 	else
137 		bug_type = "wild-memory-access";
138 
139 	return bug_type;
140 }
141 
142 static const char *get_bug_type(struct kasan_report_info *info)
143 {
144 	/*
145 	 * If access_size is a negative number, then it has reason to be
146 	 * defined as out-of-bounds bug type.
147 	 *
148 	 * Casting negative numbers to size_t would indeed turn up as
149 	 * a large size_t and its value will be larger than ULONG_MAX/2,
150 	 * so that this can qualify as out-of-bounds.
151 	 */
152 	if (info->access_addr + info->access_size < info->access_addr)
153 		return "out-of-bounds";
154 
155 	if (addr_has_metadata(info->access_addr))
156 		return get_shadow_bug_type(info);
157 	return get_wild_bug_type(info);
158 }
159 
160 void kasan_complete_mode_report_info(struct kasan_report_info *info)
161 {
162 	struct kasan_alloc_meta *alloc_meta;
163 	struct kasan_free_meta *free_meta;
164 
165 	if (!info->bug_type)
166 		info->bug_type = get_bug_type(info);
167 
168 	if (!info->cache || !info->object)
169 		return;
170 
171 	alloc_meta = kasan_get_alloc_meta(info->cache, info->object);
172 	if (alloc_meta)
173 		memcpy(&info->alloc_track, &alloc_meta->alloc_track,
174 		       sizeof(info->alloc_track));
175 
176 	if (*(u8 *)kasan_mem_to_shadow(info->object) == KASAN_SLAB_FREE_META) {
177 		/* Free meta must be present with KASAN_SLAB_FREE_META. */
178 		free_meta = kasan_get_free_meta(info->cache, info->object);
179 		memcpy(&info->free_track, &free_meta->free_track,
180 		       sizeof(info->free_track));
181 	}
182 }
183 
184 void kasan_metadata_fetch_row(char *buffer, void *row)
185 {
186 	memcpy(buffer, kasan_mem_to_shadow(row), META_BYTES_PER_ROW);
187 }
188 
189 void kasan_print_aux_stacks(struct kmem_cache *cache, const void *object)
190 {
191 	struct kasan_alloc_meta *alloc_meta;
192 
193 	alloc_meta = kasan_get_alloc_meta(cache, object);
194 	if (!alloc_meta)
195 		return;
196 
197 	if (alloc_meta->aux_stack[0]) {
198 		pr_err("Last potentially related work creation:\n");
199 		stack_depot_print(alloc_meta->aux_stack[0]);
200 		pr_err("\n");
201 	}
202 	if (alloc_meta->aux_stack[1]) {
203 		pr_err("Second to last potentially related work creation:\n");
204 		stack_depot_print(alloc_meta->aux_stack[1]);
205 		pr_err("\n");
206 	}
207 }
208 
209 #ifdef CONFIG_KASAN_STACK
210 static bool __must_check tokenize_frame_descr(const char **frame_descr,
211 					      char *token, size_t max_tok_len,
212 					      unsigned long *value)
213 {
214 	const char *sep = strchr(*frame_descr, ' ');
215 
216 	if (sep == NULL)
217 		sep = *frame_descr + strlen(*frame_descr);
218 
219 	if (token != NULL) {
220 		const size_t tok_len = sep - *frame_descr;
221 
222 		if (tok_len + 1 > max_tok_len) {
223 			pr_err("internal error: frame description too long: %s\n",
224 			       *frame_descr);
225 			return false;
226 		}
227 
228 		/* Copy token (+ 1 byte for '\0'). */
229 		strscpy(token, *frame_descr, tok_len + 1);
230 	}
231 
232 	/* Advance frame_descr past separator. */
233 	*frame_descr = sep + 1;
234 
235 	if (value != NULL && kstrtoul(token, 10, value)) {
236 		pr_err("internal error: not a valid number: %s\n", token);
237 		return false;
238 	}
239 
240 	return true;
241 }
242 
243 static void print_decoded_frame_descr(const char *frame_descr)
244 {
245 	/*
246 	 * We need to parse the following string:
247 	 *    "n alloc_1 alloc_2 ... alloc_n"
248 	 * where alloc_i looks like
249 	 *    "offset size len name"
250 	 * or "offset size len name:line".
251 	 */
252 
253 	char token[64];
254 	unsigned long num_objects;
255 
256 	if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
257 				  &num_objects))
258 		return;
259 
260 	pr_err("\n");
261 	pr_err("This frame has %lu %s:\n", num_objects,
262 	       num_objects == 1 ? "object" : "objects");
263 
264 	while (num_objects--) {
265 		unsigned long offset;
266 		unsigned long size;
267 
268 		/* access offset */
269 		if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
270 					  &offset))
271 			return;
272 		/* access size */
273 		if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
274 					  &size))
275 			return;
276 		/* name length (unused) */
277 		if (!tokenize_frame_descr(&frame_descr, NULL, 0, NULL))
278 			return;
279 		/* object name */
280 		if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
281 					  NULL))
282 			return;
283 
284 		/* Strip line number; without filename it's not very helpful. */
285 		strreplace(token, ':', '\0');
286 
287 		/* Finally, print object information. */
288 		pr_err(" [%lu, %lu) '%s'", offset, offset + size, token);
289 	}
290 }
291 
292 /* Returns true only if the address is on the current task's stack. */
293 static bool __must_check get_address_stack_frame_info(const void *addr,
294 						      unsigned long *offset,
295 						      const char **frame_descr,
296 						      const void **frame_pc)
297 {
298 	unsigned long aligned_addr;
299 	unsigned long mem_ptr;
300 	const u8 *shadow_bottom;
301 	const u8 *shadow_ptr;
302 	const unsigned long *frame;
303 
304 	BUILD_BUG_ON(IS_ENABLED(CONFIG_STACK_GROWSUP));
305 
306 	aligned_addr = round_down((unsigned long)addr, sizeof(long));
307 	mem_ptr = round_down(aligned_addr, KASAN_GRANULE_SIZE);
308 	shadow_ptr = kasan_mem_to_shadow((void *)aligned_addr);
309 	shadow_bottom = kasan_mem_to_shadow(end_of_stack(current));
310 
311 	while (shadow_ptr >= shadow_bottom && *shadow_ptr != KASAN_STACK_LEFT) {
312 		shadow_ptr--;
313 		mem_ptr -= KASAN_GRANULE_SIZE;
314 	}
315 
316 	while (shadow_ptr >= shadow_bottom && *shadow_ptr == KASAN_STACK_LEFT) {
317 		shadow_ptr--;
318 		mem_ptr -= KASAN_GRANULE_SIZE;
319 	}
320 
321 	if (shadow_ptr < shadow_bottom)
322 		return false;
323 
324 	frame = (const unsigned long *)(mem_ptr + KASAN_GRANULE_SIZE);
325 	if (frame[0] != KASAN_CURRENT_STACK_FRAME_MAGIC) {
326 		pr_err("internal error: frame has invalid marker: %lu\n",
327 		       frame[0]);
328 		return false;
329 	}
330 
331 	*offset = (unsigned long)addr - (unsigned long)frame;
332 	*frame_descr = (const char *)frame[1];
333 	*frame_pc = (void *)frame[2];
334 
335 	return true;
336 }
337 
338 void kasan_print_address_stack_frame(const void *addr)
339 {
340 	unsigned long offset;
341 	const char *frame_descr;
342 	const void *frame_pc;
343 
344 	if (WARN_ON(!object_is_on_stack(addr)))
345 		return;
346 
347 	pr_err("The buggy address belongs to stack of task %s/%d\n",
348 	       current->comm, task_pid_nr(current));
349 
350 	if (!get_address_stack_frame_info(addr, &offset, &frame_descr,
351 					  &frame_pc))
352 		return;
353 
354 	pr_err(" and is located at offset %lu in frame:\n", offset);
355 	pr_err(" %pS\n", frame_pc);
356 
357 	if (!frame_descr)
358 		return;
359 
360 	print_decoded_frame_descr(frame_descr);
361 }
362 #endif /* CONFIG_KASAN_STACK */
363 
364 #define DEFINE_ASAN_REPORT_LOAD(size)                     \
365 void __asan_report_load##size##_noabort(void *addr) \
366 {                                                         \
367 	kasan_report(addr, size, false, _RET_IP_);	  \
368 }                                                         \
369 EXPORT_SYMBOL(__asan_report_load##size##_noabort)
370 
371 #define DEFINE_ASAN_REPORT_STORE(size)                     \
372 void __asan_report_store##size##_noabort(void *addr) \
373 {                                                          \
374 	kasan_report(addr, size, true, _RET_IP_);	   \
375 }                                                          \
376 EXPORT_SYMBOL(__asan_report_store##size##_noabort)
377 
378 DEFINE_ASAN_REPORT_LOAD(1);
379 DEFINE_ASAN_REPORT_LOAD(2);
380 DEFINE_ASAN_REPORT_LOAD(4);
381 DEFINE_ASAN_REPORT_LOAD(8);
382 DEFINE_ASAN_REPORT_LOAD(16);
383 DEFINE_ASAN_REPORT_STORE(1);
384 DEFINE_ASAN_REPORT_STORE(2);
385 DEFINE_ASAN_REPORT_STORE(4);
386 DEFINE_ASAN_REPORT_STORE(8);
387 DEFINE_ASAN_REPORT_STORE(16);
388 
389 void __asan_report_load_n_noabort(void *addr, ssize_t size)
390 {
391 	kasan_report(addr, size, false, _RET_IP_);
392 }
393 EXPORT_SYMBOL(__asan_report_load_n_noabort);
394 
395 void __asan_report_store_n_noabort(void *addr, ssize_t size)
396 {
397 	kasan_report(addr, size, true, _RET_IP_);
398 }
399 EXPORT_SYMBOL(__asan_report_store_n_noabort);
400