Commit | Line | Data |
---|---|---|
e886bf9d | 1 | // SPDX-License-Identifier: GPL-2.0 |
11cd3cd6 AK |
2 | /* |
3 | * This file contains generic KASAN specific error reporting code. | |
4 | * | |
5 | * Copyright (c) 2014 Samsung Electronics Co., Ltd. | |
6 | * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com> | |
7 | * | |
8 | * Some code borrowed from https://github.com/xairy/kasan-prototype by | |
9 | * Andrey Konovalov <andreyknvl@gmail.com> | |
11cd3cd6 AK |
10 | */ |
11 | ||
12 | #include <linux/bitops.h> | |
13 | #include <linux/ftrace.h> | |
14 | #include <linux/init.h> | |
15 | #include <linux/kernel.h> | |
16 | #include <linux/mm.h> | |
17 | #include <linux/printk.h> | |
18 | #include <linux/sched.h> | |
97fc7122 | 19 | #include <linux/sched/task_stack.h> |
11cd3cd6 AK |
20 | #include <linux/slab.h> |
21 | #include <linux/stackdepot.h> | |
22 | #include <linux/stacktrace.h> | |
23 | #include <linux/string.h> | |
24 | #include <linux/types.h> | |
25 | #include <linux/kasan.h> | |
26 | #include <linux/module.h> | |
27 | ||
28 | #include <asm/sections.h> | |
29 | ||
30 | #include "kasan.h" | |
31 | #include "../slab.h" | |
32 | ||
f00748bf | 33 | void *kasan_find_first_bad_addr(void *addr, size_t size) |
11cd3cd6 | 34 | { |
121e8f81 | 35 | void *p = addr; |
11cd3cd6 | 36 | |
b9132800 AK |
37 | if (!addr_has_metadata(p)) |
38 | return p; | |
39 | ||
121e8f81 | 40 | while (p < addr + size && !(*(u8 *)kasan_mem_to_shadow(p))) |
1f600626 | 41 | p += KASAN_GRANULE_SIZE; |
b9132800 | 42 | |
121e8f81 | 43 | return p; |
11cd3cd6 AK |
44 | } |
45 | ||
c965cdd6 | 46 | static const char *get_shadow_bug_type(struct kasan_report_info *info) |
11cd3cd6 AK |
47 | { |
48 | const char *bug_type = "unknown-crash"; | |
49 | u8 *shadow_addr; | |
50 | ||
11cd3cd6 AK |
51 | shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr); |
52 | ||
53 | /* | |
1f600626 | 54 | * If shadow byte value is in [0, KASAN_GRANULE_SIZE) we can look |
11cd3cd6 AK |
55 | * at the next shadow byte to determine the type of the bad access. |
56 | */ | |
1f600626 | 57 | if (*shadow_addr > 0 && *shadow_addr <= KASAN_GRANULE_SIZE - 1) |
11cd3cd6 AK |
58 | shadow_addr++; |
59 | ||
60 | switch (*shadow_addr) { | |
1f600626 | 61 | case 0 ... KASAN_GRANULE_SIZE - 1: |
11cd3cd6 AK |
62 | /* |
63 | * In theory it's still possible to see these shadow values | |
64 | * due to a data race in the kernel code. | |
65 | */ | |
66 | bug_type = "out-of-bounds"; | |
67 | break; | |
68 | case KASAN_PAGE_REDZONE: | |
06bc4cf6 | 69 | case KASAN_SLAB_REDZONE: |
11cd3cd6 AK |
70 | bug_type = "slab-out-of-bounds"; |
71 | break; | |
72 | case KASAN_GLOBAL_REDZONE: | |
73 | bug_type = "global-out-of-bounds"; | |
74 | break; | |
75 | case KASAN_STACK_LEFT: | |
76 | case KASAN_STACK_MID: | |
77 | case KASAN_STACK_RIGHT: | |
78 | case KASAN_STACK_PARTIAL: | |
79 | bug_type = "stack-out-of-bounds"; | |
80 | break; | |
06bc4cf6 AK |
81 | case KASAN_PAGE_FREE: |
82 | case KASAN_SLAB_FREE: | |
83 | case KASAN_SLAB_FREETRACK: | |
11cd3cd6 AK |
84 | bug_type = "use-after-free"; |
85 | break; | |
11cd3cd6 AK |
86 | case KASAN_ALLOCA_LEFT: |
87 | case KASAN_ALLOCA_RIGHT: | |
88 | bug_type = "alloca-out-of-bounds"; | |
89 | break; | |
3c5c3cfb DA |
90 | case KASAN_VMALLOC_INVALID: |
91 | bug_type = "vmalloc-out-of-bounds"; | |
92 | break; | |
11cd3cd6 AK |
93 | } |
94 | ||
95 | return bug_type; | |
96 | } | |
97 | ||
c965cdd6 | 98 | static const char *get_wild_bug_type(struct kasan_report_info *info) |
11cd3cd6 AK |
99 | { |
100 | const char *bug_type = "unknown-crash"; | |
101 | ||
102 | if ((unsigned long)info->access_addr < PAGE_SIZE) | |
103 | bug_type = "null-ptr-deref"; | |
104 | else if ((unsigned long)info->access_addr < TASK_SIZE) | |
105 | bug_type = "user-memory-access"; | |
106 | else | |
107 | bug_type = "wild-memory-access"; | |
108 | ||
109 | return bug_type; | |
110 | } | |
111 | ||
c965cdd6 | 112 | const char *kasan_get_bug_type(struct kasan_report_info *info) |
11cd3cd6 | 113 | { |
8cceeff4 WW |
114 | /* |
115 | * If access_size is a negative number, then it has reason to be | |
116 | * defined as out-of-bounds bug type. | |
117 | * | |
118 | * Casting negative numbers to size_t would indeed turn up as | |
119 | * a large size_t and its value will be larger than ULONG_MAX/2, | |
120 | * so that this can qualify as out-of-bounds. | |
121 | */ | |
122 | if (info->access_addr + info->access_size < info->access_addr) | |
123 | return "out-of-bounds"; | |
124 | ||
6882464f | 125 | if (addr_has_metadata(info->access_addr)) |
11cd3cd6 AK |
126 | return get_shadow_bug_type(info); |
127 | return get_wild_bug_type(info); | |
128 | } | |
129 | ||
f00748bf | 130 | void kasan_metadata_fetch_row(char *buffer, void *row) |
96e0279d AK |
131 | { |
132 | memcpy(buffer, kasan_mem_to_shadow(row), META_BYTES_PER_ROW); | |
133 | } | |
134 | ||
02c58773 | 135 | #ifdef CONFIG_KASAN_STACK |
97fc7122 AK |
136 | static bool __must_check tokenize_frame_descr(const char **frame_descr, |
137 | char *token, size_t max_tok_len, | |
138 | unsigned long *value) | |
139 | { | |
140 | const char *sep = strchr(*frame_descr, ' '); | |
141 | ||
142 | if (sep == NULL) | |
143 | sep = *frame_descr + strlen(*frame_descr); | |
144 | ||
145 | if (token != NULL) { | |
146 | const size_t tok_len = sep - *frame_descr; | |
147 | ||
148 | if (tok_len + 1 > max_tok_len) { | |
149 | pr_err("KASAN internal error: frame description too long: %s\n", | |
150 | *frame_descr); | |
151 | return false; | |
152 | } | |
153 | ||
154 | /* Copy token (+ 1 byte for '\0'). */ | |
f76e0c41 | 155 | strscpy(token, *frame_descr, tok_len + 1); |
97fc7122 AK |
156 | } |
157 | ||
158 | /* Advance frame_descr past separator. */ | |
159 | *frame_descr = sep + 1; | |
160 | ||
161 | if (value != NULL && kstrtoul(token, 10, value)) { | |
162 | pr_err("KASAN internal error: not a valid number: %s\n", token); | |
163 | return false; | |
164 | } | |
165 | ||
166 | return true; | |
167 | } | |
168 | ||
169 | static void print_decoded_frame_descr(const char *frame_descr) | |
170 | { | |
171 | /* | |
172 | * We need to parse the following string: | |
173 | * "n alloc_1 alloc_2 ... alloc_n" | |
174 | * where alloc_i looks like | |
175 | * "offset size len name" | |
176 | * or "offset size len name:line". | |
177 | */ | |
178 | ||
179 | char token[64]; | |
180 | unsigned long num_objects; | |
181 | ||
182 | if (!tokenize_frame_descr(&frame_descr, token, sizeof(token), | |
183 | &num_objects)) | |
184 | return; | |
185 | ||
186 | pr_err("\n"); | |
16347c31 | 187 | pr_err("This frame has %lu %s:\n", num_objects, |
97fc7122 AK |
188 | num_objects == 1 ? "object" : "objects"); |
189 | ||
190 | while (num_objects--) { | |
191 | unsigned long offset; | |
192 | unsigned long size; | |
193 | ||
194 | /* access offset */ | |
195 | if (!tokenize_frame_descr(&frame_descr, token, sizeof(token), | |
196 | &offset)) | |
197 | return; | |
198 | /* access size */ | |
199 | if (!tokenize_frame_descr(&frame_descr, token, sizeof(token), | |
200 | &size)) | |
201 | return; | |
202 | /* name length (unused) */ | |
203 | if (!tokenize_frame_descr(&frame_descr, NULL, 0, NULL)) | |
204 | return; | |
205 | /* object name */ | |
206 | if (!tokenize_frame_descr(&frame_descr, token, sizeof(token), | |
207 | NULL)) | |
208 | return; | |
209 | ||
210 | /* Strip line number; without filename it's not very helpful. */ | |
211 | strreplace(token, ':', '\0'); | |
212 | ||
213 | /* Finally, print object information. */ | |
214 | pr_err(" [%lu, %lu) '%s'", offset, offset + size, token); | |
215 | } | |
216 | } | |
217 | ||
0f9b35f3 | 218 | /* Returns true only if the address is on the current task's stack. */ |
97fc7122 AK |
219 | static bool __must_check get_address_stack_frame_info(const void *addr, |
220 | unsigned long *offset, | |
221 | const char **frame_descr, | |
222 | const void **frame_pc) | |
223 | { | |
224 | unsigned long aligned_addr; | |
225 | unsigned long mem_ptr; | |
226 | const u8 *shadow_bottom; | |
227 | const u8 *shadow_ptr; | |
228 | const unsigned long *frame; | |
229 | ||
230 | BUILD_BUG_ON(IS_ENABLED(CONFIG_STACK_GROWSUP)); | |
231 | ||
97fc7122 AK |
232 | aligned_addr = round_down((unsigned long)addr, sizeof(long)); |
233 | mem_ptr = round_down(aligned_addr, KASAN_GRANULE_SIZE); | |
234 | shadow_ptr = kasan_mem_to_shadow((void *)aligned_addr); | |
235 | shadow_bottom = kasan_mem_to_shadow(end_of_stack(current)); | |
236 | ||
237 | while (shadow_ptr >= shadow_bottom && *shadow_ptr != KASAN_STACK_LEFT) { | |
238 | shadow_ptr--; | |
239 | mem_ptr -= KASAN_GRANULE_SIZE; | |
240 | } | |
241 | ||
242 | while (shadow_ptr >= shadow_bottom && *shadow_ptr == KASAN_STACK_LEFT) { | |
243 | shadow_ptr--; | |
244 | mem_ptr -= KASAN_GRANULE_SIZE; | |
245 | } | |
246 | ||
247 | if (shadow_ptr < shadow_bottom) | |
248 | return false; | |
249 | ||
250 | frame = (const unsigned long *)(mem_ptr + KASAN_GRANULE_SIZE); | |
251 | if (frame[0] != KASAN_CURRENT_STACK_FRAME_MAGIC) { | |
252 | pr_err("KASAN internal error: frame info validation failed; invalid marker: %lu\n", | |
253 | frame[0]); | |
254 | return false; | |
255 | } | |
256 | ||
257 | *offset = (unsigned long)addr - (unsigned long)frame; | |
258 | *frame_descr = (const char *)frame[1]; | |
259 | *frame_pc = (void *)frame[2]; | |
260 | ||
261 | return true; | |
262 | } | |
263 | ||
f00748bf | 264 | void kasan_print_address_stack_frame(const void *addr) |
97fc7122 AK |
265 | { |
266 | unsigned long offset; | |
267 | const char *frame_descr; | |
268 | const void *frame_pc; | |
269 | ||
0f9b35f3 AK |
270 | if (WARN_ON(!object_is_on_stack(addr))) |
271 | return; | |
272 | ||
16347c31 AK |
273 | pr_err("The buggy address belongs to stack of task %s/%d\n", |
274 | current->comm, task_pid_nr(current)); | |
275 | ||
97fc7122 AK |
276 | if (!get_address_stack_frame_info(addr, &offset, &frame_descr, |
277 | &frame_pc)) | |
278 | return; | |
279 | ||
16347c31 | 280 | pr_err(" and is located at offset %lu in frame:\n", offset); |
97fc7122 AK |
281 | pr_err(" %pS\n", frame_pc); |
282 | ||
283 | if (!frame_descr) | |
284 | return; | |
285 | ||
286 | print_decoded_frame_descr(frame_descr); | |
287 | } | |
288 | #endif /* CONFIG_KASAN_STACK */ | |
289 | ||
11cd3cd6 AK |
290 | #define DEFINE_ASAN_REPORT_LOAD(size) \ |
291 | void __asan_report_load##size##_noabort(unsigned long addr) \ | |
292 | { \ | |
293 | kasan_report(addr, size, false, _RET_IP_); \ | |
294 | } \ | |
295 | EXPORT_SYMBOL(__asan_report_load##size##_noabort) | |
296 | ||
297 | #define DEFINE_ASAN_REPORT_STORE(size) \ | |
298 | void __asan_report_store##size##_noabort(unsigned long addr) \ | |
299 | { \ | |
300 | kasan_report(addr, size, true, _RET_IP_); \ | |
301 | } \ | |
302 | EXPORT_SYMBOL(__asan_report_store##size##_noabort) | |
303 | ||
304 | DEFINE_ASAN_REPORT_LOAD(1); | |
305 | DEFINE_ASAN_REPORT_LOAD(2); | |
306 | DEFINE_ASAN_REPORT_LOAD(4); | |
307 | DEFINE_ASAN_REPORT_LOAD(8); | |
308 | DEFINE_ASAN_REPORT_LOAD(16); | |
309 | DEFINE_ASAN_REPORT_STORE(1); | |
310 | DEFINE_ASAN_REPORT_STORE(2); | |
311 | DEFINE_ASAN_REPORT_STORE(4); | |
312 | DEFINE_ASAN_REPORT_STORE(8); | |
313 | DEFINE_ASAN_REPORT_STORE(16); | |
314 | ||
315 | void __asan_report_load_n_noabort(unsigned long addr, size_t size) | |
316 | { | |
317 | kasan_report(addr, size, false, _RET_IP_); | |
318 | } | |
319 | EXPORT_SYMBOL(__asan_report_load_n_noabort); | |
320 | ||
321 | void __asan_report_store_n_noabort(unsigned long addr, size_t size) | |
322 | { | |
323 | kasan_report(addr, size, true, _RET_IP_); | |
324 | } | |
325 | EXPORT_SYMBOL(__asan_report_store_n_noabort); |