[linux-block.git] / mm / kasan / report_generic.c

// SPDX-License-Identifier: GPL-2.0
/*
 * This file contains generic KASAN specific error reporting code.
 *
 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
 * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
 *
 * Some code borrowed from https://github.com/xairy/kasan-prototype by
 *        Andrey Konovalov <andreyknvl@gmail.com>
 */

#include <linux/bitops.h>
#include <linux/ftrace.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/printk.h>
#include <linux/sched.h>
#include <linux/sched/task_stack.h>
#include <linux/slab.h>
#include <linux/stackdepot.h>
#include <linux/stacktrace.h>
#include <linux/string.h>
#include <linux/types.h>
#include <linux/kasan.h>
#include <linux/module.h>

#include <asm/sections.h>

#include "kasan.h"
#include "../slab.h"

void *kasan_find_first_bad_addr(void *addr, size_t size)
{
	void *p = addr;

	if (!addr_has_metadata(p))
		return p;

	while (p < addr + size && !(*(u8 *)kasan_mem_to_shadow(p)))
		p += KASAN_GRANULE_SIZE;

	return p;
}

static const char *get_shadow_bug_type(struct kasan_report_info *info)
{
	const char *bug_type = "unknown-crash";
	u8 *shadow_addr;

	shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);

	/*
	 * If shadow byte value is in [0, KASAN_GRANULE_SIZE) we can look
	 * at the next shadow byte to determine the type of the bad access.
	 */
	if (*shadow_addr > 0 && *shadow_addr <= KASAN_GRANULE_SIZE - 1)
		shadow_addr++;

	switch (*shadow_addr) {
	case 0 ... KASAN_GRANULE_SIZE - 1:
		/*
		 * In theory it's still possible to see these shadow values
		 * due to a data race in the kernel code.
		 */
		bug_type = "out-of-bounds";
		break;
	case KASAN_PAGE_REDZONE:
	case KASAN_SLAB_REDZONE:
		bug_type = "slab-out-of-bounds";
		break;
	case KASAN_GLOBAL_REDZONE:
		bug_type = "global-out-of-bounds";
		break;
	case KASAN_STACK_LEFT:
	case KASAN_STACK_MID:
	case KASAN_STACK_RIGHT:
	case KASAN_STACK_PARTIAL:
		bug_type = "stack-out-of-bounds";
		break;
	case KASAN_PAGE_FREE:
	case KASAN_SLAB_FREE:
	case KASAN_SLAB_FREETRACK:
		bug_type = "use-after-free";
		break;
	case KASAN_ALLOCA_LEFT:
	case KASAN_ALLOCA_RIGHT:
		bug_type = "alloca-out-of-bounds";
		break;
	case KASAN_VMALLOC_INVALID:
		bug_type = "vmalloc-out-of-bounds";
		break;
	}

	return bug_type;
}

static const char *get_wild_bug_type(struct kasan_report_info *info)
{
	const char *bug_type = "unknown-crash";

	if ((unsigned long)info->access_addr < PAGE_SIZE)
		bug_type = "null-ptr-deref";
	else if ((unsigned long)info->access_addr < TASK_SIZE)
		bug_type = "user-memory-access";
	else
		bug_type = "wild-memory-access";

	return bug_type;
}

const char *kasan_get_bug_type(struct kasan_report_info *info)
{
	/*
	 * If access_size is a negative number, then it has reason to be
	 * defined as out-of-bounds bug type.
	 *
	 * Casting negative numbers to size_t would indeed turn up as
	 * a large size_t and its value will be larger than ULONG_MAX/2,
	 * so that this can qualify as out-of-bounds.
	 */
	if (info->access_addr + info->access_size < info->access_addr)
		return "out-of-bounds";

	if (addr_has_metadata(info->access_addr))
		return get_shadow_bug_type(info);
	return get_wild_bug_type(info);
}

void kasan_metadata_fetch_row(char *buffer, void *row)
{
	memcpy(buffer, kasan_mem_to_shadow(row), META_BYTES_PER_ROW);
}

#ifdef CONFIG_KASAN_STACK
static bool __must_check tokenize_frame_descr(const char **frame_descr,
					      char *token, size_t max_tok_len,
					      unsigned long *value)
{
	const char *sep = strchr(*frame_descr, ' ');

	if (sep == NULL)
		sep = *frame_descr + strlen(*frame_descr);

	if (token != NULL) {
		const size_t tok_len = sep - *frame_descr;

		if (tok_len + 1 > max_tok_len) {
			pr_err("KASAN internal error: frame description too long: %s\n",
			       *frame_descr);
			return false;
		}

		/* Copy token (+ 1 byte for '\0'). */
		strscpy(token, *frame_descr, tok_len + 1);
	}

	/* Advance frame_descr past separator. */
	*frame_descr = sep + 1;

	if (value != NULL && kstrtoul(token, 10, value)) {
		pr_err("KASAN internal error: not a valid number: %s\n", token);
		return false;
	}

	return true;
}

static void print_decoded_frame_descr(const char *frame_descr)
{
	/*
	 * We need to parse the following string:
	 *    "n alloc_1 alloc_2 ... alloc_n"
	 * where alloc_i looks like
	 *    "offset size len name"
	 * or "offset size len name:line".
	 */

	char token[64];
	unsigned long num_objects;

	if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
				  &num_objects))
		return;

	pr_err("\n");
	pr_err("This frame has %lu %s:\n", num_objects,
	       num_objects == 1 ? "object" : "objects");

	while (num_objects--) {
		unsigned long offset;
		unsigned long size;

		/* access offset */
		if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
					  &offset))
			return;
		/* access size */
		if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
					  &size))
			return;
		/* name length (unused) */
		if (!tokenize_frame_descr(&frame_descr, NULL, 0, NULL))
			return;
		/* object name */
		if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
					  NULL))
			return;

		/* Strip line number; without filename it's not very helpful. */
		strreplace(token, ':', '\0');

		/* Finally, print object information. */
		pr_err(" [%lu, %lu) '%s'", offset, offset + size, token);
	}
}

/* Returns true only if the address is on the current task's stack. */
static bool __must_check get_address_stack_frame_info(const void *addr,
						      unsigned long *offset,
						      const char **frame_descr,
						      const void **frame_pc)
{
	unsigned long aligned_addr;
	unsigned long mem_ptr;
	const u8 *shadow_bottom;
	const u8 *shadow_ptr;
	const unsigned long *frame;

	BUILD_BUG_ON(IS_ENABLED(CONFIG_STACK_GROWSUP));

	aligned_addr = round_down((unsigned long)addr, sizeof(long));
	mem_ptr = round_down(aligned_addr, KASAN_GRANULE_SIZE);
	shadow_ptr = kasan_mem_to_shadow((void *)aligned_addr);
	shadow_bottom = kasan_mem_to_shadow(end_of_stack(current));

	while (shadow_ptr >= shadow_bottom && *shadow_ptr != KASAN_STACK_LEFT) {
		shadow_ptr--;
		mem_ptr -= KASAN_GRANULE_SIZE;
	}

	while (shadow_ptr >= shadow_bottom && *shadow_ptr == KASAN_STACK_LEFT) {
		shadow_ptr--;
		mem_ptr -= KASAN_GRANULE_SIZE;
	}

	if (shadow_ptr < shadow_bottom)
		return false;

	frame = (const unsigned long *)(mem_ptr + KASAN_GRANULE_SIZE);
	if (frame[0] != KASAN_CURRENT_STACK_FRAME_MAGIC) {
		pr_err("KASAN internal error: frame info validation failed; invalid marker: %lu\n",
		       frame[0]);
		return false;
	}

	*offset = (unsigned long)addr - (unsigned long)frame;
	*frame_descr = (const char *)frame[1];
	*frame_pc = (void *)frame[2];

	return true;
}

void kasan_print_address_stack_frame(const void *addr)
{
	unsigned long offset;
	const char *frame_descr;
	const void *frame_pc;

	if (WARN_ON(!object_is_on_stack(addr)))
		return;

	pr_err("The buggy address belongs to stack of task %s/%d\n",
	       current->comm, task_pid_nr(current));

	if (!get_address_stack_frame_info(addr, &offset, &frame_descr,
					  &frame_pc))
		return;

	pr_err(" and is located at offset %lu in frame:\n", offset);
	pr_err(" %pS\n", frame_pc);

	if (!frame_descr)
		return;

	print_decoded_frame_descr(frame_descr);
}
#endif /* CONFIG_KASAN_STACK */

#define DEFINE_ASAN_REPORT_LOAD(size)                     \
void __asan_report_load##size##_noabort(unsigned long addr) \
{                                                         \
	kasan_report(addr, size, false, _RET_IP_);	  \
}                                                         \
EXPORT_SYMBOL(__asan_report_load##size##_noabort)

#define DEFINE_ASAN_REPORT_STORE(size)                     \
void __asan_report_store##size##_noabort(unsigned long addr) \
{                                                          \
	kasan_report(addr, size, true, _RET_IP_);	   \
}                                                          \
EXPORT_SYMBOL(__asan_report_store##size##_noabort)

DEFINE_ASAN_REPORT_LOAD(1);
DEFINE_ASAN_REPORT_LOAD(2);
DEFINE_ASAN_REPORT_LOAD(4);
DEFINE_ASAN_REPORT_LOAD(8);
DEFINE_ASAN_REPORT_LOAD(16);
DEFINE_ASAN_REPORT_STORE(1);
DEFINE_ASAN_REPORT_STORE(2);
DEFINE_ASAN_REPORT_STORE(4);
DEFINE_ASAN_REPORT_STORE(8);
DEFINE_ASAN_REPORT_STORE(16);

void __asan_report_load_n_noabort(unsigned long addr, size_t size)
{
	kasan_report(addr, size, false, _RET_IP_);
}
EXPORT_SYMBOL(__asan_report_load_n_noabort);

void __asan_report_store_n_noabort(unsigned long addr, size_t size)
{
	kasan_report(addr, size, true, _RET_IP_);
}
EXPORT_SYMBOL(__asan_report_store_n_noabort);
Commit	Line	Data
e886bf9d	1	// SPDX-License-Identifier: GPL-2.0
11cd3cd6 AK	2	/*
	3	* This file contains generic KASAN specific error reporting code.
	4	*
	5	* Copyright (c) 2014 Samsung Electronics Co., Ltd.
	6	* Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
	7	*
	8	* Some code borrowed from https://github.com/xairy/kasan-prototype by
	9	* Andrey Konovalov <andreyknvl@gmail.com>
11cd3cd6 AK	10	*/
	11
	12	#include <linux/bitops.h>
	13	#include <linux/ftrace.h>
	14	#include <linux/init.h>
	15	#include <linux/kernel.h>
	16	#include <linux/mm.h>
	17	#include <linux/printk.h>
	18	#include <linux/sched.h>
97fc7122	19	#include <linux/sched/task_stack.h>
11cd3cd6 AK	20	#include <linux/slab.h>
	21	#include <linux/stackdepot.h>
	22	#include <linux/stacktrace.h>
	23	#include <linux/string.h>
	24	#include <linux/types.h>
	25	#include <linux/kasan.h>
	26	#include <linux/module.h>
	27
	28	#include <asm/sections.h>
	29
	30	#include "kasan.h"
	31	#include "../slab.h"
	32
f00748bf	33	void kasan_find_first_bad_addr(void addr, size_t size)
11cd3cd6	34	{
121e8f81	35	void *p = addr;
11cd3cd6	36
b9132800 AK	37	if (!addr_has_metadata(p))
	38	return p;
	39
121e8f81	40	while (p < addr + size && !((u8 )kasan_mem_to_shadow(p)))
1f600626	41	p += KASAN_GRANULE_SIZE;
b9132800	42
121e8f81	43	return p;
11cd3cd6 AK	44	}
11cd3cd6 AK	45
c965cdd6	46	static const char get_shadow_bug_type(struct kasan_report_info info)
11cd3cd6 AK	47	{
	48	const char *bug_type = "unknown-crash";
	49	u8 *shadow_addr;
	50
11cd3cd6 AK	51	shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);
	52
	53	/*
1f600626	54	* If shadow byte value is in [0, KASAN_GRANULE_SIZE) we can look
11cd3cd6 AK	55	* at the next shadow byte to determine the type of the bad access.
11cd3cd6 AK	56	*/
1f600626	57	if (shadow_addr > 0 && shadow_addr <= KASAN_GRANULE_SIZE - 1)
11cd3cd6 AK	58	shadow_addr++;
	59
	60	switch (*shadow_addr) {
1f600626	61	case 0 ... KASAN_GRANULE_SIZE - 1:
11cd3cd6 AK	62	/*
	63	* In theory it's still possible to see these shadow values
	64	* due to a data race in the kernel code.
	65	*/
	66	bug_type = "out-of-bounds";
	67	break;
	68	case KASAN_PAGE_REDZONE:
06bc4cf6	69	case KASAN_SLAB_REDZONE:
11cd3cd6 AK	70	bug_type = "slab-out-of-bounds";
	71	break;
	72	case KASAN_GLOBAL_REDZONE:
	73	bug_type = "global-out-of-bounds";
	74	break;
	75	case KASAN_STACK_LEFT:
	76	case KASAN_STACK_MID:
	77	case KASAN_STACK_RIGHT:
	78	case KASAN_STACK_PARTIAL:
	79	bug_type = "stack-out-of-bounds";
	80	break;
06bc4cf6 AK	81	case KASAN_PAGE_FREE:
	82	case KASAN_SLAB_FREE:
	83	case KASAN_SLAB_FREETRACK:
11cd3cd6 AK	84	bug_type = "use-after-free";
11cd3cd6 AK	85	break;
11cd3cd6 AK	86	case KASAN_ALLOCA_LEFT:
	87	case KASAN_ALLOCA_RIGHT:
	88	bug_type = "alloca-out-of-bounds";
	89	break;
3c5c3cfb DA	90	case KASAN_VMALLOC_INVALID:
	91	bug_type = "vmalloc-out-of-bounds";
	92	break;
11cd3cd6 AK	93	}
	94
	95	return bug_type;
	96	}
	97
c965cdd6	98	static const char get_wild_bug_type(struct kasan_report_info info)
11cd3cd6 AK	99	{
	100	const char *bug_type = "unknown-crash";
	101
	102	if ((unsigned long)info->access_addr < PAGE_SIZE)
	103	bug_type = "null-ptr-deref";
	104	else if ((unsigned long)info->access_addr < TASK_SIZE)
	105	bug_type = "user-memory-access";
	106	else
	107	bug_type = "wild-memory-access";
	108
	109	return bug_type;
	110	}
	111
c965cdd6	112	const char kasan_get_bug_type(struct kasan_report_info info)
11cd3cd6	113	{
8cceeff4 WW	114	/*
	115	* If access_size is a negative number, then it has reason to be
	116	* defined as out-of-bounds bug type.
	117	*
	118	* Casting negative numbers to size_t would indeed turn up as
	119	* a large size_t and its value will be larger than ULONG_MAX/2,
	120	* so that this can qualify as out-of-bounds.
	121	*/
	122	if (info->access_addr + info->access_size < info->access_addr)
	123	return "out-of-bounds";
	124
6882464f	125	if (addr_has_metadata(info->access_addr))
11cd3cd6 AK	126	return get_shadow_bug_type(info);
	127	return get_wild_bug_type(info);
	128	}
	129
f00748bf	130	void kasan_metadata_fetch_row(char buffer, void row)
96e0279d AK	131	{
	132	memcpy(buffer, kasan_mem_to_shadow(row), META_BYTES_PER_ROW);
	133	}
	134
02c58773	135	#ifdef CONFIG_KASAN_STACK
97fc7122 AK	136	static bool __must_check tokenize_frame_descr(const char **frame_descr,
	137	char *token, size_t max_tok_len,
	138	unsigned long *value)
	139	{
	140	const char sep = strchr(frame_descr, ' ');
	141
	142	if (sep == NULL)
	143	sep = frame_descr + strlen(frame_descr);
	144
	145	if (token != NULL) {
	146	const size_t tok_len = sep - *frame_descr;
	147
	148	if (tok_len + 1 > max_tok_len) {
	149	pr_err("KASAN internal error: frame description too long: %s\n",
	150	*frame_descr);
	151	return false;
	152	}
	153
	154	/* Copy token (+ 1 byte for '\0'). */
f76e0c41	155	strscpy(token, *frame_descr, tok_len + 1);
97fc7122 AK	156	}
	157
	158	/* Advance frame_descr past separator. */
	159	*frame_descr = sep + 1;
	160
	161	if (value != NULL && kstrtoul(token, 10, value)) {
	162	pr_err("KASAN internal error: not a valid number: %s\n", token);
	163	return false;
	164	}
	165
	166	return true;
	167	}
	168
	169	static void print_decoded_frame_descr(const char *frame_descr)
	170	{
	171	/*
	172	* We need to parse the following string:
	173	* "n alloc_1 alloc_2 ... alloc_n"
	174	* where alloc_i looks like
	175	* "offset size len name"
	176	* or "offset size len name:line".
	177	*/
	178
	179	char token[64];
	180	unsigned long num_objects;
	181
	182	if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
	183	&num_objects))
	184	return;
	185
	186	pr_err("\n");
16347c31	187	pr_err("This frame has %lu %s:\n", num_objects,
97fc7122 AK	188	num_objects == 1 ? "object" : "objects");
	189
	190	while (num_objects--) {
	191	unsigned long offset;
	192	unsigned long size;
	193
	194	/* access offset */
	195	if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
	196	&offset))
	197	return;
	198	/* access size */
	199	if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
	200	&size))
	201	return;
	202	/* name length (unused) */
	203	if (!tokenize_frame_descr(&frame_descr, NULL, 0, NULL))
	204	return;
	205	/* object name */
	206	if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
	207	NULL))
	208	return;
	209
	210	/* Strip line number; without filename it's not very helpful. */
	211	strreplace(token, ':', '\0');
	212
	213	/* Finally, print object information. */
	214	pr_err(" [%lu, %lu) '%s'", offset, offset + size, token);
	215	}
	216	}
	217
0f9b35f3	218	/* Returns true only if the address is on the current task's stack. */
97fc7122 AK	219	static bool __must_check get_address_stack_frame_info(const void *addr,
	220	unsigned long *offset,
	221	const char **frame_descr,
	222	const void **frame_pc)
	223	{
	224	unsigned long aligned_addr;
	225	unsigned long mem_ptr;
	226	const u8 *shadow_bottom;
	227	const u8 *shadow_ptr;
	228	const unsigned long *frame;
	229
	230	BUILD_BUG_ON(IS_ENABLED(CONFIG_STACK_GROWSUP));
	231
97fc7122 AK	232	aligned_addr = round_down((unsigned long)addr, sizeof(long));
	233	mem_ptr = round_down(aligned_addr, KASAN_GRANULE_SIZE);
	234	shadow_ptr = kasan_mem_to_shadow((void *)aligned_addr);
	235	shadow_bottom = kasan_mem_to_shadow(end_of_stack(current));
	236
	237	while (shadow_ptr >= shadow_bottom && *shadow_ptr != KASAN_STACK_LEFT) {
	238	shadow_ptr--;
	239	mem_ptr -= KASAN_GRANULE_SIZE;
	240	}
	241
	242	while (shadow_ptr >= shadow_bottom && *shadow_ptr == KASAN_STACK_LEFT) {
	243	shadow_ptr--;
	244	mem_ptr -= KASAN_GRANULE_SIZE;
	245	}
	246
	247	if (shadow_ptr < shadow_bottom)
	248	return false;
	249
	250	frame = (const unsigned long *)(mem_ptr + KASAN_GRANULE_SIZE);
	251	if (frame[0] != KASAN_CURRENT_STACK_FRAME_MAGIC) {
	252	pr_err("KASAN internal error: frame info validation failed; invalid marker: %lu\n",
	253	frame[0]);
	254	return false;
	255	}
	256
	257	*offset = (unsigned long)addr - (unsigned long)frame;
	258	frame_descr = (const char )frame[1];
	259	frame_pc = (void )frame[2];
	260
	261	return true;
	262	}
	263
f00748bf	264	void kasan_print_address_stack_frame(const void *addr)
97fc7122 AK	265	{
	266	unsigned long offset;
	267	const char *frame_descr;
	268	const void *frame_pc;
	269
0f9b35f3 AK	270	if (WARN_ON(!object_is_on_stack(addr)))
	271	return;
	272
16347c31 AK	273	pr_err("The buggy address belongs to stack of task %s/%d\n",
	274	current->comm, task_pid_nr(current));
	275
97fc7122 AK	276	if (!get_address_stack_frame_info(addr, &offset, &frame_descr,
	277	&frame_pc))
	278	return;
	279
16347c31	280	pr_err(" and is located at offset %lu in frame:\n", offset);
97fc7122 AK	281	pr_err(" %pS\n", frame_pc);
	282
	283	if (!frame_descr)
	284	return;
	285
	286	print_decoded_frame_descr(frame_descr);
	287	}
	288	#endif /* CONFIG_KASAN_STACK */
	289
11cd3cd6 AK	290	#define DEFINE_ASAN_REPORT_LOAD(size) \
	291	void __asan_report_load##size##_noabort(unsigned long addr) \
	292	{ \
	293	kasan_report(addr, size, false, _RET_IP_); \
	294	} \
	295	EXPORT_SYMBOL(__asan_report_load##size##_noabort)
	296
	297	#define DEFINE_ASAN_REPORT_STORE(size) \
	298	void __asan_report_store##size##_noabort(unsigned long addr) \
	299	{ \
	300	kasan_report(addr, size, true, _RET_IP_); \
	301	} \
	302	EXPORT_SYMBOL(__asan_report_store##size##_noabort)
	303
	304	DEFINE_ASAN_REPORT_LOAD(1);
	305	DEFINE_ASAN_REPORT_LOAD(2);
	306	DEFINE_ASAN_REPORT_LOAD(4);
	307	DEFINE_ASAN_REPORT_LOAD(8);
	308	DEFINE_ASAN_REPORT_LOAD(16);
	309	DEFINE_ASAN_REPORT_STORE(1);
	310	DEFINE_ASAN_REPORT_STORE(2);
	311	DEFINE_ASAN_REPORT_STORE(4);
	312	DEFINE_ASAN_REPORT_STORE(8);
	313	DEFINE_ASAN_REPORT_STORE(16);
	314
	315	void __asan_report_load_n_noabort(unsigned long addr, size_t size)
	316	{
	317	kasan_report(addr, size, false, _RET_IP_);
	318	}
	319	EXPORT_SYMBOL(__asan_report_load_n_noabort);
	320
	321	void __asan_report_store_n_noabort(unsigned long addr, size_t size)
	322	{
	323	kasan_report(addr, size, true, _RET_IP_);
	324	}
	325	EXPORT_SYMBOL(__asan_report_store_n_noabort);