search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'io_uring-5.11-2021-01-16' of git://git.kernel.dk/linux-block
[linux/fpc-iii.git] / mm / kasan / report_generic.c
blob8a9c889872da3041c31eba2e41b7920aa582c288
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * This file contains generic KASAN specific error reporting code.
4 *
5 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
6 * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
7 *
8 * Some code borrowed from https://github.com/xairy/kasan-prototype by
9 * Andrey Konovalov <andreyknvl@gmail.com>
10 */
11
12 #include <linux/bitops.h>
13 #include <linux/ftrace.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/mm.h>
17 #include <linux/printk.h>
18 #include <linux/sched.h>
19 #include <linux/sched/task_stack.h>
20 #include <linux/slab.h>
21 #include <linux/stackdepot.h>
22 #include <linux/stacktrace.h>
23 #include <linux/string.h>
24 #include <linux/types.h>
25 #include <linux/kasan.h>
26 #include <linux/module.h>
27
28 #include <asm/sections.h>
29
30 #include "kasan.h"
31 #include "../slab.h"
32
33 void *find_first_bad_addr(void *addr, size_t size)
34 {
35 void *p = addr;
36
37 while (p < addr + size && !(*(u8 *)kasan_mem_to_shadow(p)))
38 p += KASAN_GRANULE_SIZE;
39 return p;
40 }
41
42 static const char *get_shadow_bug_type(struct kasan_access_info *info)
43 {
44 const char *bug_type = "unknown-crash";
45 u8 *shadow_addr;
46
47 shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);
48
49 /*
50 * If shadow byte value is in [0, KASAN_GRANULE_SIZE) we can look
51 * at the next shadow byte to determine the type of the bad access.
52 */
53 if (*shadow_addr > 0 && *shadow_addr <= KASAN_GRANULE_SIZE - 1)
54 shadow_addr++;
55
56 switch (*shadow_addr) {
57 case 0 ... KASAN_GRANULE_SIZE - 1:
58 /*
59 * In theory it's still possible to see these shadow values
60 * due to a data race in the kernel code.
61 */
62 bug_type = "out-of-bounds";
63 break;
64 case KASAN_PAGE_REDZONE:
65 case KASAN_KMALLOC_REDZONE:
66 bug_type = "slab-out-of-bounds";
67 break;
68 case KASAN_GLOBAL_REDZONE:
69 bug_type = "global-out-of-bounds";
70 break;
71 case KASAN_STACK_LEFT:
72 case KASAN_STACK_MID:
73 case KASAN_STACK_RIGHT:
74 case KASAN_STACK_PARTIAL:
75 bug_type = "stack-out-of-bounds";
76 break;
77 case KASAN_FREE_PAGE:
78 case KASAN_KMALLOC_FREE:
79 case KASAN_KMALLOC_FREETRACK:
80 bug_type = "use-after-free";
81 break;
82 case KASAN_ALLOCA_LEFT:
83 case KASAN_ALLOCA_RIGHT:
84 bug_type = "alloca-out-of-bounds";
85 break;
86 case KASAN_VMALLOC_INVALID:
87 bug_type = "vmalloc-out-of-bounds";
88 break;
89 }
90
91 return bug_type;
92 }
93
94 static const char *get_wild_bug_type(struct kasan_access_info *info)
95 {
96 const char *bug_type = "unknown-crash";
97
98 if ((unsigned long)info->access_addr < PAGE_SIZE)
99 bug_type = "null-ptr-deref";
100 else if ((unsigned long)info->access_addr < TASK_SIZE)
101 bug_type = "user-memory-access";
102 else
103 bug_type = "wild-memory-access";
104
105 return bug_type;
106 }
107
108 const char *get_bug_type(struct kasan_access_info *info)
109 {
110 /*
111 * If access_size is a negative number, then it has reason to be
112 * defined as out-of-bounds bug type.
113 *
114 * Casting negative numbers to size_t would indeed turn up as
115 * a large size_t and its value will be larger than ULONG_MAX/2,
116 * so that this can qualify as out-of-bounds.
117 */
118 if (info->access_addr + info->access_size < info->access_addr)
119 return "out-of-bounds";
120
121 if (addr_has_metadata(info->access_addr))
122 return get_shadow_bug_type(info);
123 return get_wild_bug_type(info);
124 }
125
126 void metadata_fetch_row(char *buffer, void *row)
127 {
128 memcpy(buffer, kasan_mem_to_shadow(row), META_BYTES_PER_ROW);
129 }
130
131 #if CONFIG_KASAN_STACK
132 static bool __must_check tokenize_frame_descr(const char **frame_descr,
133 char *token, size_t max_tok_len,
134 unsigned long *value)
135 {
136 const char *sep = strchr(*frame_descr, ' ');
137
138 if (sep == NULL)
139 sep = *frame_descr + strlen(*frame_descr);
140
141 if (token != NULL) {
142 const size_t tok_len = sep - *frame_descr;
143
144 if (tok_len + 1 > max_tok_len) {
145 pr_err("KASAN internal error: frame description too long: %s\n",
146 *frame_descr);
147 return false;
148 }
149
150 /* Copy token (+ 1 byte for '\0'). */
151 strlcpy(token, *frame_descr, tok_len + 1);
152 }
153
154 /* Advance frame_descr past separator. */
155 *frame_descr = sep + 1;
156
157 if (value != NULL && kstrtoul(token, 10, value)) {
158 pr_err("KASAN internal error: not a valid number: %s\n", token);
159 return false;
160 }
161
162 return true;
163 }
164
165 static void print_decoded_frame_descr(const char *frame_descr)
166 {
167 /*
168 * We need to parse the following string:
169 * "n alloc_1 alloc_2 ... alloc_n"
170 * where alloc_i looks like
171 * "offset size len name"
172 * or "offset size len name:line".
173 */
174
175 char token[64];
176 unsigned long num_objects;
177
178 if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
179 &num_objects))
180 return;
181
182 pr_err("\n");
183 pr_err("this frame has %lu %s:\n", num_objects,
184 num_objects == 1 ? "object" : "objects");
185
186 while (num_objects--) {
187 unsigned long offset;
188 unsigned long size;
189
190 /* access offset */
191 if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
192 &offset))
193 return;
194 /* access size */
195 if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
196 &size))
197 return;
198 /* name length (unused) */
199 if (!tokenize_frame_descr(&frame_descr, NULL, 0, NULL))
200 return;
201 /* object name */
202 if (!tokenize_frame_descr(&frame_descr, token, sizeof(token),
203 NULL))
204 return;
205
206 /* Strip line number; without filename it's not very helpful. */
207 strreplace(token, ':', '\0');
208
209 /* Finally, print object information. */
210 pr_err(" [%lu, %lu) '%s'", offset, offset + size, token);
211 }
212 }
213
214 static bool __must_check get_address_stack_frame_info(const void *addr,
215 unsigned long *offset,
216 const char **frame_descr,
217 const void **frame_pc)
218 {
219 unsigned long aligned_addr;
220 unsigned long mem_ptr;
221 const u8 *shadow_bottom;
222 const u8 *shadow_ptr;
223 const unsigned long *frame;
224
225 BUILD_BUG_ON(IS_ENABLED(CONFIG_STACK_GROWSUP));
226
227 /*
228 * NOTE: We currently only support printing frame information for
229 * accesses to the task's own stack.
230 */
231 if (!object_is_on_stack(addr))
232 return false;
233
234 aligned_addr = round_down((unsigned long)addr, sizeof(long));
235 mem_ptr = round_down(aligned_addr, KASAN_GRANULE_SIZE);
236 shadow_ptr = kasan_mem_to_shadow((void *)aligned_addr);
237 shadow_bottom = kasan_mem_to_shadow(end_of_stack(current));
238
239 while (shadow_ptr >= shadow_bottom && *shadow_ptr != KASAN_STACK_LEFT) {
240 shadow_ptr--;
241 mem_ptr -= KASAN_GRANULE_SIZE;
242 }
243
244 while (shadow_ptr >= shadow_bottom && *shadow_ptr == KASAN_STACK_LEFT) {
245 shadow_ptr--;
246 mem_ptr -= KASAN_GRANULE_SIZE;
247 }
248
249 if (shadow_ptr < shadow_bottom)
250 return false;
251
252 frame = (const unsigned long *)(mem_ptr + KASAN_GRANULE_SIZE);
253 if (frame[0] != KASAN_CURRENT_STACK_FRAME_MAGIC) {
254 pr_err("KASAN internal error: frame info validation failed; invalid marker: %lu\n",
255 frame[0]);
256 return false;
257 }
258
259 *offset = (unsigned long)addr - (unsigned long)frame;
260 *frame_descr = (const char *)frame[1];
261 *frame_pc = (void *)frame[2];
262
263 return true;
264 }
265
266 void print_address_stack_frame(const void *addr)
267 {
268 unsigned long offset;
269 const char *frame_descr;
270 const void *frame_pc;
271
272 if (!get_address_stack_frame_info(addr, &offset, &frame_descr,
273 &frame_pc))
274 return;
275
276 /*
277 * get_address_stack_frame_info only returns true if the given addr is
278 * on the current task's stack.
279 */
280 pr_err("\n");
281 pr_err("addr %px is located in stack of task %s/%d at offset %lu in frame:\n",
282 addr, current->comm, task_pid_nr(current), offset);
283 pr_err(" %pS\n", frame_pc);
284
285 if (!frame_descr)
286 return;
287
288 print_decoded_frame_descr(frame_descr);
289 }
290 #endif /* CONFIG_KASAN_STACK */
291
292 #define DEFINE_ASAN_REPORT_LOAD(size) \
293 void __asan_report_load##size##_noabort(unsigned long addr) \
294 { \
295 kasan_report(addr, size, false, _RET_IP_); \
296 } \
297 EXPORT_SYMBOL(__asan_report_load##size##_noabort)
298
299 #define DEFINE_ASAN_REPORT_STORE(size) \
300 void __asan_report_store##size##_noabort(unsigned long addr) \
301 { \
302 kasan_report(addr, size, true, _RET_IP_); \
303 } \
304 EXPORT_SYMBOL(__asan_report_store##size##_noabort)
305
306 DEFINE_ASAN_REPORT_LOAD(1);
307 DEFINE_ASAN_REPORT_LOAD(2);
308 DEFINE_ASAN_REPORT_LOAD(4);
309 DEFINE_ASAN_REPORT_LOAD(8);
310 DEFINE_ASAN_REPORT_LOAD(16);
311 DEFINE_ASAN_REPORT_STORE(1);
312 DEFINE_ASAN_REPORT_STORE(2);
313 DEFINE_ASAN_REPORT_STORE(4);
314 DEFINE_ASAN_REPORT_STORE(8);
315 DEFINE_ASAN_REPORT_STORE(16);
316
317 void __asan_report_load_n_noabort(unsigned long addr, size_t size)
318 {
319 kasan_report(addr, size, false, _RET_IP_);
320 }
321 EXPORT_SYMBOL(__asan_report_load_n_noabort);
322
323 void __asan_report_store_n_noabort(unsigned long addr, size_t size)
324 {
325 kasan_report(addr, size, true, _RET_IP_);
326 }
327 EXPORT_SYMBOL(__asan_report_store_n_noabort);
Linux with added FPC-III support