x86/kasan: Print original address on #GP

author Jann Horn <jannh@google.com>

Wed, 18 Dec 2019 23:11:50 +0000 (00:11 +0100)

committer Borislav Petkov <bp@suse.de>

Tue, 31 Dec 2019 12:15:38 +0000 (13:15 +0100)
author Jann Horn <jannh@google.com>
Wed, 18 Dec 2019 23:11:50 +0000 (00:11 +0100)
committer Borislav Petkov <bp@suse.de>
Tue, 31 Dec 2019 12:15:38 +0000 (13:15 +0100)
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c

index 8995bf10c97c6a394cae6a846dcef6c2b9fe52ca..ae64ec7f752f401f970d9d3cd3e7722aeb72d60e 100644 (file)
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -427,6 +427,8 @@ void die_addr(const char *str, struct pt_regs *regs, long err, long gp_addr)
         int sig = SIGSEGV;
  
         __die_header(str, regs, err);
+       if (gp_addr)
+               kasan_non_canonical_hook(gp_addr);
         if (__die_body(str, regs, err))
                 sig = 0;
         oops_end(flags, regs, sig);
diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c

index cf5bc37c90ac0bcad59ea7ed7f3954c7f4c8ecb0..763e71abc0fec7d4083feae66f73f49161c781bb 100644 (file)
--- a/arch/x86/mm/kasan_init_64.c
+++ b/arch/x86/mm/kasan_init_64.c
@@ -288,23 +288,6 @@ static void __init kasan_shallow_populate_pgds(void *start, void *end)
         } while (pgd++, addr = next, addr != (unsigned long)end);
  }
  
-#ifdef CONFIG_KASAN_INLINE
-static int kasan_die_handler(struct notifier_block *self,
-                            unsigned long val,
-                            void *data)
-{
-       if (val == DIE_GPF) {
-               pr_emerg("CONFIG_KASAN_INLINE enabled\n");
-               pr_emerg("GPF could be caused by NULL-ptr deref or user memory access\n");
-       }
-       return NOTIFY_OK;
-}
-
-static struct notifier_block kasan_die_notifier = {
-       .notifier_call = kasan_die_handler,
-};
-#endif
-
  void __init kasan_early_init(void)
  {
         int i;
@@ -341,10 +324,6 @@ void __init kasan_init(void)
         int i;
         void *shadow_cpu_entry_begin, *shadow_cpu_entry_end;
  
-#ifdef CONFIG_KASAN_INLINE
-       register_die_notifier(&kasan_die_notifier);
-#endif
-
         memcpy(early_top_pgt, init_top_pgt, sizeof(early_top_pgt));
  
         /*
diff --git a/include/linux/kasan.h b/include/linux/kasan.h

index e18fe54969e97ede27c426277d84601d0c6aec6b..5cde9e7c26640ab904b99cab31bac94f9cf54afe 100644 (file)
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -228,4 +228,10 @@ static inline void kasan_release_vmalloc(unsigned long start,
                                          unsigned long free_region_end) {}
  #endif
  
+#ifdef CONFIG_KASAN_INLINE
+void kasan_non_canonical_hook(unsigned long addr);
+#else /* CONFIG_KASAN_INLINE */
+static inline void kasan_non_canonical_hook(unsigned long addr) { }
+#endif /* CONFIG_KASAN_INLINE */
+
  #endif /* LINUX_KASAN_H */
diff --git a/mm/kasan/report.c b/mm/kasan/report.c

index 621782100eaa0f81d930799c6899d598db390550..5ef9f24f566b438a3a8de742fbf20dc0ccca8e75 100644 (file)
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -512,3 +512,43 @@ void __kasan_report(unsigned long addr, size_t size, bool is_write, unsigned lon
  
         end_report(&flags);
  }
+
+#ifdef CONFIG_KASAN_INLINE
+/*
+ * With CONFIG_KASAN_INLINE, accesses to bogus pointers (outside the high
+ * canonical half of the address space) cause out-of-bounds shadow memory reads
+ * before the actual access. For addresses in the low canonical half of the
+ * address space, as well as most non-canonical addresses, that out-of-bounds
+ * shadow memory access lands in the non-canonical part of the address space.
+ * Help the user figure out what the original bogus pointer was.
+ */
+void kasan_non_canonical_hook(unsigned long addr)
+{
+       unsigned long orig_addr;
+       const char *bug_type;
+
+       if (addr < KASAN_SHADOW_OFFSET)
+               return;
+
+       orig_addr = (addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
+       /*
+        * For faults near the shadow address for NULL, we can be fairly certain
+        * that this is a KASAN shadow memory access.
+        * For faults that correspond to shadow for low canonical addresses, we
+        * can still be pretty sure - that shadow region is a fairly narrow
+        * chunk of the non-canonical address space.
+        * But faults that look like shadow for non-canonical addresses are a
+        * really large chunk of the address space. In that case, we still
+        * print the decoded address, but make it clear that this is not
+        * necessarily what's actually going on.
+        */
+       if (orig_addr < PAGE_SIZE)
+               bug_type = "null-ptr-deref";
+       else if (orig_addr < TASK_SIZE)
+               bug_type = "probably user-memory-access";
+       else
+               bug_type = "maybe wild-memory-access";
+       pr_alert("KASAN: %s in range [0x%016lx-0x%016lx]\n", bug_type,
+                orig_addr, orig_addr + KASAN_SHADOW_MASK);
+}
+#endif
author	Jann Horn <jannh@google.com>
	Wed, 18 Dec 2019 23:11:50 +0000 (00:11 +0100)
committer	Borislav Petkov <bp@suse.de>
	Tue, 31 Dec 2019 12:15:38 +0000 (13:15 +0100)
arch/x86/kernel/dumpstack.c		patch \| blob \| blame \| history
arch/x86/mm/kasan_init_64.c		patch \| blob \| blame \| history
include/linux/kasan.h		patch \| blob \| blame \| history
mm/kasan/report.c		patch \| blob \| blame \| history