mm/kasan/generic_report.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * This file contains generic KASAN specific error reporting code.
   4  *
   5  * Copyright (c) 2014 Samsung Electronics Co., Ltd.
   6  * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
   7  *
   8  * Some code borrowed from https://github.com/xairy/kasan-prototype by
   9  *        Andrey Konovalov <andreyknvl@gmail.com>
  10  *
  11  * This program is free software; you can redistribute it and/or modify
  12  * it under the terms of the GNU General Public License version 2 as
  13  * published by the Free Software Foundation.
  14  *
  15  */
  16
  17 #include <linux/bitops.h>
  18 #include <linux/ftrace.h>
  19 #include <linux/init.h>
  20 #include <linux/kernel.h>
  21 #include <linux/mm.h>
  22 #include <linux/printk.h>
  23 #include <linux/sched.h>
  24 #include <linux/slab.h>
  25 #include <linux/stackdepot.h>
  26 #include <linux/stacktrace.h>
  27 #include <linux/string.h>
  28 #include <linux/types.h>
  29 #include <linux/kasan.h>
  30 #include <linux/module.h>
  31
  32 #include <asm/sections.h>
  33
  34 #include "kasan.h"
  35 #include "../slab.h"
  36
  37 void *find_first_bad_addr(void *addr, size_t size)
  38 {
  39         void *p = addr;
  40
  41         while (p < addr + size && !(*(u8 *)kasan_mem_to_shadow(p)))
  42                 p += KASAN_SHADOW_SCALE_SIZE;
  43         return p;
  44 }
  45
  46 static const char *get_shadow_bug_type(struct kasan_access_info *info)
  47 {
  48         const char *bug_type = "unknown-crash";
  49         u8 *shadow_addr;
  50
  51         shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);
  52
  53         /*
  54          * If shadow byte value is in [0, KASAN_SHADOW_SCALE_SIZE) we can look
  55          * at the next shadow byte to determine the type of the bad access.
  56          */
  57         if (*shadow_addr > 0 && *shadow_addr <= KASAN_SHADOW_SCALE_SIZE - 1)
  58                 shadow_addr++;
  59
  60         switch (*shadow_addr) {
  61         case 0 ... KASAN_SHADOW_SCALE_SIZE - 1:
  62                 /*
  63                  * In theory it's still possible to see these shadow values
  64                  * due to a data race in the kernel code.
  65                  */
  66                 bug_type = "out-of-bounds";
  67                 break;
  68         case KASAN_PAGE_REDZONE:
  69         case KASAN_KMALLOC_REDZONE:
  70                 bug_type = "slab-out-of-bounds";
  71                 break;
  72         case KASAN_GLOBAL_REDZONE:
  73                 bug_type = "global-out-of-bounds";
  74                 break;
  75         case KASAN_STACK_LEFT:
  76         case KASAN_STACK_MID:
  77         case KASAN_STACK_RIGHT:
  78         case KASAN_STACK_PARTIAL:
  79                 bug_type = "stack-out-of-bounds";
  80                 break;
  81         case KASAN_FREE_PAGE:
  82         case KASAN_KMALLOC_FREE:
  83         case KASAN_KMALLOC_FREETRACK:
  84                 bug_type = "use-after-free";
  85                 break;
  86         case KASAN_ALLOCA_LEFT:
  87         case KASAN_ALLOCA_RIGHT:
  88                 bug_type = "alloca-out-of-bounds";
  89                 break;
  90         case KASAN_VMALLOC_INVALID:
  91                 bug_type = "vmalloc-out-of-bounds";
  92                 break;
  93         }
  94
  95         return bug_type;
  96 }
  97
  98 static const char *get_wild_bug_type(struct kasan_access_info *info)
  99 {
 100         const char *bug_type = "unknown-crash";
 101
 102         if ((unsigned long)info->access_addr < PAGE_SIZE)
 103                 bug_type = "null-ptr-deref";
 104         else if ((unsigned long)info->access_addr < TASK_SIZE)
 105                 bug_type = "user-memory-access";
 106         else
 107                 bug_type = "wild-memory-access";
 108
 109         return bug_type;
 110 }
 111
 112 const char *get_bug_type(struct kasan_access_info *info)
 113 {
 114         /*
 115          * If access_size is a negative number, then it has reason to be
 116          * defined as out-of-bounds bug type.
 117          *
 118          * Casting negative numbers to size_t would indeed turn up as
 119          * a large size_t and its value will be larger than ULONG_MAX/2,
 120          * so that this can qualify as out-of-bounds.
 121          */
 122         if (info->access_addr + info->access_size < info->access_addr)
 123                 return "out-of-bounds";
 124
 125         if (addr_has_shadow(info->access_addr))
 126                 return get_shadow_bug_type(info);
 127         return get_wild_bug_type(info);
 128 }
 129
 130 #define DEFINE_ASAN_REPORT_LOAD(size)                     \
 131 void __asan_report_load##size##_noabort(unsigned long addr) \
 132 {                                                         \
 133         kasan_report(addr, size, false, _RET_IP_);        \
 134 }                                                         \
 135 EXPORT_SYMBOL(__asan_report_load##size##_noabort)
 136
 137 #define DEFINE_ASAN_REPORT_STORE(size)                     \
 138 void __asan_report_store##size##_noabort(unsigned long addr) \
 139 {                                                          \
 140         kasan_report(addr, size, true, _RET_IP_);          \
 141 }                                                          \
 142 EXPORT_SYMBOL(__asan_report_store##size##_noabort)
 143
 144 DEFINE_ASAN_REPORT_LOAD(1);
 145 DEFINE_ASAN_REPORT_LOAD(2);
 146 DEFINE_ASAN_REPORT_LOAD(4);
 147 DEFINE_ASAN_REPORT_LOAD(8);
 148 DEFINE_ASAN_REPORT_LOAD(16);
 149 DEFINE_ASAN_REPORT_STORE(1);
 150 DEFINE_ASAN_REPORT_STORE(2);
 151 DEFINE_ASAN_REPORT_STORE(4);
 152 DEFINE_ASAN_REPORT_STORE(8);
 153 DEFINE_ASAN_REPORT_STORE(16);
 154
 155 void __asan_report_load_n_noabort(unsigned long addr, size_t size)
 156 {
 157         kasan_report(addr, size, false, _RET_IP_);
 158 }
 159 EXPORT_SYMBOL(__asan_report_load_n_noabort);
 160
 161 void __asan_report_store_n_noabort(unsigned long addr, size_t size)
 162 {
 163         kasan_report(addr, size, true, _RET_IP_);
 164 }
 165 EXPORT_SYMBOL(__asan_report_store_n_noabort);