mm/kasan/generic_report.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * This file contains generic KASAN specific error reporting code.
   4  *
   5  * Copyright (c) 2014 Samsung Electronics Co., Ltd.
   6  * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
   7  *
   8  * Some code borrowed from https://github.com/xairy/kasan-prototype by
   9  *        Andrey Konovalov <andreyknvl@gmail.com>
  10  *
  11  * This program is free software; you can redistribute it and/or modify
  12  * it under the terms of the GNU General Public License version 2 as
  13  * published by the Free Software Foundation.
  14  *
  15  */
  16
  17 #include <linux/bitops.h>
  18 #include <linux/ftrace.h>
  19 #include <linux/init.h>
  20 #include <linux/kernel.h>
  21 #include <linux/mm.h>
  22 #include <linux/printk.h>
  23 #include <linux/sched.h>
  24 #include <linux/slab.h>
  25 #include <linux/stackdepot.h>
  26 #include <linux/stacktrace.h>
  27 #include <linux/string.h>
  28 #include <linux/types.h>
  29 #include <linux/kasan.h>
  30 #include <linux/module.h>
  31
  32 #include <asm/sections.h>
  33
  34 #include "kasan.h"
  35 #include "../slab.h"
  36
  37 void *find_first_bad_addr(void *addr, size_t size)
  38 {
  39         void *p = addr;
  40
  41         while (p < addr + size && !(*(u8 *)kasan_mem_to_shadow(p)))
  42                 p += KASAN_SHADOW_SCALE_SIZE;
  43         return p;
  44 }
  45
  46 static const char *get_shadow_bug_type(struct kasan_access_info *info)
  47 {
  48         const char *bug_type = "unknown-crash";
  49         u8 *shadow_addr;
  50
  51         shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);
  52
  53         /*
  54          * If shadow byte value is in [0, KASAN_SHADOW_SCALE_SIZE) we can look
  55          * at the next shadow byte to determine the type of the bad access.
  56          */
  57         if (*shadow_addr > 0 && *shadow_addr <= KASAN_SHADOW_SCALE_SIZE - 1)
  58                 shadow_addr++;
  59
  60         switch (*shadow_addr) {
  61         case 0 ... KASAN_SHADOW_SCALE_SIZE - 1:
  62                 /*
  63                  * In theory it's still possible to see these shadow values
  64                  * due to a data race in the kernel code.
  65                  */
  66                 bug_type = "out-of-bounds";
  67                 break;
  68         case KASAN_PAGE_REDZONE:
  69         case KASAN_KMALLOC_REDZONE:
  70                 bug_type = "slab-out-of-bounds";
  71                 break;
  72         case KASAN_GLOBAL_REDZONE:
  73                 bug_type = "global-out-of-bounds";
  74                 break;
  75         case KASAN_STACK_LEFT:
  76         case KASAN_STACK_MID:
  77         case KASAN_STACK_RIGHT:
  78         case KASAN_STACK_PARTIAL:
  79                 bug_type = "stack-out-of-bounds";
  80                 break;
  81         case KASAN_FREE_PAGE:
  82         case KASAN_KMALLOC_FREE:
  83                 bug_type = "use-after-free";
  84                 break;
  85         case KASAN_ALLOCA_LEFT:
  86         case KASAN_ALLOCA_RIGHT:
  87                 bug_type = "alloca-out-of-bounds";
  88                 break;
  89         case KASAN_VMALLOC_INVALID:
  90                 bug_type = "vmalloc-out-of-bounds";
  91                 break;
  92         }
  93
  94         return bug_type;
  95 }
  96
  97 static const char *get_wild_bug_type(struct kasan_access_info *info)
  98 {
  99         const char *bug_type = "unknown-crash";
 100
 101         if ((unsigned long)info->access_addr < PAGE_SIZE)
 102                 bug_type = "null-ptr-deref";
 103         else if ((unsigned long)info->access_addr < TASK_SIZE)
 104                 bug_type = "user-memory-access";
 105         else
 106                 bug_type = "wild-memory-access";
 107
 108         return bug_type;
 109 }
 110
 111 const char *get_bug_type(struct kasan_access_info *info)
 112 {
 113         /*
 114          * If access_size is a negative number, then it has reason to be
 115          * defined as out-of-bounds bug type.
 116          *
 117          * Casting negative numbers to size_t would indeed turn up as
 118          * a large size_t and its value will be larger than ULONG_MAX/2,
 119          * so that this can qualify as out-of-bounds.
 120          */
 121         if (info->access_addr + info->access_size < info->access_addr)
 122                 return "out-of-bounds";
 123
 124         if (addr_has_shadow(info->access_addr))
 125                 return get_shadow_bug_type(info);
 126         return get_wild_bug_type(info);
 127 }
 128
 129 #define DEFINE_ASAN_REPORT_LOAD(size)                     \
 130 void __asan_report_load##size##_noabort(unsigned long addr) \
 131 {                                                         \
 132         kasan_report(addr, size, false, _RET_IP_);        \
 133 }                                                         \
 134 EXPORT_SYMBOL(__asan_report_load##size##_noabort)
 135
 136 #define DEFINE_ASAN_REPORT_STORE(size)                     \
 137 void __asan_report_store##size##_noabort(unsigned long addr) \
 138 {                                                          \
 139         kasan_report(addr, size, true, _RET_IP_);          \
 140 }                                                          \
 141 EXPORT_SYMBOL(__asan_report_store##size##_noabort)
 142
 143 DEFINE_ASAN_REPORT_LOAD(1);
 144 DEFINE_ASAN_REPORT_LOAD(2);
 145 DEFINE_ASAN_REPORT_LOAD(4);
 146 DEFINE_ASAN_REPORT_LOAD(8);
 147 DEFINE_ASAN_REPORT_LOAD(16);
 148 DEFINE_ASAN_REPORT_STORE(1);
 149 DEFINE_ASAN_REPORT_STORE(2);
 150 DEFINE_ASAN_REPORT_STORE(4);
 151 DEFINE_ASAN_REPORT_STORE(8);
 152 DEFINE_ASAN_REPORT_STORE(16);
 153
 154 void __asan_report_load_n_noabort(unsigned long addr, size_t size)
 155 {
 156         kasan_report(addr, size, false, _RET_IP_);
 157 }
 158 EXPORT_SYMBOL(__asan_report_load_n_noabort);
 159
 160 void __asan_report_store_n_noabort(unsigned long addr, size_t size)
 161 {
 162         kasan_report(addr, size, true, _RET_IP_);
 163 }
 164 EXPORT_SYMBOL(__asan_report_store_n_noabort);