projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
kasan: add kernel address sanitizer infrastructure
[deliverable/linux.git] / mm / kasan / kasan.c
CommitLineData
0b24becc
AR		 1/*
2 * This file contains shadow memory manipulation code.
3 *
4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
6 *
7 * Some of code borrowed from https://github.com/xairy/linux by
8 * Andrey Konovalov <adech.fo@gmail.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
13 *
14 */
15
16#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
17#define DISABLE_BRANCH_PROFILING
18
19#include <linux/export.h>
20#include <linux/init.h>
21#include <linux/kernel.h>
22#include <linux/memblock.h>
23#include <linux/mm.h>
24#include <linux/printk.h>
25#include <linux/sched.h>
26#include <linux/slab.h>
27#include <linux/stacktrace.h>
28#include <linux/string.h>
29#include <linux/types.h>
30#include <linux/kasan.h>
31
32#include "kasan.h"
33
34/*
35 * Poisons the shadow memory for 'size' bytes starting from 'addr'.
36 * Memory addresses should be aligned to KASAN_SHADOW_SCALE_SIZE.
37 */
38static void kasan_poison_shadow(const void *address, size_t size, u8 value)
39{
40 void *shadow_start, *shadow_end;
41
42 shadow_start = kasan_mem_to_shadow(address);
43 shadow_end = kasan_mem_to_shadow(address + size);
44
45 memset(shadow_start, value, shadow_end - shadow_start);
46}
47
48void kasan_unpoison_shadow(const void *address, size_t size)
49{
50 kasan_poison_shadow(address, size, 0);
51
52 if (size & KASAN_SHADOW_MASK) {
53 u8 *shadow = (u8 *)kasan_mem_to_shadow(address + size);
54 *shadow = size & KASAN_SHADOW_MASK;
55 }
56}
57
58
59/*
60 * All functions below always inlined so compiler could
61 * perform better optimizations in each of __asan_loadX/__assn_storeX
62 * depending on memory access size X.
63 */
64
65static __always_inline bool memory_is_poisoned_1(unsigned long addr)
66{
67 s8 shadow_value = *(s8 *)kasan_mem_to_shadow((void *)addr);
68
69 if (unlikely(shadow_value)) {
70 s8 last_accessible_byte = addr & KASAN_SHADOW_MASK;
71 return unlikely(last_accessible_byte >= shadow_value);
72 }
73
74 return false;
75}
76
77static __always_inline bool memory_is_poisoned_2(unsigned long addr)
78{
79 u16 *shadow_addr = (u16 *)kasan_mem_to_shadow((void *)addr);
80
81 if (unlikely(*shadow_addr)) {
82 if (memory_is_poisoned_1(addr + 1))
83 return true;
84
85 if (likely(((addr + 1) & KASAN_SHADOW_MASK) != 0))
86 return false;
87
88 return unlikely(*(u8 *)shadow_addr);
89 }
90
91 return false;
92}
93
94static __always_inline bool memory_is_poisoned_4(unsigned long addr)
95{
96 u16 *shadow_addr = (u16 *)kasan_mem_to_shadow((void *)addr);
97
98 if (unlikely(*shadow_addr)) {
99 if (memory_is_poisoned_1(addr + 3))
100 return true;
101
102 if (likely(((addr + 3) & KASAN_SHADOW_MASK) >= 3))
103 return false;
104
105 return unlikely(*(u8 *)shadow_addr);
106 }
107
108 return false;
109}
110
111static __always_inline bool memory_is_poisoned_8(unsigned long addr)
112{
113 u16 *shadow_addr = (u16 *)kasan_mem_to_shadow((void *)addr);
114
115 if (unlikely(*shadow_addr)) {
116 if (memory_is_poisoned_1(addr + 7))
117 return true;
118
119 if (likely(((addr + 7) & KASAN_SHADOW_MASK) >= 7))
120 return false;
121
122 return unlikely(*(u8 *)shadow_addr);
123 }
124
125 return false;
126}
127
128static __always_inline bool memory_is_poisoned_16(unsigned long addr)
129{
130 u32 *shadow_addr = (u32 *)kasan_mem_to_shadow((void *)addr);
131
132 if (unlikely(*shadow_addr)) {
133 u16 shadow_first_bytes = *(u16 *)shadow_addr;
134 s8 last_byte = (addr + 15) & KASAN_SHADOW_MASK;
135
136 if (unlikely(shadow_first_bytes))
137 return true;
138
139 if (likely(!last_byte))
140 return false;
141
142 return memory_is_poisoned_1(addr + 15);
143 }
144
145 return false;
146}
147
148static __always_inline unsigned long bytes_is_zero(const u8 *start,
149 size_t size)
150{
151 while (size) {
152 if (unlikely(*start))
153 return (unsigned long)start;
154 start++;
155 size--;
156 }
157
158 return 0;
159}
160
161static __always_inline unsigned long memory_is_zero(const void *start,
162 const void *end)
163{
164 unsigned int words;
165 unsigned long ret;
166 unsigned int prefix = (unsigned long)start % 8;
167
168 if (end - start <= 16)
169 return bytes_is_zero(start, end - start);
170
171 if (prefix) {
172 prefix = 8 - prefix;
173 ret = bytes_is_zero(start, prefix);
174 if (unlikely(ret))
175 return ret;
176 start += prefix;
177 }
178
179 words = (end - start) / 8;
180 while (words) {
181 if (unlikely(*(u64 *)start))
182 return bytes_is_zero(start, 8);
183 start += 8;
184 words--;
185 }
186
187 return bytes_is_zero(start, (end - start) % 8);
188}
189
190static __always_inline bool memory_is_poisoned_n(unsigned long addr,
191 size_t size)
192{
193 unsigned long ret;
194
195 ret = memory_is_zero(kasan_mem_to_shadow((void *)addr),
196 kasan_mem_to_shadow((void *)addr + size - 1) + 1);
197
198 if (unlikely(ret)) {
199 unsigned long last_byte = addr + size - 1;
200 s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte);
201
202 if (unlikely(ret != (unsigned long)last_shadow ||
203 ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow)))
204 return true;
205 }
206 return false;
207}
208
209static __always_inline bool memory_is_poisoned(unsigned long addr, size_t size)
210{
211 if (__builtin_constant_p(size)) {
212 switch (size) {
213 case 1:
214 return memory_is_poisoned_1(addr);
215 case 2:
216 return memory_is_poisoned_2(addr);
217 case 4:
218 return memory_is_poisoned_4(addr);
219 case 8:
220 return memory_is_poisoned_8(addr);
221 case 16:
222 return memory_is_poisoned_16(addr);
223 default:
224 BUILD_BUG();
225 }
226 }
227
228 return memory_is_poisoned_n(addr, size);
229}
230
231
232static __always_inline void check_memory_region(unsigned long addr,
233 size_t size, bool write)
234{
235 struct kasan_access_info info;
236
237 if (unlikely(size == 0))
238 return;
239
240 if (unlikely((void *)addr <
241 kasan_shadow_to_mem((void *)KASAN_SHADOW_START))) {
242 info.access_addr = (void *)addr;
243 info.access_size = size;
244 info.is_write = write;
245 info.ip = _RET_IP_;
246 kasan_report_user_access(&info);
247 return;
248 }
249
250 if (likely(!memory_is_poisoned(addr, size)))
251 return;
252
253 kasan_report(addr, size, write, _RET_IP_);
254}
255
256#define DEFINE_ASAN_LOAD_STORE(size) \
257 void __asan_load##size(unsigned long addr) \
258 { \
259 check_memory_region(addr, size, false); \
260 } \
261 EXPORT_SYMBOL(__asan_load##size); \
262 __alias(__asan_load##size) \
263 void __asan_load##size##_noabort(unsigned long); \
264 EXPORT_SYMBOL(__asan_load##size##_noabort); \
265 void __asan_store##size(unsigned long addr) \
266 { \
267 check_memory_region(addr, size, true); \
268 } \
269 EXPORT_SYMBOL(__asan_store##size); \
270 __alias(__asan_store##size) \
271 void __asan_store##size##_noabort(unsigned long); \
272 EXPORT_SYMBOL(__asan_store##size##_noabort)
273
274DEFINE_ASAN_LOAD_STORE(1);
275DEFINE_ASAN_LOAD_STORE(2);
276DEFINE_ASAN_LOAD_STORE(4);
277DEFINE_ASAN_LOAD_STORE(8);
278DEFINE_ASAN_LOAD_STORE(16);
279
280void __asan_loadN(unsigned long addr, size_t size)
281{
282 check_memory_region(addr, size, false);
283}
284EXPORT_SYMBOL(__asan_loadN);
285
286__alias(__asan_loadN)
287void __asan_loadN_noabort(unsigned long, size_t);
288EXPORT_SYMBOL(__asan_loadN_noabort);
289
290void __asan_storeN(unsigned long addr, size_t size)
291{
292 check_memory_region(addr, size, true);
293}
294EXPORT_SYMBOL(__asan_storeN);
295
296__alias(__asan_storeN)
297void __asan_storeN_noabort(unsigned long, size_t);
298EXPORT_SYMBOL(__asan_storeN_noabort);
299
300/* to shut up compiler complaints */
301void __asan_handle_no_return(void) {}
302EXPORT_SYMBOL(__asan_handle_no_return);
Linux kernel - Deliverables
This page took 0.039687 seconds and 5 git commands to generate.