
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * KMSAN error reporting routines.
  4. *
  5. * Copyright (C) 2019-2022 Google LLC
  6. * Author: Alexander Potapenko <glider@google.com>
  7. *
  8. */
  9. #include <linux/console.h>
  10. #include <linux/kmsan.h>
  11. #include <linux/moduleparam.h>
  12. #include <linux/stackdepot.h>
  13. #include <linux/stacktrace.h>
  14. #include <linux/uaccess.h>
  15. #include "kmsan.h"
/*
 * Held by kmsan_report() around the whole report so that reports from
 * different CPUs do not interleave; also protects report_local_descr.
 */
static DEFINE_RAW_SPINLOCK(kmsan_report_lock);

/* Size of the scratch buffer filled by pretty_descr(), including the NUL. */
#define DESCR_SIZE 128
/* Protected by kmsan_report_lock */
static char report_local_descr[DESCR_SIZE];

/*
 * When non-zero, kmsan_report() calls panic() after printing a report.
 * Exported so other parts of the runtime can read it; set via "kmsan.panic".
 */
int panic_on_kmsan __read_mostly;
EXPORT_SYMBOL_GPL(panic_on_kmsan);

/*
 * Override the default parameter prefix so the parameter below is exposed as
 * "kmsan.panic" rather than under this file's module name.
 */
#ifdef MODULE_PARAM_PREFIX
#undef MODULE_PARAM_PREFIX
#endif
#define MODULE_PARAM_PREFIX "kmsan."
module_param_named(panic, panic_on_kmsan, int, 0);
/*
 * Skip internal KMSAN frames.
 *
 * Walk @stack_entries from the innermost frame and count the leading frames
 * whose symbol name starts with "__msan_" or "kmsan_", i.e. frames belonging
 * to the instrumentation runtime itself.
 *
 * Returns the index of the first frame that is not a runtime frame. Note that
 * this equals @num_entries when every captured frame is a runtime frame (or
 * when @num_entries is 0), so a caller that indexes @stack_entries with the
 * result must check it against @num_entries first.
 */
static int get_stack_skipnr(const unsigned long stack_entries[],
			    int num_entries)
{
	char sym[64];
	int idx = 0;

	while (idx < num_entries) {
		/* %ps prints the symbol name without the offset. */
		int n = scnprintf(sym, sizeof(sym), "%ps",
				  (void *)stack_entries[idx]);
		bool runtime_frame = (strnstr(sym, "__msan_", n) == sym) ||
				     (strnstr(sym, "kmsan_", n) == sym);

		/* First frame of interest: stop counting. */
		if (!runtime_frame)
			break;
		idx++;
	}

	return idx;
}
/*
 * Currently the descriptions of locals generated by Clang look as follows:
 * ----local_name@function_name
 * We want to print only the name of the local, as other information in that
 * description can be confusing.
 * The meaningful part of the description is copied to a global buffer to avoid
 * allocating memory.
 *
 * @descr: NUL-terminated description string; must not be NULL.
 *
 * Returns report_local_descr, holding @descr with every '-' dropped and
 * everything from the first '@' onwards removed, truncated so that at most
 * DESCR_SIZE - 1 characters plus the NUL fit. The buffer is shared, so the
 * caller must hold kmsan_report_lock.
 */
static char *pretty_descr(char *descr)
{
	char *out = report_local_descr;
	int n = 0;

	for (const char *p = descr; *p != '\0' && *p != '@'; p++) {
		if (*p == '-')
			continue;
		out[n] = *p;
		/* Keep the last slot for the terminator. */
		if (n + 1 == DESCR_SIZE)
			break;
		n++;
	}
	out[n] = '\0';

	return out;
}
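/*
 * kmsan_print_origin() - print where an uninitialized value came from.
 * @origin: stack depot handle of the value's origin; 0 prints nothing.
 *
 * An origin handle refers to one of three kinds of depot record:
 *  - an alloca record (4 entries, entries[0] == KMSAN_ALLOCA_MAGIC_ORIGIN):
 *    a local variable; entries[1] is the Clang-generated description and
 *    entries[2..3] are up to two program counters of its creation site;
 *  - a chain record (3 entries, entries[0] == KMSAN_CHAIN_MAGIC_ORIGIN):
 *    entries[1] is the stack at which the value was stored to memory and
 *    entries[2] is the previous origin, which is then printed in turn;
 *  - anything else: a plain stack trace of the value's creation site.
 *
 * Chain records are followed until a non-chain record ends the loop. When the
 * depth recorded in the handle's extra bits has reached KMSAN_MAX_ORIGIN_DEPTH,
 * earlier links were not stored and a placeholder line says so.
 *
 * pretty_descr() writes to a buffer protected by kmsan_report_lock, so callers
 * are expected to hold it (kmsan_report() does).
 */
void kmsan_print_origin(depot_stack_handle_t origin)
{
	unsigned long *entries = NULL, *chained_entries = NULL;
	unsigned int nr_entries, chained_nr_entries, skipnr;
	void *pc1 = NULL, *pc2 = NULL;
	depot_stack_handle_t head;
	unsigned long magic;
	char *descr = NULL;
	unsigned int depth;

	if (!origin)
		return;

	while (true) {
		nr_entries = stack_depot_fetch(origin, &entries);
		depth = kmsan_depth_from_eb(stack_depot_get_extra_bits(origin));
		/* entries[0] only carries a magic value for the special records. */
		magic = nr_entries ? entries[0] : 0;

		if ((nr_entries == 4) && (magic == KMSAN_ALLOCA_MAGIC_ORIGIN)) {
			descr = (char *)entries[1];
			pc1 = (void *)entries[2];
			pc2 = (void *)entries[3];
			/*
			 * The description is expected to be a valid string
			 * stored by the instrumentation; do not take the
			 * report path down on a record that lacks it.
			 */
			pr_err("Local variable %s created at:\n",
			       descr ? pretty_descr(descr) : "(unknown)");
			if (pc1)
				pr_err(" %pSb\n", pc1);
			if (pc2)
				pr_err(" %pSb\n", pc2);
			break;
		}

		if ((nr_entries == 3) && (magic == KMSAN_CHAIN_MAGIC_ORIGIN)) {
			/*
			 * Origin chains deeper than KMSAN_MAX_ORIGIN_DEPTH are
			 * not stored, so the output may be incomplete.
			 */
			if (depth == KMSAN_MAX_ORIGIN_DEPTH)
				pr_err("<Zero or more stacks not recorded to save memory>\n\n");
			head = entries[1];
			origin = entries[2];
			pr_err("Uninit was stored to memory at:\n");
			chained_nr_entries =
				stack_depot_fetch(head, &chained_entries);
			if (chained_nr_entries) {
				/*
				 * NOTE(review): the entries are unpoisoned
				 * before being read, presumably so the report
				 * path does not itself trip a KMSAN check on
				 * depot memory -- confirm.
				 */
				kmsan_internal_unpoison_memory(
					chained_entries,
					chained_nr_entries * sizeof(*chained_entries),
					/*checked*/ false);
				skipnr = get_stack_skipnr(chained_entries,
							  chained_nr_entries);
				stack_trace_print(chained_entries + skipnr,
						  chained_nr_entries - skipnr, 0);
			} else {
				/*
				 * Same handling as the creation stack below:
				 * an empty or invalid @head must not reach
				 * stack_trace_print() with a NULL array.
				 */
				pr_err("(stack is not available)\n");
			}
			pr_err("\n");
			continue;
		}

		pr_err("Uninit was created at:\n");
		if (nr_entries) {
			skipnr = get_stack_skipnr(entries, nr_entries);
			stack_trace_print(entries + skipnr, nr_entries - skipnr,
					  0);
		} else {
			pr_err("(stack is not available)\n");
		}
		break;
	}
}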
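/*
 * kmsan_report() - print a KMSAN bug report for an uninitialized value.
 * @origin:    stack depot handle of the value's origin; 0 means no report.
 * @address:   kernel address of the offending access, or NULL to omit it.
 * @size:      size of the access in bytes; 0 suppresses the byte-range line.
 * @off_first: offset of the first uninitialized byte within the access.
 * @off_last:  offset of the last uninitialized byte within the access.
 * @user_addr: destination for REASON_COPY_TO_USER reports, or NULL.
 * @reason:    what kind of use was detected; selects the bug type string.
 *
 * Nothing is printed when KMSAN is disabled, when we are already inside the
 * runtime, or when the current task's kmsan_ctx.depth is non-zero. Otherwise
 * the runtime is entered and user access state saved for the duration of the
 * report, and the whole report is printed under kmsan_report_lock so reports
 * from different CPUs do not interleave. The kernel is tainted after every
 * report and panics if kmsan.panic is set.
 */
void kmsan_report(depot_stack_handle_t origin, void *address, int size,
		  int off_first, int off_last, const void __user *user_addr,
		  enum kmsan_bug_reason reason)
{
	unsigned long stack_entries[KMSAN_STACK_DEPTH];
	int num_stack_entries, skipnr;
	/* Fallback for a reason value not handled below; never NULL. */
	const char *bug_type = "unknown-bug";
	unsigned long ua_flags;
	bool is_uaf;

	if (!kmsan_enabled || kmsan_in_runtime())
		return;
	if (current->kmsan_ctx.depth)
		return;
	if (!origin)
		return;

	kmsan_enter_runtime();
	ua_flags = user_access_save();
	raw_spin_lock(&kmsan_report_lock);
	pr_err("=====================================================\n");

	/* The UAF flag travels in the handle's extra bits. */
	is_uaf = kmsan_uaf_from_eb(stack_depot_get_extra_bits(origin));
	switch (reason) {
	case REASON_ANY:
		bug_type = is_uaf ? "use-after-free" : "uninit-value";
		break;
	case REASON_COPY_TO_USER:
		bug_type = is_uaf ? "kernel-infoleak-after-free" :
				    "kernel-infoleak";
		break;
	case REASON_SUBMIT_URB:
		bug_type = is_uaf ? "kernel-usb-infoleak-after-free" :
				    "kernel-usb-infoleak";
		break;
	default:
		/* Keep the fallback rather than printing a NULL string. */
		break;
	}

	num_stack_entries =
		stack_trace_save(stack_entries, KMSAN_STACK_DEPTH, 1);
	skipnr = get_stack_skipnr(stack_entries, num_stack_entries);
	/*
	 * get_stack_skipnr() returns num_stack_entries when every captured
	 * frame belongs to the runtime (or none were captured). Indexing
	 * stack_entries with that value reads a slot that was never filled,
	 * and runs past the array when it is full, so guard the lookup.
	 */
	if (skipnr < num_stack_entries)
		pr_err("BUG: KMSAN: %s in %pSb\n", bug_type,
		       (void *)stack_entries[skipnr]);
	else
		pr_err("BUG: KMSAN: %s (stack is not available)\n", bug_type);
	stack_trace_print(stack_entries + skipnr, num_stack_entries - skipnr,
			  0);
	pr_err("\n");

	kmsan_print_origin(origin);

	if (size) {
		pr_err("\n");
		if (off_first == off_last)
			pr_err("Byte %d of %d is uninitialized\n", off_first,
			       size);
		else
			pr_err("Bytes %d-%d of %d are uninitialized\n",
			       off_first, off_last, size);
	}
	if (address)
		pr_err("Memory access of size %d starts at %px\n", size,
		       address);
	if (user_addr && reason == REASON_COPY_TO_USER)
		pr_err("Data copied to user address %px\n", user_addr);
	pr_err("\n");
	dump_stack_print_info(KERN_ERR);
	pr_err("=====================================================\n");
	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
	raw_spin_unlock(&kmsan_report_lock);

	/*
	 * Panic only after dropping the lock. panic() does not return, so the
	 * restore/leave calls below are intentionally skipped in that case.
	 */
	if (panic_on_kmsan)
		panic("kmsan.panic set ...\n");
	user_access_restore(ua_flags);
	kmsan_leave_runtime();
}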