Up to [cvs.NetBSD.org] / src / sys / arch / amd64 / amd64
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
Sync with HEAD, resolve a couple of conflicts
Move the MI parts of KASAN into kern/subr_asan.c. This file includes machine/asan.h, which contains the MD functions. We use an include rather than a plain C file, because we want GCC to optimize/inline some functions into one single block. The amd64 MD parts of KASAN are moved accordingly. The naming convention we use is: kasan_* a generic kasan object, declared in subr_asan.c kasan_md_* an MD kasan object, declared in machine/asan.h, and used in subr_asan.c __md_* an MD object, declared in machine/asan.h, and not used outside Overall this makes it easier to add KASAN support on more architectures. Discussed with several people.
Rename kasan_shadow_fill, remove one check in it, and inline it. Remove the use-after-scope code for now, because our GCC does not support that and when it does we will want to test the feature for real rather than letting a potentially broken code compile.
Remove functions that aren't supposed to be used.
Ssync with HEAD
Don't go beyond start().
Sync with HEAD Resolve a couple of conflicts (result of the uimin/uimax changes)
file asan.c was added on branch pgoyette-compat on 2018-09-06 06:55:24 +0000
Add kasan interceptors for strcpy/strcmp/strlen.
Improve the detection on global variables, no need to round up.
Unwind the stack on error, to get the full path that led to the illegal access. Example of output: kASan: Unauthorized Access In 0xffffffff80e6219c: Addr 0xffffbb007a39fd03 [1 byte, read] #0 0xffffffff80e6219c in ras_purgeall <netbsd> #1 0xffffffff80e62330 in sys_rasctl <netbsd> #2 0xffffffff80265008 in syscall <netbsd> (I manually added a one-byte stack read overflow in rasctl to demonstrate.)
Explicitly unpoison the stack when entering a softint. Softints are the only place where we "discard" a part of the stack: we may have left the thread without allowing the asan instrumentation to clear the poison, and in this case, we can get false positives when we hit a poisoned area of the stack while executing another handler within the same softint thread. (I was actually getting a rare false positive in ip6intr.)
Add support for monitoring the stack with kASan. This allows us to detect illegal memory accesses occuring there. The compiler inlines a piece of code in each function that adds redzones around the local variables and poisons them. The illegal accesses are then detected using the usual kASan machinery. The stack size is doubled, from 4 pages to 8 pages. Several boot functions are marked with the __noasan flag, to prevent the compiler from adding redzones in them (because we haven't yet initialized kASan). The kasan_early_init function is called early at boot time to quickly create the shadow for the current stack; after this is done, we don't need __noasan anymore in the boot path. We pass -fasan-shadow-offset=0xDFFF900000000000, because the compiler wants to do shad = shadow-offset + (addr >> 3) and we do, in kasan_addr_to_shad shad = KASAN_SHADOW_START + ((addr - CANONICAL_BASE) >> 3) hence shad = KASAN_SHADOW_START + (addr >> 3) - (CANONICAL_BASE >> 3) = [KASAN_SHADOW_START - (CANONICAL_BASE >> 3)] + (addr >> 3) implies shadow-offset = KASAN_SHADOW_START - (CANONICAL_BASE >> 3) = 0xFFFF800000000000 - (0xFFFF800000000000 >> 3) = 0xDFFF900000000000 In UVM, we add a kasan_free (that is not preceded by a kasan_alloc). We don't add poisoned redzones ourselves, but all the functions we execute do, so we need to manually clear the poison before freeing the stack. With the help of Kamil for the makefile stuff.
Fix the computation in kasan_shadow_map, we may need one more page because of the rounddown.
Add support for kASan on amd64. Written by me, with some parts inspired from Siddharth Muralee's initial work. This feature can detect several kinds of memory bugs, and it's an excellent feature. It can be enabled by uncommenting these three lines in GENERIC: #makeoptions KASAN=1 # Kernel Address Sanitizer #options KASAN #no options SVS The kernel is compiled without SVS, without DMAP and without PCPU area. A shadow area is created at boot time, and it can cover the upper 128TB of the address space. This area is populated gradually as we allocate memory. With this design the memory consumption is kept at its lowest level. The compiler calls the __asan_* functions each time a memory access is done. We verify whether this access is legal by looking at the shadow area. We declare our own special memcpy/memset/etc functions, because the compiler's builtins don't add the __asan_* instrumentation. Initially all the mappings are marked as valid. During dynamic allocations, we add a redzone, which we mark as invalid. Any access on it will trigger a kASan error message. Additionally, the compiler adds a redzone on global variables, and we mark these redzones as invalid too. The illegal-access detection works with a 1-byte granularity. For now, we cover three areas: - global variables - kmem_alloc-ated areas - malloc-ated areas More will come, but that's a good start.