[Devel] [PATCH vz7 1/5] ms/kprobes: Avoid false KASAN reports during stack copy
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Oct 31 12:43:32 MSK 2018
From: Dmitry Vyukov <dvyukov at google.com>
Kprobes save and restore raw stack chunks with memcpy().
With KASAN these chunks can contain poisoned stack redzones,
as the result memcpy() interceptor produces false
stack out-of-bounds reports.
Use __memcpy() instead of memcpy() for stack copying.
__memcpy() is not instrumented by KASAN and does not lead
to the false reports.
Currently there is a spew of KASAN reports during boot
if CONFIG_KPROBES_SANITY_TEST is enabled:
[ ] Kprobe smoke test: started
[ ] ==================================================================
[ ] BUG: KASAN: stack-out-of-bounds in setjmp_pre_handler+0x17c/0x280 at addr ffff88085259fba8
[ ] Read of size 64 by task swapper/0/1
[ ] page:ffffea00214967c0 count:0 mapcount:0 mapping: (null) index:0x0
[ ] flags: 0x2fffff80000000()
[ ] page dumped because: kasan: bad access detected
[...]
Reported-by: CAI Qian <caiqian at redhat.com>
Tested-by: CAI Qian <caiqian at redhat.com>
Signed-off-by: Dmitry Vyukov <dvyukov at google.com>
Acked-by: Masami Hiramatsu <mhiramat at kernel.org>
Cc: Alexander Potapenko <glider at google.com>
Cc: Alexander Shishkin <alexander.shishkin at linux.intel.com>
Cc: Ananth N Mavinakayanahalli <ananth at linux.vnet.ibm.com>
Cc: Andrew Morton <akpm at linux-foundation.org>
Cc: Andrey Ryabinin <ryabinin.a.a at gmail.com>
Cc: Andy Lutomirski <luto at kernel.org>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy at intel.com>
Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
Cc: Borislav Petkov <bp at alien8.de>
Cc: Brian Gerst <brgerst at gmail.com>
Cc: David S. Miller <davem at davemloft.net>
Cc: Denys Vlasenko <dvlasenk at redhat.com>
Cc: H. Peter Anvin <hpa at zytor.com>
Cc: Jiri Olsa <jolsa at redhat.com>
Cc: Josh Poimboeuf <jpoimboe at redhat.com>
Cc: Linus Torvalds <torvalds at linux-foundation.org>
Cc: Peter Zijlstra <peterz at infradead.org>
Cc: Thomas Gleixner <tglx at linutronix.de>
Cc: kasan-dev at googlegroups.com
[ Improved various details. ]
Signed-off-by: Ingo Molnar <mingo at kernel.org>
(cherry picked from commit 9254139ad083433c50ba62920107ed55fc4ca5e2)
In the scope of: https://pmc.acronis.com/browse/VSTOR-16798
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
arch/x86/kernel/kprobes/core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 39f2d05cba33..d1585bef6dc9 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -1019,9 +1019,10 @@ int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
* tailcall optimization. So, to be absolutely safe
* we also save and restore enough stack bytes to cover
* the argument area.
+ * Use __memcpy() to avoid KASAN stack out-of-bounds reports as we copy
+ * raw stack chunk with redzones:
*/
- memcpy(kcb->jprobes_stack, (kprobe_opcode_t *)addr,
- MIN_STACK_SIZE(addr));
+ __memcpy(kcb->jprobes_stack, (kprobe_opcode_t *)addr, MIN_STACK_SIZE(addr));
regs->flags &= ~X86_EFLAGS_IF;
trace_hardirqs_off();
regs->ip = (unsigned long)(jp->entry);
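Review bot: the new `__memcpy(kcb->jprobes_stack, (kprobe_opcode_t *)addr, MIN_STACK_SIZE(addr));` runs to roughly 84 columns once the leading tab is counted, where the old `memcpy()` call was wrapped after the second argument; fold it back onto two lines to stay within the 80-column limit checkpatch warns about. In the added comment, `as we copy raw stack chunk with redzones:` should read `a raw stack chunk`, and it would help to state why skipping the instrumented check is safe here rather than masking a bug: the bytes are saved opaquely and restored verbatim in longjmp_break_handler(), never interpreted, so the poisoned redzones inside the copied range are expected content, not an out-of-bounds access.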
@@ -1077,7 +1078,7 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
/* It's OK to start function graph tracing again */
unpause_graph_tracing();
*regs = kcb->jprobe_saved_regs;
- memcpy(saved_sp, kcb->jprobes_stack, MIN_STACK_SIZE(saved_sp));
+ __memcpy(saved_sp, kcb->jprobes_stack, MIN_STACK_SIZE(saved_sp));
preempt_enable_no_resched();
return 1;
}
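Review bot: the restore side switches to `__memcpy()` with no comment, so someone reading longjmp_break_handler() on its own has no hint why the uninstrumented variant is used; add a one-line comment mirroring the one in setjmp_pre_handler(), for example `/* __memcpy(): raw stack chunk with KASAN redzones, see setjmp_pre_handler() */`, or at least a pointer to that site. Separately, the hunk does not show where `saved_sp` comes from; confirm it equals the `addr` used at save time so that `MIN_STACK_SIZE(saved_sp)` restores exactly the number of bytes `MIN_STACK_SIZE(addr)` saved.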
--
2.15.1