Re: [PATCH v3] kasan: add memory corruption identification for software tag-based mode

Wed, 10 Jul 2019 11:25:15 -0700 


On 7/9/19 5:53 AM, Walter Wu wrote:
> On Mon, 2019-07-08 at 19:33 +0300, Andrey Ryabinin wrote:
>>
>> On 7/5/19 4:34 PM, Dmitry Vyukov wrote:
>>> On Mon, Jul 1, 2019 at 11:56 AM Walter Wu <walter-zh...@mediatek.com> wrote:

>>>
>>> Sorry for delays. I am overwhelm by some urgent work. I afraid to
>>> promise any dates because the next week I am on a conference, then
>>> again a backlog and an intern starting...
>>>
>>> Andrey, do you still have concerns re this patch? This change allows
>>> to print the free stack.
>>
>> I 'm not sure that quarantine is a best way to do that. Quarantine is made 
>> to delay freeing, but we don't that here.
>> If we want to remember more free stacks wouldn't be easier simply to 
>> remember more stacks in object itself?
>> Same for previously used tags for better use-after-free identification.
>>
> 
> Hi Andrey,
> 
> We ever tried to use object itself to determine use-after-free
> identification, but tag-based KASAN immediately released the pointer
> after call kfree(), the original object will be used by another
> pointer, if we use object itself to determine use-after-free issue, then
> it has many false negative cases. so we create a lite quarantine(ring
> buffers) to record recent free stacks in order to avoid those false
> negative situations.

I'm telling that *more* than one free stack and also tags per object can be 
stored.
If object reused we would still have information about n-last usages of the 
object.
It seems like much easier and more efficient solution than patch you proposing.

As for other concern about this particular patch
 - It wasn't tested. There is deadlock (sleep in atomic) on the report path 
which would have been noticed it tested.
   Also GFP_NOWAIT allocation which fails very noisy and very often, especially 
in memory constraint enviromnent where tag-based KASAN supposed to be used.

 - Inefficient usage of memory:
        48 bytes (sizeof (qlist_object) + sizeof(kasan_alloc_meta)) per kfree() 
call seems like a lot. It could be less.

        The same 'struct kasan_track' stored twice in two different places (in 
object and in quarantine).
        Basically, at least some part of the quarantine always duplicates 
information that we already know about
        recently freed object. 

        Since now we call kmalloc() from kfree() path, every unique kfree() 
stacktrace now generates additional unique stacktrace that
        takes space in stackdepot.























					Reply via email to