KASAN的使用

adtxl
2023-10-10 / 0 评论 / 190 阅读 / 正在检测是否收录...

1. 简介

KernelAddressSANitizer(KASAN)是一个动态检测内存错误的工具。它为找到use-after-free和out-of-bounds问题提供了一个快速和全面的解决方案。KASAN使用编译时检测每个内存访问,因此您需要GCC 4.9.2或更高版本。检测堆栈或全局变量的越界访问需要GCC 5.0或更高版本。目前KASAN仅支持x86_64和arm64架构(linux 4.4版本合入)。你使用ARM64架构,那么就需要保证linux版本在4.4以上。当然了,如果你使用的linux也有可能打过KASAN的补丁。例如,使用高通平台做手机的厂商使用linux 3.18同样支持KASAN。

2.打开KASAN

直接通过menuconfig打开KASAN,在Kernel hacking-->Memory Debugging

image.png

然后编译烧写即可。

遇到问题,打开kasan后编译出来的Image比较大,需要增大下boot和recovery分区的size,顺便需要调整下系统运行的memory map

// 调整partition
--- a/partitions/partition_dynamic.xml
+++ b/partitions/partition_dynamic.xml
@@ -4,8 +4,8 @@
 
     <user_entry type = "{EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}" name = "brp" size_kb = "31744" />
     <user_entry type = "{EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}" name = "dtb" size_kb = "512" />
-    <user_entry type = "{EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}" name = "boot" size_kb = "65536" />
-    <user_entry type = "{EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}" name = "recovery" size_kb = "65536" />
+    <user_entry type = "{EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}" name = "boot" size_kb = "131072" />
+    <user_entry type = "{EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}" name = "recovery" size_kb = "131072" />
     <user_entry type = "{EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}" name = "misc" size_kb = "8192" />
     <user_entry type = "{EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}" name = "super" size_kb = "2113536" />
     <user_entry type = "{EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}" name = "cache" size_kb = "262144" />

// 调整uboot
-#define CONFIG_SYS_BOOTM_LEN           SZ_64M
+#define CONFIG_SYS_BOOTM_LEN           SZ_128M
 
 /* Physical start address of SDRAM */
 #define CONFIG_SYS_SDRAM_BASE          0x4000000
 /* Link Definitions */
 #define FDT_ADDR_R                                     CONFIG_SYS_SDRAM_BASE
 #define SCRIPT_ADDR_R                          0x4200000
-#define KERNEL_ADDR_R                          0x8280000
-#define RAMDISK_ADDR_R                         0x6280000
+#define KERNEL_ADDR_R                          0xc280000
+#define RAMDISK_ADDR_R                         0xa280000

// 调整kernel dts
-               aipu_reserved: memory@e380000 {
+               aipu_reserved: memory@24000000 {
                        compatible = "shared-dma-pool";
-                       reg = <0x0 0x0e380000 0x0 0x01000000>;
+                       reg = <0x0 0x24000000 0x0 0x01000000>;
                        no-map;
                };
 
 
-               ramoops@f380000 {
+               ramoops@23000000 {
                        compatible = "ramoops";
-                       reg = <0x0 0x0f380000 0x0 0x100000>;
+                       reg = <0x0 0x23000000 0x0 0x100000>;
                        console-size = <0x40000>;
     

3. 测试

kasan检测到内存问题,会打印类似下面的log,

[2023-10-10 14:16:16] [    0.347342] -(0)[1:swapper/0->0:swapper/0]BUG: KASAN: slab-out-of-bounds in find_next_bit+0x38/0x9c
[2023-10-10 14:16:16] [    0.347362] -(0)[1:swapper/0->0:swapper/0]Read of size 8 at addr ffff8001642e5ab0 by task swapper/0/1
[2023-10-10 14:16:16] [    0.347376] -(0)[1:swapper/0->0:swapper/0]
[2023-10-10 14:16:16] [    0.347399] -(0)[1:swapper/0->0:swapper/0]CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.176 #46
[2023-10-10 14:16:16] [    0.347415] -(0)[1:swapper/0->0:swapper/0]Hardware name: ESWIN_LD60 (DT)
[2023-10-10 14:16:16] [    0.347430] -(0)[1:swapper/0->0:swapper/0]Call trace:
[2023-10-10 14:16:16] [    0.347450] -(0)[1:swapper/0->0:swapper/0] dump_backtrace+0x0/0x1e8
[2023-10-10 14:16:16] [    0.347467] -(0)[1:swapper/0->0:swapper/0] show_stack+0x20/0x2c
[2023-10-10 14:16:16] [    0.347487] -(0)[1:swapper/0->0:swapper/0] dump_stack+0xf4/0x148
[2023-10-10 14:16:16] [    0.347507] -(0)[1:swapper/0->0:swapper/0] print_address_description+0x84/0x2e8
[2023-10-10 14:16:17] [    0.347524] -(0)[1:swapper/0->0:swapper/0] __kasan_report+0x16c/0x1cc
[2023-10-10 14:16:17] [    0.347541] -(0)[1:swapper/0->0:swapper/0] kasan_report+0x10/0x18
[2023-10-10 14:16:17] [    0.347559] -(0)[1:swapper/0->0:swapper/0] __asan_load8+0x84/0x8c
[2023-10-10 14:16:17] [    0.347577] -(0)[1:swapper/0->0:swapper/0] find_next_bit+0x38/0x9c
[2023-10-10 14:16:17] [    0.347595] -(0)[1:swapper/0->0:swapper/0] cpumask_next+0x20/0x28
[2023-10-10 14:16:17] [    0.347615] -(0)[1:swapper/0->0:swapper/0] pm_qos_update_target+0x30c/0x5c8
[2023-10-10 14:16:17] [    0.347635] -(0)[1:swapper/0->0:swapper/0] apply_constraint+0x84/0x130
[2023-10-10 14:16:17] [    0.347653] -(0)[1:swapper/0->0:swapper/0] __dev_pm_qos_add_request+0x104/0x248
[2023-10-10 14:16:17] [    0.347672] -(0)[1:swapper/0->0:swapper/0] dev_pm_qos_expose_latency_limit+0x88/0x1b0
[2023-10-10 14:16:17] [    0.347690] -(0)[1:swapper/0->0:swapper/0] register_cpu+0x1b0/0x1cc
[2023-10-10 14:16:17] [    0.347710] -(0)[1:swapper/0->0:swapper/0] topology_init+0x94/0xd4
[2023-10-10 14:16:17] [    0.347728] -(0)[1:swapper/0->0:swapper/0] do_one_initcall+0xc0/0x37c
[2023-10-10 14:16:17] [    0.347746] -(0)[1:swapper/0->0:swapper/0] do_initcall_level+0xf0/0x200
[2023-10-10 14:16:17] [    0.347762] -(0)[1:swapper/0->0:swapper/0] do_basic_setup+0x78/0x94
[2023-10-10 14:16:17] [    0.347780] -(0)[1:swapper/0->0:swapper/0] kernel_init_freeable+0x128/0x1b0
[2023-10-10 14:16:17] [    0.347797] -(0)[1:swapper/0->0:swapper/0] kernel_init+0x18/0x2ac
[2023-10-10 14:16:17] [    0.347814] -(0)[1:swapper/0->0:swapper/0] ret_from_fork+0x10/0x18
[2023-10-10 14:16:17] [    0.347828] -(0)[1:swapper/0->0:swapper/0]
[2023-10-10 14:16:17] [    0.347842] -(0)[1:swapper/0->0:swapper/0]Allocated by task 0:
[2023-10-10 14:16:17] [    0.347855] -(0)[1:swapper/0->0:swapper/0](stack is not available)
[2023-10-10 14:16:17] [    0.347868] -(0)[1:swapper/0->0:swapper/0]
[2023-10-10 14:16:17] [    0.347882] -(0)[1:swapper/0->0:swapper/0]Freed by task 0:
[2023-10-10 14:16:17] [    0.347895] -(0)[1:swapper/0->0:swapper/0](stack is not available)
[2023-10-10 14:16:17] [    0.347907] -(0)[1:swapper/0->0:swapper/0]
[2023-10-10 14:16:17] [    0.347925] -(0)[1:swapper/0->0:swapper/0]The buggy address belongs to the object at ffff8001642e5a00
[2023-10-10 14:16:17] [    0.347925]  which belongs to the cache kmalloc-128 of size 128
[2023-10-10 14:16:17] [    0.347948] -(0)[1:swapper/0->0:swapper/0]The buggy address is located 48 bytes to the right of
[2023-10-10 14:16:17] [    0.347948]  128-byte region [ffff8001642e5a00, ffff8001642e5a80)
[2023-10-10 14:16:17] [    0.347968] -(0)[1:swapper/0->0:swapper/0]The buggy address belongs to the page:
[2023-10-10 14:16:17] [    0.347983] -(0)[1:swapper/0->0:swapper/0]page:ffff7e000590b940 count:1 mapcount:0 mapping:ffff800164c03c00 index:0x0
[2023-10-10 14:16:17] [    0.348006] -(0)[1:swapper/0->0:swapper/0]flags: 0x4000000000000200(slab)
[2023-10-10 14:16:17] [    0.348031] -(0)[1:swapper/0->0:swapper/0]raw: 4000000000000200 dead000000000100 dead000000000200 ffff800164c03c00
[2023-10-10 14:16:17] [    0.348053] -(0)[1:swapper/0->0:swapper/0]raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[2023-10-10 14:16:17] [    0.348068] -(0)[1:swapper/0->0:swapper/0]page dumped because: kasan: bad access detected
[2023-10-10 14:16:17] [    0.348081] -(0)[1:swapper/0->0:swapper/0]
[2023-10-10 14:16:17] [    0.348095] -(0)[1:swapper/0->0:swapper/0]Memory state around the buggy address:
[2023-10-10 14:16:17] [    0.348113] -(0)[1:swapper/0->0:swapper/0] ffff8001642e5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[2023-10-10 14:16:17] [    0.348131] -(0)[1:swapper/0->0:swapper/0] ffff8001642e5a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[2023-10-10 14:16:17] [    0.348148] -(0)[1:swapper/0->0:swapper/0]>ffff8001642e5a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[2023-10-10 14:16:17] [    0.348163] -(0)[1:swapper/0->0:swapper/0]                                     ^
[2023-10-10 14:16:17] [    0.348179] -(0)[1:swapper/0->0:swapper/0] ffff8001642e5b00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[2023-10-10 14:16:17] [    0.348197] -(0)[1:swapper/0->0:swapper/0] ffff8001642e5b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[2023-10-10 14:16:17] [    0.348211] -(0)[1:swapper/0->0:swapper/0]==================================================================
[2023-10-10 14:16:17] [    0.348225] -(0)[1:swapper/0->0:swapper/0]Disabling lock debugging due to kernel taint
1

评论 (0)

取消