1*f80be457SAlexander Potapenko // SPDX-License-Identifier: GPL-2.0
2*f80be457SAlexander Potapenko /*
3*f80be457SAlexander Potapenko * KMSAN error reporting routines.
4*f80be457SAlexander Potapenko *
5*f80be457SAlexander Potapenko * Copyright (C) 2019-2022 Google LLC
6*f80be457SAlexander Potapenko * Author: Alexander Potapenko <glider@google.com>
7*f80be457SAlexander Potapenko *
8*f80be457SAlexander Potapenko */
9*f80be457SAlexander Potapenko
10*f80be457SAlexander Potapenko #include <linux/console.h>
11*f80be457SAlexander Potapenko #include <linux/kmsan.h>
12*f80be457SAlexander Potapenko #include <linux/moduleparam.h>
13*f80be457SAlexander Potapenko #include <linux/stackdepot.h>
14*f80be457SAlexander Potapenko #include <linux/stacktrace.h>
15*f80be457SAlexander Potapenko #include <linux/uaccess.h>
16*f80be457SAlexander Potapenko
17*f80be457SAlexander Potapenko #include "kmsan.h"
18*f80be457SAlexander Potapenko
/* Serializes report output and guards report_local_descr. */
static DEFINE_RAW_SPINLOCK(kmsan_report_lock);
/* Capacity of report_local_descr, including the terminating NUL. */
#define DESCR_SIZE 128
/* Protected by kmsan_report_lock */
static char report_local_descr[DESCR_SIZE];
/* Non-zero: kmsan_report() calls panic() after printing a report. */
int panic_on_kmsan __read_mostly;
EXPORT_SYMBOL_GPL(panic_on_kmsan);

/*
 * Force the parameter prefix so that panic_on_kmsan is exposed as the
 * "kmsan.panic" parameter (the name kmsan_report() quotes in its panic message).
 */
#ifdef MODULE_PARAM_PREFIX
#undef MODULE_PARAM_PREFIX
#endif
#define MODULE_PARAM_PREFIX "kmsan."
module_param_named(panic, panic_on_kmsan, int, 0);
31*f80be457SAlexander Potapenko
/*
 * Skip internal KMSAN frames.
 *
 * @stack_entries: saved return addresses, innermost first.
 * @num_entries:   number of valid entries in @stack_entries.
 *
 * Returns the index of the first entry whose symbol name does not start with
 * "__msan_" or "kmsan_". When every entry belongs to the runtime (including
 * the @num_entries == 0 case) the result equals @num_entries, so callers must
 * not index @stack_entries[result] without checking it first.
 */
static int get_stack_skipnr(const unsigned long stack_entries[],
			    int num_entries)
{
	char symbol[64];
	int idx;

	for (idx = 0; idx < num_entries; idx++) {
		int len = scnprintf(symbol, sizeof(symbol), "%ps",
				    (void *)stack_entries[idx]);

		/*
		 * Neither runtime prefix matched at the start of the symbol:
		 * this is the first frame of interest.
		 */
		if (strnstr(symbol, "__msan_", len) != symbol &&
		    strnstr(symbol, "kmsan_", len) != symbol)
			return idx;
	}

	/* Every saved frame was a __msan_* or kmsan_* function. */
	return idx;
}
59*f80be457SAlexander Potapenko
/*
 * Reduce a Clang local-variable description to the variable's name.
 *
 * Currently the descriptions generated by Clang look like
 *   ----local_name@function_name
 * Only the local's name is useful in a report, so every '-' is dropped and the
 * copy stops at the '@'. The result goes into the global report_local_descr
 * (no allocation; the caller must hold kmsan_report_lock) and is truncated to
 * at most DESCR_SIZE - 1 characters.
 *
 * @descr: NUL-terminated description string.
 *
 * Returns report_local_descr.
 */
static char *pretty_descr(char *descr)
{
	size_t out = 0;

	for (const char *in = descr; *in != '\0' && *in != '@'; in++) {
		if (*in == '-')
			continue;
		report_local_descr[out++] = *in;
		/* Always leave room for the terminator. */
		if (out == DESCR_SIZE - 1)
			break;
	}
	report_local_descr[out] = '\0';
	return report_local_descr;
}
85*f80be457SAlexander Potapenko
/*
 * Print the origin stack(s) recorded for an uninitialized value.
 *
 * @origin: stack depot handle of the origin; 0 means "no origin" and nothing
 *          is printed.
 *
 * An origin is classified by its first stack-depot entry (the "magic" word):
 *  - KMSAN_ALLOCA_MAGIC_ORIGIN with 4 entries: a local variable. entries[1]
 *    is the Clang-generated description, entries[2..3] the PCs printed as the
 *    creation site.
 *  - KMSAN_CHAIN_MAGIC_ORIGIN with 3 entries: a chained origin. entries[1] is
 *    the stack where the uninit value was stored, entries[2] the previous
 *    origin, which the loop then follows.
 *  - anything else: the stack where the value was created; this ends the walk.
 */
void kmsan_print_origin(depot_stack_handle_t origin)
{
	unsigned long *entries = NULL, *chained_entries = NULL;
	unsigned int nr_entries, chained_nr_entries, skipnr;
	void *pc1 = NULL, *pc2 = NULL;
	depot_stack_handle_t head;
	unsigned long magic;
	char *descr = NULL;
	unsigned int depth;

	if (!origin)
		return;

	while (true) {
		nr_entries = stack_depot_fetch(origin, &entries);
		depth = kmsan_depth_from_eb(stack_depot_get_extra_bits(origin));
		/* An empty stack carries no magic word. */
		magic = nr_entries ? entries[0] : 0;
		if ((nr_entries == 4) && (magic == KMSAN_ALLOCA_MAGIC_ORIGIN)) {
			/*
			 * NOTE(review): assumes entries[1] is a valid
			 * NUL-terminated string; pretty_descr() calls strlen()
			 * on it unconditionally -- confirm at the producer.
			 */
			descr = (char *)entries[1];
			pc1 = (void *)entries[2];
			pc2 = (void *)entries[3];
			pr_err("Local variable %s created at:\n",
			       pretty_descr(descr));
			if (pc1)
				pr_err(" %pSb\n", pc1);
			if (pc2)
				pr_err(" %pSb\n", pc2);
			break;
		}
		if ((nr_entries == 3) && (magic == KMSAN_CHAIN_MAGIC_ORIGIN)) {
			/*
			 * Origin chains deeper than KMSAN_MAX_ORIGIN_DEPTH are
			 * not stored, so the output may be incomplete.
			 */
			if (depth == KMSAN_MAX_ORIGIN_DEPTH)
				pr_err("<Zero or more stacks not recorded to save memory>\n\n");
			head = entries[1];
			origin = entries[2];
			pr_err("Uninit was stored to memory at:\n");
			chained_nr_entries =
				stack_depot_fetch(head, &chained_entries);
			/*
			 * NOTE(review): presumably the fetched entries are
			 * unpoisoned so that reading them below cannot itself
			 * trigger a nested report -- confirm.
			 */
			kmsan_internal_unpoison_memory(
				chained_entries,
				chained_nr_entries * sizeof(*chained_entries),
				/*checked*/ false);
			skipnr = get_stack_skipnr(chained_entries,
						  chained_nr_entries);
			stack_trace_print(chained_entries + skipnr,
					  chained_nr_entries - skipnr, 0);
			pr_err("\n");
			/* Continue with the previous origin in the chain. */
			continue;
		}
		pr_err("Uninit was created at:\n");
		if (nr_entries) {
			skipnr = get_stack_skipnr(entries, nr_entries);
			stack_trace_print(entries + skipnr, nr_entries - skipnr,
					  0);
		} else {
			pr_err("(stack is not available)\n");
		}
		break;
	}
}
149*f80be457SAlexander Potapenko
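/*
 * Print a KMSAN bug report for an access to uninitialized memory.
 *
 * @origin:    stack depot handle describing where the uninit value came from;
 *             0 means nothing is reported.
 * @address:   start of the checked memory range; printed when non-NULL.
 * @size:      size of the checked range in bytes; byte offsets are printed
 *             only when non-zero.
 * @off_first: offset of the first uninitialized byte within the range.
 * @off_last:  offset of the last uninitialized byte within the range.
 * @user_addr: destination user pointer, printed for REASON_COPY_TO_USER only.
 * @reason:    which kind of access failed the check; selects the bug type
 *             together with the use-after-free bit stored in @origin.
 *
 * Nothing is printed while KMSAN is disabled, while already inside the KMSAN
 * runtime, or while current->kmsan_ctx.depth is non-zero. The report runs
 * inside kmsan_enter_runtime()/kmsan_leave_runtime(), so a nested call made
 * while it is being printed sees kmsan_in_runtime() and returns early.
 * Output is serialized by kmsan_report_lock; the kernel is tainted after the
 * report and panics if kmsan.panic is set.
 */
void kmsan_report(depot_stack_handle_t origin, void *address, int size,
		  int off_first, int off_last, const void __user *user_addr,
		  enum kmsan_bug_reason reason)
{
	unsigned long stack_entries[KMSAN_STACK_DEPTH];
	int num_stack_entries, skipnr;
	char *bug_type = NULL;
	unsigned long ua_flags;
	bool is_uaf;

	if (!kmsan_enabled || kmsan_in_runtime())
		return;
	if (current->kmsan_ctx.depth)
		return;
	if (!origin)
		return;

	kmsan_enter_runtime();
	ua_flags = user_access_save();
	raw_spin_lock(&kmsan_report_lock);
	pr_err("=====================================================\n");
	is_uaf = kmsan_uaf_from_eb(stack_depot_get_extra_bits(origin));
	/* No default: an unhandled enum value is meant to be a compiler warning. */
	switch (reason) {
	case REASON_ANY:
		bug_type = is_uaf ? "use-after-free" : "uninit-value";
		break;
	case REASON_COPY_TO_USER:
		bug_type = is_uaf ? "kernel-infoleak-after-free" :
				    "kernel-infoleak";
		break;
	case REASON_SUBMIT_URB:
		bug_type = is_uaf ? "kernel-usb-infoleak-after-free" :
				    "kernel-usb-infoleak";
		break;
	}

	/* Skip this function's own frame, then any further runtime frames. */
	num_stack_entries =
		stack_trace_save(stack_entries, KMSAN_STACK_DEPTH, 1);
	skipnr = get_stack_skipnr(stack_entries, num_stack_entries);

	/*
	 * get_stack_skipnr() returns num_stack_entries when it finds no frame
	 * outside the KMSAN runtime (or when no frames were saved at all); in
	 * that case stack_entries[skipnr] is past the end of the array, so
	 * report a NULL location rather than reading it.
	 */
	pr_err("BUG: KMSAN: %s in %pSb\n", bug_type,
	       skipnr < num_stack_entries ? (void *)stack_entries[skipnr] :
					    NULL);
	stack_trace_print(stack_entries + skipnr, num_stack_entries - skipnr,
			  0);
	pr_err("\n");

	kmsan_print_origin(origin);

	if (size) {
		pr_err("\n");
		if (off_first == off_last)
			pr_err("Byte %d of %d is uninitialized\n", off_first,
			       size);
		else
			pr_err("Bytes %d-%d of %d are uninitialized\n",
			       off_first, off_last, size);
	}
	if (address)
		pr_err("Memory access of size %d starts at %px\n", size,
		       address);
	if (user_addr && reason == REASON_COPY_TO_USER)
		pr_err("Data copied to user address %px\n", user_addr);
	pr_err("\n");
	dump_stack_print_info(KERN_ERR);
	pr_err("=====================================================\n");
	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
	raw_spin_unlock(&kmsan_report_lock);
	/* panic() does not return; the lock is already released above. */
	if (panic_on_kmsan)
		panic("kmsan.panic set ...\n");
	user_access_restore(ua_flags);
	kmsan_leave_runtime();
}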