-
在kernel中使用内存检测
目录
一般的内存访问错误如下:
- 越界访问
- 访问已经释放的内存
- 重复释放
- 内存泄露
- 栈溢出
在内核中提供了内存检测的工具slub与kasan,在开发时可以将检测的功能打开。
一、slub内存检测
在linux内核中,对于小块内存分配,大量使用slab/slub分配器,在内存访问中比较容易出错的地方如下:
- 访问已经释放的内存
- 越界访问
- 重复释放
内核配置
CONFIG_SLUB=y
CONFIG_SLUB_DEBUG_ON=y
CONFIG_SLUB_STATS=y
使用的工具tools/vm/slabinfo
1、越界访问
- static noinline void __init kmalloc_pagealloc_oob_right(void)
- {
- char *ptr;
- size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
- /* Allocate a chunk that does not fit into a SLUB cache to trigger
- * the page allocator fallback.
- */
- pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n");
- ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
- pr_err("Allocation failed\n");
- return;
- }
- ptr[size] = 0;
- kfree(ptr);
- }
2、释放后再访问
- static noinline void __init kmalloc_pagealloc_uaf(void)
- {
- char *ptr;
- size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
- pr_info("kmalloc pagealloc allocation: use-after-free\n");
- ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
- pr_err("Allocation failed\n");
- return;
- }
- kfree(ptr);
- ptr[0] = 0;
- }
3、无效的释放
- static noinline void __init kmalloc_pagealloc_invalid_free(void)
- {
- char *ptr;
- size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
- pr_info("kmalloc pagealloc allocation: invalid-free\n");
- ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
- pr_err("Allocation failed\n");
- return;
- }
- kfree(ptr + 1);
- }
4、实验输出
- 内存越界访问Redzone overwritten、Object padding overwritten
- 重复释放Object already free
- 访问已释放内存为Posion overwritten
- # insmod slub3.ko
- [ 997.342740] :access free memory
- benshushu:slub_test_3# [ 997.436270] =============================================================================
- [ 997.437705] BUG kmalloc-128 (Tainted: G B OE ): Redzone overwritten
- [ 997.438153] -----------------------------------------------------------------------------
- [ 997.438153]
- [ 997.440009] INFO: 0x000000001c0937b9-0x0000000065391b57. First byte 0x55 instead of 0xcc
- [ 997.442519] INFO: Allocated in create_slub_error+0x30/0x94 [slub3] age=63120 cpu=1 pid=1602
有的时候需要使用slabinfo -v才能输出错误
- slub_test# ./slabinfo -v
- [ 1112.602383] =============================================================================
- [ 1112.602945] BUG kmalloc-128 (Tainted: G B OE ): Redzone overwritten
- [ 1112.603254] -----------------------------------------------------------------------------
- [ 1112.603254]
- [ 1112.603773] INFO: 0x00000000583020f8-0x00000000583020f8. First byte 0x55 instead of 0xcc
- [ 1112.604214] INFO: Allocated in create_slub_error+0x34/0xdc [slub4] age=4071 cpu=0 pid=1687
- [ 1112.604661] __slab_alloc+0x64/0xb0
- [ 1112.604822] __kmalloc+0x558/0xee4
- [ 1112.605002] create_slub_error+0x34/0xdc [slub4]
二、KASAN 内存检测
KASAN(Kernal Address SANtizer)在Linux4.0版本中合并到官方的内核。是动态检测内存错误的工具。可以检查内存越界和使用已经释放的内存等问题。KASAN比kmemcheck工具检测速度快。
内核配置
CONFIG_HAVE_ARCH_KASAN=y
CONFIG_KASAN=y
CONFIG_KASAN_OUTLINE=y
CONFIG_KASAN_INLINE=y
CONFIG_TEST_KASAN=m //编译test_kasan.ko测试模块
内核源码中的测试程序/lib/test_ksacn.c
- static int __init kmalloc_tests_init(void)
- {
- /*
- * Temporarily enable multi-shot mode. Otherwise, we'd only get a
- * report for the first case.
- */
- bool multishot = kasan_save_enable_multi_shot();
- kmalloc_oob_right();
- kmalloc_oob_left();
- kmalloc_node_oob_right();
- #ifdef CONFIG_SLUB
- kmalloc_pagealloc_oob_right();
- kmalloc_pagealloc_uaf();
- kmalloc_pagealloc_invalid_free();
- #endif
- kmalloc_large_oob_right();
- kmalloc_oob_krealloc_more();
- kmalloc_oob_krealloc_less();
- kmalloc_oob_16();
- kmalloc_oob_in_memset();
- kmalloc_oob_memset_2();
- kmalloc_oob_memset_4();
- kmalloc_oob_memset_8();
- kmalloc_oob_memset_16();
- kmalloc_uaf();
- kmalloc_uaf_memset();
- kmalloc_uaf2();
- kmem_cache_oob();
- memcg_accounted_kmem_cache();
- kasan_stack_oob();
- kasan_global_oob();
- kasan_alloca_oob_left();
- kasan_alloca_oob_right();
- ksize_unpoisons_memory();
- copy_user_test();
- use_after_scope_test();
- kmem_cache_double_free();
- kmem_cache_invalid_free();
- kasan_memchr();
- kasan_memcmp();
- kasan_strings();
- kasan_restore_multi_shot(multishot);
- return -EAGAIN;
- }
从上选择其中两个解析
1、数组越界
- static noinline void __init kmalloc_oob_right(void)
- {
- char *ptr;
- size_t size = 123;
- pr_info("out-of-bounds to right\n");
- ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
- pr_err("Allocation failed\n");
- return;
- }
- ptr[size] = 'x';
- kfree(ptr);
- }
2、栈的越界访问
- static noinline void __init kasan_stack_oob(void)
- {
- char stack_array[10];
- volatile int i = 0;
- char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
- pr_info("out-of-bounds on stack\n");
- *(volatile char *)p;
- }
3、实验输出
1)在内核中同时开启ksasn与slub的检测的检测,内存错误优先被kasan检测到,如下所示:
- slub_test_1# insmod slub1.ko
- [ 744.870946] slub1: loading out-of-tree module taints kernel.
- [ 744.886482] slub1: module verification failed: signature and/or required key missing - tainting kernel
- [ 744.958499] module init
- [ 744.959688] ==================================================================
- [ 744.962726] BUG: KASAN: slab-out-of-bounds in create_slub_error+0x6c/0x78 [slub1]
- [ 744.963528] Write of size 130 at addr ffff800019ea1200 by task insmod/1602
- [ 744.964141]
- slub_test_2# insmod slub2.ko
- [ 874.303487] my module init
- [ 874.304834] ben:double free test
- [ 874.305266] ==================================================================
- [ 874.306672] BUG: KASAN: double-free or invalid-free in create_slub_error+0x98/0xa4 [slub2]
- [ 874.307269]
2)将test_kasan.ko加载后,所有的打印输出有所缩减,把检测到的提示错误保留
slab-out-of-bounds, use-after-free,double-free or invalid-free,alloca-out-of-bounds
- insmod test_kasan.ko
- [ 96.717377] test_kasan: module verification failed: signature and/or required key missing - tainting kernel
- [ 96.788908] kasan test: kmalloc_oob_right out-of-bounds to right
- [ 96.790675] ==================================================================
- [ 96.794556] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xc8/0xe4 [test_kasan]
- [ 96.796122] Write of size 1 at addr ffff80001cebcffb by task insmod/569
- [ 96.796619]
- [ 96.797727] CPU: 0 PID: 569 Comm: insmod Kdump: loaded Tainted: G E 5.0.0+ #2
- [ 96.798290] Hardware name: linux,dummy-virt (DT)
- [ 96.799205] Call trace:
- [ 96.800667] dump_backtrace+0x0/0x97c
- [ 96.801030] show_stack+0x24/0x30
- [ 96.801283] __dump_stack+0x20/0x2c
- [ 96.801673] dump_stack+0x318/0x690
- [ 96.802003] print_address_description+0x38/0x42c
- [ 96.802371] kasan_report+0x194/0x1e8
- [ 96.802727] __asan_report_store1_noabort+0x30/0x3c
- [ 96.803462] kmalloc_oob_right+0xc8/0xe4 [test_kasan]
- [ 96.805821] kmalloc_tests_init+0x14/0x640 [test_kasan]
- [ 96.806516] do_one_initcall+0xc8c/0x1ca4
- [ 96.806802] do_init_module+0x1d8/0x784
- [ 96.807130] load_module+0x1210/0x1920
- [ 96.808033] __se_sys_finit_module+0x1c8/0x224
- [ 96.808527] __arm64_sys_finit_module+0xbc/0xc8
- [ 96.809137] __invoke_syscall+0x24/0x2c
- [ 96.809389] invoke_syscall+0xcc/0x128
- [ 96.809557] el0_svc_common+0x1c4/0x2d0
- [ 96.809746] el0_svc_handler+0x91c/0x960
- [ 96.809946] el0_svc+0x8/0xc
- [ 96.810422]
- [ 96.810770] Allocated by task 569:
- [ 96.811245] __kasan_kmalloc+0x148/0x290
- [ 96.811886] kasan_kmalloc+0x30/0x38
- [ 96.812672] __kmalloc+0xea4/0xee4
- [ 96.813049] kmalloc_oob_right+0x48/0xe4 [test_kasan]
- [ 96.813561] kmalloc_tests_init+0x14/0x640 [test_kasan]
- [ 96.814003] do_one_initcall+0xc8c/0x1ca4
- [ 96.814363] do_init_module+0x1d8/0x784
- [ 96.814589] load_module+0x1210/0x1920
- [ 96.814829] __se_sys_finit_module+0x1c8/0x224
- [ 96.815093] __arm64_sys_finit_module+0xbc/0xc8
- [ 96.816164] __invoke_syscall+0x24/0x2c
- [ 96.816581] invoke_syscall+0xcc/0x128
- [ 96.817567] el0_svc_common+0x1c4/0x2d0
- [ 96.817836] el0_svc_handler+0x91c/0x960
- [ 96.818363] el0_svc+0x8/0xc
- [ 96.818832]
- [ 96.819123] Freed by task 0:
- [ 96.820128] (stack is not available)
- [ 96.820582]
- [ 96.820839] The buggy address belongs to the object at ffff80001cebcf80
- [ 96.820839] which belongs to the cache kmalloc-128 of size 128
- [ 96.821736] The buggy address is located 123 bytes inside of
- [ 96.821736] 128-byte region [ffff80001cebcf80, ffff80001cebd000)
- [ 96.823027] The buggy address belongs to the page:
- [ 96.827418] page:ffff7e000073af00 count:1 mapcount:0 mapping:ffff800021c0c400 index:0xffff80001cebed80 compound_mapcount: 0
- [ 96.830608] flags: 0xffff00000010200(slab|head)
- [ 96.831566] raw: 0ffff00000010200 ffff7e0000752f08 ffff800021c03c90 ffff800021c0c400
- [ 96.833056] raw: ffff80001cebed80 0000000000190012 00000001ffffffff 0000000000000000
- [ 96.833864] page dumped because: kasan: bad access detected
- [ 96.834505]
- [ 96.834866] Memory state around the buggy address:
- [ 96.836134] ffff80001cebce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- [ 96.837813] ffff80001cebcf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- [ 96.839023] >ffff80001cebcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03
- [ 96.840070] ^
- [ 96.840943] ffff80001cebd000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- [ 96.841405] ffff80001cebd080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- [ 96.841988] ==================================================================
- [ 96.842481] Disabling lock debugging due to kernel taint
- [ 96.844009] kasan test: kmalloc_oob_left out-of-bounds to left
- [ 96.845114] ==================================================================
- [ 96.849223] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0xc0/0x134 [test_kasan]
- [ 96.850317] Read of size 1 at addr ffff80001cebed7f by task insmod/569
- [ 96.895962] ==================================================================
- [ 96.898866] kasan test: kmalloc_node_oob_right kmalloc_node(): out-of-bounds to right
- [ 96.902638] ==================================================================
- [ 96.905146] BUG: KASAN: slab-out-of-bounds in kmalloc_node_oob_right+0xd0/0xe8 [test_kasan]
- [ 96.906247] Write of size 1 at addr ffff800015826a80 by task insmod/569
- [ 96.907658]
- [ 96.967853] ==================================================================
- [ 96.970577] kasan test: kmalloc_pagealloc_oob_right kmalloc pagealloc allocation: out-of-bounds to right
- [ 96.973391] ==================================================================
- [ 96.974297] BUG: KASAN: slab-out-of-bounds in kmalloc_pagealloc_oob_right+0xc8/0xe0 [test_kasan]
- [ 96.976085] Write of size 1 at addr ffff80001c0be00a by task insmod/569
- [ 97.009774] ==================================================================
- [ 97.013784] kasan test: kmalloc_pagealloc_uaf kmalloc pagealloc allocation: use-after-free
- [ 97.015457] ==================================================================
- [ 97.016937] BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0xc0/0xd0 [test_kasan]
- [ 97.018264] Write of size 1 at addr ffff80001c0bc000 by task insmod/569
- [ 97.021236]
- [ 97.058048] ==================================================================
- [ 97.062012] kasan test: kmalloc_pagealloc_invalid_free kmalloc pagealloc allocation: invalid-free
- [ 97.063042] ==================================================================
- [ 97.064403] BUG: KASAN: double-free or invalid-free in kmalloc_pagealloc_invalid_free+0x78/0x80 [test_kasan]
- [ 97.563543] ==================================================================
- [ 97.565871] kasan test: kmalloc_oob_memset_16 out-of-bounds in memset16
- [ 97.566822] ==================================================================
- [ 97.567581] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_memset_16+0x80/0x90 [test_kasan]
- [ 97.568841] Write of size 16 at addr ffff80001d4bc081 by task insmod/569
- [ 97.618222] ==================================================================
- [ 97.620924] kasan test: kmalloc_uaf use-after-free
- [ 97.622887] ==================================================================
- [ 97.624507] BUG: KASAN: use-after-free in kmalloc_uaf+0xcc/0xe0 [test_kasan]
- [ 97.626212] Write of size 1 at addr ffff80001d4bc588 by task insmod/569
- [ 97.627438]
- [ 97.672285] ==================================================================
- [ 97.673872] kasan test: kmalloc_uaf_memset use-after-free in memset
- [ 97.674501] ==================================================================
- [ 97.675046] BUG: KASAN: use-after-free in kmalloc_uaf_memset+0x84/0x8c [test_kasan]
- [ 97.675620] Write of size 33 at addr ffff80001d4bf500 by task insmod/569
- [ 97.676672] ==================================================================
- [ 98.023758] kasan test: memcg_accounted_kmem_cache allocate memcg accounted object
- [ 98.674484] kasan test: kasan_stack_oob out-of-bounds on stack
- [ 98.675223] ==================================================================
- [ 98.678286] BUG: KASAN: stack-out-of-bounds in kasan_stack_oob+0xf8/0x144 [test_kasan]
- [ 98.679094] Read of size 1 at addr ffff8000197df39a by task insmod/569
- [ 98.679522] [ 98.735804]
- [ 98.867912] ==================================================================
- [ 98.870386] kasan test: copy_user_test out-of-bounds in copy_from_user()
- [ 98.871485] ==================================================================
- [ 98.872960] BUG: KASAN: slab-out-of-bounds in copy_user_test+0x28c/0x8d8 [test_kasan]
- [ 98.874518] Write of size 11 at addr ffff80001c007000 by task insmod/569
- [ 98.875381][ 98.932274] ==================================================================
- [ 98.934343] kasan test: copy_user_test out-of-bounds in copy_to_user()
- [ 98.935494] ==================================================================
- [ 98.936524] BUG: KASAN: slab-out-of-bounds in copy_user_test+0x500/0x8d8 [test_kasan]
- [ 98.937066] Read of size 11 at addr ffff80001c007000 by task insmod/569
- [ 98.938636][ 98.993046]
- [ 99.049702] ==================================================================
- [ 99.051988] kasan test: copy_user_test out-of-bounds in __copy_to_user()
- [ 99.052711] ==================================================================
- [ 99.054365] BUG: KASAN: slab-out-of-bounds in copy_user_test+0x67c/0x8d8 [test_kasan]
- [ 99.056035] Read of size 11 at addr ffff80001c007000 by task insmod/569
- [ 99.057768]
- [ 99.297345] ==================================================================
- [ 99.303983] kasan test: use_after_scope_test use-after-scope on int
- [ 99.305426] kasan test: use_after_scope_test use-after-scope on array
- [ 99.319414] kasan test: kmem_cache_double_free double-free on heap object
- [ 99.321611] ==================================================================
- [ 99.322758] BUG: KASAN: double-free or invalid-free in kmem_cache_double_free+0xc4/0xd4 [test_kasan]
- [ 99.324030]
- [ 99.718299] ==================================================================
- [ 99.719678] kasan test: kasan_memcmp out-of-bounds in memcmp
- [ 99.721512] ==================================================================
- [ 99.722675] BUG: KASAN: slab-out-of-bounds in memcmp+0x7c/0x138
- [ 99.723387] Read of size 1 at addr ffff80001d62b798 by task insmod/569
- [ 99.723956]
- [ 99.808130] ==================================================================
- [ 99.810907] kasan test: kasan_strings use-after-free in strchr
- [ 99.812133] ==================================================================
- [ 99.812909] BUG: KASAN: use-after-free in strchr+0xd0/0xf4
- [ 99.813602] Read of size 1 at addr ffff80001d629c10 by task insmod/569
- [ 99.814186]
- [ 100.231048] ==================================================================
- [ 100.232472] kasan test: kasan_strings use-after-free in strncmp
- [ 100.235615] ==================================================================
- [ 100.241922] BUG: KASAN: use-after-free in strncmp+0x74/0x148
- [ 100.243947] Read of size 1 at addr ffff80001d629c10 by task insmod/569
- [ 100.244851]
- [ 100.293083] ffff80001d629c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- [ 100.293951] ffff80001d629d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-
相关阅读:
“深入理解机器学习性能评估指标:TP、TN、FP、FN、精确率、召回率、准确率、F1-score和mAP”
AGV小车、机械臂协同作业实战06-任务分配算法(图解蚁群算法)代码示例java
C#、C++、Java、Python 选择哪个好?
494. 目标和
集合转json json转集合
磷酸铁锂电池回收浸出液除铝
elastic-job源码分析
使用gitpull项目的时候第一次输错密码之后报错Authentication failed for “http://xxxxxx“
算法学习(一)—— 如何看待数据结构与算法
Java - Object#finalize在JDK9中被标记废弃了!
- 原文地址:https://blog.csdn.net/WANGYONGZIXUE/article/details/126922861
