Enabling KASan on Ubuntu 16.04 to detect kernel memory errors at run time (upgrading the Ubuntu 16.04 4.4.0 kernel to linux-4.4.252 from source)

KASan has only been supported since kernel v4.0 and is off by default, so the kernel has to be configured and rebuilt to enable it (gcc 5.0 or later is required for full support).

Test environment for this post:

root@ubuntu:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:        16.04
Codename:       xenial
root@ubuntu:~# 
root@ubuntu:~# uname -r
4.4.0-142-generic
root@ubuntu:~# 

So this post first upgrades the Ubuntu 16.04 4.4.0 kernel to linux-4.4.252 by building it from source, then writes a small test module to see what KASan reports.


I. Build the kernel with KASan enabled

1. Download the source

Download the kernel source from the official kernel site (kernel.org); I chose linux-4.4.252.

After downloading, extract it under /usr/src.

2. Install the libraries needed to build the kernel:

apt-get install nc libssl-dev -y
apt-get install build-essential openssl -y
apt-get install zlibc minizip -y
apt-get install libidn11-dev libidn11 -y

3. Clean out any previous kernel build configuration

root@ubuntu:/usr/src# cd linux-4.4.252/
root@ubuntu:/usr/src/linux-4.4.252# make mrproper 
  CLEAN   scripts/basic
  CLEAN   scripts/kconfig
  CLEAN   include/config include/generated
root@ubuntu:/usr/src/linux-4.4.252# make clean
root@ubuntu:/usr/src/linux-4.4.252# 


4. Open the configuration menu

root@ubuntu:/usr/src# cd linux-4.4.252/
root@ubuntu:/usr/src/linux-4.4.252# make menuconfig

Go to Kernel hacking > Memory Debugging and configure the memory-debugging options; I enabled most of the debug options here:

[Figure 1: the Kernel hacking > Memory Debugging menu with the selected debug options]

In the KASan options, set Instrumentation type to inline:

[Figure 2: the KASan Instrumentation type option set to inline]

When you are done, choose Exit and then Yes to save the configuration.

5. Start the build:

make -j4

6. Install the modules

root@ubuntu:/usr/src/linux-4.4.252# make modules_install 

7. Install the kernel

root@ubuntu:/usr/src/linux-4.4.252# make install 
sh ./arch/x86/boot/install.sh 4.4.252 arch/x86/boot/bzImage \
        System.map "/boot"
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.4.252 /boot/vmlinuz-4.4.252
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 4.4.252 /boot/vmlinuz-4.4.252
update-initramfs: Generating /boot/initrd.img-4.4.252
run-parts: executing /etc/kernel/postinst.d/zz-update-grub 4.4.252 /boot/vmlinuz-4.4.252
Generating grub configuration file ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-4.4.252
Found initrd image: /boot/initrd.img-4.4.252
Found linux image: /boot/vmlinuz-4.4.0-171-generic
Found initrd image: /boot/initrd.img-4.4.0-171-generic
Found linux image: /boot/vmlinuz-4.4.0-170-generic
Found initrd image: /boot/initrd.img-4.4.0-170-generic
Found linux image: /boot/vmlinuz-4.4.0-142-generic
Found initrd image: /boot/initrd.img-4.4.0-142-generic
done

8. Change the kernel boot order

root@ubuntu:~# grep menuentry /boot/grub/grub.cfg
if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
  menuentry_id_option=""
export menuentry_id_option
menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-39f6e796-6e9e-41ae-89db-fade0f403ad4' {
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-39f6e796-6e9e-41ae-89db-fade0f403ad4' {
        menuentry 'Ubuntu, with Linux 4.4.252' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.252-advanced-39f6e796-6e9e-41ae-89db-fade0f403ad4' {
        menuentry 'Ubuntu, with Linux 4.4.252 (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.252-recovery-39f6e796-6e9e-41ae-89db-fade0f403ad4' {
        menuentry 'Ubuntu, with Linux 4.4.0-171-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-171-generic-advanced-39f6e796-6e9e-41ae-89db-fade0f403ad4' {
        menuentry 'Ubuntu, with Linux 4.4.0-171-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-171-generic-recovery-39f6e796-6e9e-41ae-89db-fade0f403ad4' {
        menuentry 'Ubuntu, with Linux 4.4.0-170-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-170-generic-advanced-39f6e796-6e9e-41ae-89db-fade0f403ad4' {
        menuentry 'Ubuntu, with Linux 4.4.0-170-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-170-generic-recovery-39f6e796-6e9e-41ae-89db-fade0f403ad4' {
        menuentry 'Ubuntu, with Linux 4.4.0-142-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-142-generic-advanced-39f6e796-6e9e-41ae-89db-fade0f403ad4' {
        menuentry 'Ubuntu, with Linux 4.4.0-142-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-142-generic-recovery-39f6e796-6e9e-41ae-89db-fade0f403ad4' {

Edit the GRUB defaults:

root@ubuntu:~# vi /etc/default/grub 

Set GRUB_DEFAULT="Advanced options for Ubuntu>Ubuntu, with Linux 4.4.252"; the text after ">" is the title of the newly generated menuentry found above.

Then run update-grub so the change takes effect:

root@ubuntu:~# update-grub
Generating grub configuration file ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-4.4.252
Found initrd image: /boot/initrd.img-4.4.252
Found linux image: /boot/vmlinuz-4.4.0-171-generic
Found initrd image: /boot/initrd.img-4.4.0-171-generic
Found linux image: /boot/vmlinuz-4.4.0-170-generic
Found initrd image: /boot/initrd.img-4.4.0-170-generic
Found linux image: /boot/vmlinuz-4.4.0-142-generic
Found initrd image: /boot/initrd.img-4.4.0-142-generic
done
root@ubuntu:~# 

9. Reboot
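After the reboot, and before building the test module, it is worth confirming that the kernel you are now running really carries the KASan settings chosen in step 4 and that the compiler meets the gcc 5.0 requirement stated at the top. The program below is an added example and not code from the original post: kasan_config_status() classifies .config text (the format of the build tree's /usr/src/linux-4.4.252/.config, and of /boot/config-<version> if your installkernel copied it there), and gcc_major() parses the output of "gcc -dumpversion". The config text embedded in main() is constructed for illustration, not copied from a real build.

```c
/* Added example, not from the original post: a user-space checker for the two
 * prerequisites the steps above depend on.  It reads nothing from a running
 * kernel; pass a .config path on the command line to classify a real file. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum kasan_status {
    KASAN_OFF = 0,   /* CONFIG_KASAN missing, =m, or "# CONFIG_KASAN is not set" */
    KASAN_NO_MODE,   /* CONFIG_KASAN=y but no instrumentation type chosen */
    KASAN_OUTLINE,   /* CONFIG_KASAN=y and CONFIG_KASAN_OUTLINE=y */
    KASAN_INLINE     /* CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y: what step 4 picks */
};

/* True if line (already stripped of its newline) is exactly "SYMBOL=y". */
static int is_set_y(const char *line, const char *symbol)
{
    size_t n = strlen(symbol);
    return strncmp(line, symbol, n) == 0 && strcmp(line + n, "=y") == 0;
}

/* Walk the config line by line.  Matching whole lines means the
 * "# CONFIG_KASAN is not set" comment can never count as enabled. */
enum kasan_status kasan_config_status(const char *config_text)
{
    int kasan = 0, inl = 0, outl = 0;
    const char *p = config_text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];

        if (len >= sizeof line)
            len = sizeof line - 1;      /* truncate absurdly long lines */
        memcpy(line, p, len);
        line[len] = '\0';

        if (is_set_y(line, "CONFIG_KASAN"))         kasan = 1;
        if (is_set_y(line, "CONFIG_KASAN_INLINE"))  inl = 1;
        if (is_set_y(line, "CONFIG_KASAN_OUTLINE")) outl = 1;

        p = nl ? nl + 1 : p + strlen(p);
    }
    if (!kasan) return KASAN_OFF;
    if (inl)    return KASAN_INLINE;
    if (outl)   return KASAN_OUTLINE;
    return KASAN_NO_MODE;
}

/* Major version from "gcc -dumpversion" output ("5.4.0", "9", ...);
 * -1 if the text does not start with a digit. */
int gcc_major(const char *dumpversion)
{
    if (!dumpversion || !isdigit((unsigned char)dumpversion[0]))
        return -1;
    return (int)strtol(dumpversion, NULL, 10);
}

/* The post's compiler requirement: gcc 5.0 or newer for full KASan support. */
int gcc_ok_for_kasan(const char *dumpversion)
{
    return gcc_major(dumpversion) >= 5;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "off", "no-mode", "outline", "inline" };
    /* Constructed sample of what step 4 should have produced. */
    const char *sample = "CONFIG_KASAN=y\n"
                         "# CONFIG_KASAN_OUTLINE is not set\n"
                         "CONFIG_KASAN_INLINE=y\n";

    printf("sample config: kasan=%s\n", names[kasan_config_status(sample)]);
    printf("gcc 5.4.0 ok=%d, gcc 4.8.5 ok=%d\n",
           gcc_ok_for_kasan("5.4.0"), gcc_ok_for_kasan("4.8.5"));

    if (argc > 1) {   /* e.g. ./kasan_check /usr/src/linux-4.4.252/.config */
        static char buf[1 << 20];   /* far larger than any 4.4 .config */
        FILE *f = fopen(argv[1], "r");
        if (!f) { perror(argv[1]); return 1; }
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
        printf("%s: kasan=%s\n", argv[1], names[kasan_config_status(buf)]);
    }
    return 0;
}
```

If the result is "outline" rather than "inline", the build silently fell back; the kernel's scripts/Makefile.kasan does that when the compiler cannot do inline instrumentation, which is the practical reason behind the gcc 5.0 requirement.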

II. Write a test kernel module

1. Write the test code and save it as my_lkm.c

// Header names restored here; the page's copy of this file lost everything
// between the angle brackets.
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/printk.h>   // printk
#include <linux/errno.h>    // ENOMEM
#include <linux/types.h>    // size_t
#include <linux/slab.h>     // kmalloc, kfree

MODULE_LICENSE("GPL");

static int __init test_init(void)
{
    char *ptr;
    size_t size = 124;

    printk(KERN_INFO "out-of-bounds to right\n");
    ptr = kmalloc(size, GFP_KERNEL);   // a 124-byte request lands in the kmalloc-128 slab
    if (!ptr) {
        printk(KERN_ERR "Allocation failed\n");
        return -ENOMEM;
    }
    printk(KERN_INFO "ptr address: %p\n", ptr);

    ptr[size] = 'x';   // deliberate one-byte write just past the end; KASan should flag it
    printk(KERN_INFO "ptr[size] address: %p\n", ptr + size);

    kfree(ptr);
    return 0;
}

static void __exit test_exit(void)
{
    printk(KERN_INFO "%s removed.\n", __func__);
}

module_init(test_init);
module_exit(test_exit);

2. Write the Makefile

vi Makefile

Contents:

obj-m += my_test_lkm.o
my_test_lkm-objs := my_lkm.o

EXTRA_CFLAGS += -g -Wall

all:
	make -C /usr/src/linux-4.4.252/ M=$(PWD) modules

clean:
	make -C /usr/src/linux-4.4.252/ M=$(PWD) clean

3. Build

root@ubuntu:/home/test_ko/lkm-test05# make
make -C /usr/src/linux-4.4.252/ M=/home/test_ko/lkm-test05 modules
make[1]: Entering directory '/usr/src/linux-4.4.252'
  CC [M]  /home/test_ko/lkm-test05/my_lkm.o
  LD [M]  /home/test_ko/lkm-test05/my_test_lkm.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/test_ko/lkm-test05/my_test_lkm.mod.o
  LD [M]  /home/test_ko/lkm-test05/my_test_lkm.ko
make[1]: Leaving directory '/usr/src/linux-4.4.252'
root@ubuntu:/home/test_ko/lkm-test05# 

4. insmod my_test_lkm.ko

5. Watch the kernel log with dmesg -Tw:

[Tue Jan 19 18:27:29 2021] out-of-bounds to right
[Tue Jan 19 18:27:29 2021] ptr address: ffff8800badbd910
[Tue Jan 19 18:27:29 2021] ==================================================================
[Tue Jan 19 18:27:29 2021] BUG: KASAN: slab-out-of-bounds in test_init+0xa2/0x1000 [my_test_lkm] at addr ffff8800badbd98c
[Tue Jan 19 18:27:29 2021] Write of size 1 by task insmod/100870
[Tue Jan 19 18:27:29 2021] =============================================================================
[Tue Jan 19 18:27:29 2021] BUG kmalloc-128 (Tainted: G    B      OE  ): kasan: bad access detected
[Tue Jan 19 18:27:29 2021] -----------------------------------------------------------------------------

[Tue Jan 19 18:27:29 2021] INFO: Allocated in test_init+0x4c/0x1000 [my_test_lkm] age=4 cpu=0 pid=100870
[Tue Jan 19 18:27:29 2021]      ___slab_alloc+0x4d9/0x550
[Tue Jan 19 18:27:29 2021]      __slab_alloc+0x20/0x40
[Tue Jan 19 18:27:29 2021]      kmem_cache_alloc_trace+0x24c/0x2e0
[Tue Jan 19 18:27:29 2021]      test_init+0x4c/0x1000 [my_test_lkm]
[Tue Jan 19 18:27:29 2021]      do_one_initcall+0x143/0x300
[Tue Jan 19 18:27:29 2021]      do_init_module+0x1d9/0x4de
[Tue Jan 19 18:27:29 2021]      load_module+0x6a4f/0xa160
[Tue Jan 19 18:27:29 2021]      SYSC_finit_module+0x126/0x160
[Tue Jan 19 18:27:29 2021]      SyS_finit_module+0xe/0x10
[Tue Jan 19 18:27:29 2021]      entry_SYSCALL_64_fastpath+0x22/0x9e
[Tue Jan 19 18:27:29 2021] INFO: Freed in load_elf_binary+0x220/0x4480 age=14729 cpu=0 pid=100293
[Tue Jan 19 18:27:29 2021]      __slab_free+0x1bc/0x300
[Tue Jan 19 18:27:29 2021]      kfree+0x106/0x1e0
[Tue Jan 19 18:27:29 2021]      load_elf_binary+0x220/0x4480
[Tue Jan 19 18:27:29 2021]      search_binary_handler+0x156/0x430
[Tue Jan 19 18:27:29 2021]      do_execveat_common.isra.31+0x1025/0x1ae0
[Tue Jan 19 18:27:29 2021]      SyS_execve+0x3a/0x50
[Tue Jan 19 18:27:29 2021]      return_from_execve+0x0/0x23
[Tue Jan 19 18:27:29 2021] INFO: Slab 0xffffea0002eb6e00 objects=71 used=30 fp=0xffff8800badbb738 flags=0x1ffff8000004080
[Tue Jan 19 18:27:29 2021] INFO: Object 0xffff8800badbd910 @offset=22800 fp=0xffff8800badb9728

[Tue Jan 19 18:27:29 2021] Bytes b4 ffff8800badbd900: 19 37 d1 00 01 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  .7......ZZZZZZZZ
[Tue Jan 19 18:27:29 2021] Object ffff8800badbd910: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[Tue Jan 19 18:27:29 2021] Object ffff8800badbd920: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[Tue Jan 19 18:27:29 2021] Object ffff8800badbd930: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[Tue Jan 19 18:27:29 2021] Object ffff8800badbd940: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[Tue Jan 19 18:27:29 2021] Object ffff8800badbd950: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[Tue Jan 19 18:27:29 2021] Object ffff8800badbd960: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[Tue Jan 19 18:27:29 2021] Object ffff8800badbd970: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[Tue Jan 19 18:27:29 2021] Object ffff8800badbd980: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[Tue Jan 19 18:27:29 2021] Redzone ffff8800badbd990: cc cc cc cc cc cc cc cc                          ........
[Tue Jan 19 18:27:29 2021] Padding ffff8800badbdad0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
[Tue Jan 19 18:27:29 2021] CPU: 0 PID: 100870 Comm: insmod Tainted: G    B      OE   4.4.252 #1
[Tue Jan 19 18:27:29 2021] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
[Tue Jan 19 18:27:29 2021]  0000000000000000 41692362580668d4 ffff8800a1287898 ffffffff82988c2f
[Tue Jan 19 18:27:29 2021]  ffff88011840f580 ffff8800badbd910 ffff8800a12878c8 ffffffff81585cc9
[Tue Jan 19 18:27:29 2021]  ffff88011840f580 ffffea0002eb6e00 ffff8800badbd910 0000000000000001
[Tue Jan 19 18:27:29 2021] Call Trace:
[Tue Jan 19 18:27:29 2021]  [] dump_stack+0x6d/0x8b
[Tue Jan 19 18:27:29 2021]  [] print_trailer+0xf9/0x150
[Tue Jan 19 18:27:29 2021]  [] object_err+0x34/0x40
[Tue Jan 19 18:27:29 2021]  [] kasan_report.part.2+0x21d/0x520
[Tue Jan 19 18:27:29 2021]  [] ? test_init+0xa2/0x1000 [my_test_lkm]
[Tue Jan 19 18:27:29 2021]  [] ? kmem_cache_alloc_trace+0x120/0x2e0
[Tue Jan 19 18:27:29 2021]  [] ? 0xffffffffc0a50000
[Tue Jan 19 18:27:29 2021]  [] __asan_report_store1_noabort+0x31/0x40
[Tue Jan 19 18:27:29 2021]  [] test_init+0xa2/0x1000 [my_test_lkm]
[Tue Jan 19 18:27:29 2021]  [] do_one_initcall+0x143/0x300
[Tue Jan 19 18:27:29 2021]  [] ? try_to_run_init_process+0x40/0x40
[Tue Jan 19 18:27:29 2021]  [] ? kasan_unpoison_shadow+0x36/0x50
[Tue Jan 19 18:27:29 2021]  [] ? kasan_unpoison_shadow+0x36/0x50
[Tue Jan 19 18:27:29 2021]  [] ? kasan_kmalloc+0x5e/0x70
[Tue Jan 19 18:27:29 2021]  [] ? kasan_unpoison_shadow+0x36/0x50
[Tue Jan 19 18:27:29 2021]  [] ? __asan_register_globals+0x87/0xa0
[Tue Jan 19 18:27:29 2021]  [] do_init_module+0x1d9/0x4de
[Tue Jan 19 18:27:29 2021]  [] load_module+0x6a4f/0xa160
[Tue Jan 19 18:27:29 2021]  [] ? m_show+0x4b0/0x4b0
[Tue Jan 19 18:27:29 2021]  [] ? module_frob_arch_sections+0x20/0x20
[Tue Jan 19 18:27:29 2021]  [] ? kernel_read+0xeb/0x1a0
[Tue Jan 19 18:27:29 2021]  [] ? open_exec+0x50/0x50
[Tue Jan 19 18:27:29 2021]  [] ? copy_module_from_fd.isra.50+0x1dd/0x2f0
[Tue Jan 19 18:27:29 2021]  [] SYSC_finit_module+0x126/0x160
[Tue Jan 19 18:27:29 2021]  [] ? SYSC_init_module+0x210/0x210
[Tue Jan 19 18:27:29 2021]  [] SyS_finit_module+0xe/0x10
[Tue Jan 19 18:27:29 2021]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[Tue Jan 19 18:27:29 2021] Memory state around the buggy address:
[Tue Jan 19 18:27:29 2021]  ffff8800badbd880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[Tue Jan 19 18:27:29 2021]  ffff8800badbd900: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[Tue Jan 19 18:27:29 2021] >ffff8800badbd980: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[Tue Jan 19 18:27:29 2021]                       ^
[Tue Jan 19 18:27:29 2021]  ffff8800badbda00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[Tue Jan 19 18:27:29 2021]  ffff8800badbda80: fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00
[Tue Jan 19 18:27:29 2021] ==================================================================
[Tue Jan 19 18:27:29 2021] ptr[size] address: ffff8800badbd98c
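The most useful part of that report is the "Memory state around the buggy address" block: it is KASan's shadow memory, one byte per 8-byte granule of kernel memory, and the arithmetic in it explains exactly why the write was caught. The program below is an added example and not code from the original post. It transcribes the five shadow rows from the dmesg output above and applies the generic-KASan rules this kernel uses (00 = all 8 bytes addressable; 01..07 = only that many leading bytes addressable; values with the top bit set are poison, fc being KASAN_KMALLOC_REDZONE in mm/kasan/kasan.h). Nothing is read from a running kernel, so it builds and runs as ordinary user-space C.

```c
/* Added example, not from the original post: decode the shadow rows of the
 * KASAN report above and reproduce its verdict for the module's access. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRANULE   8                 /* KASAN_SHADOW_SCALE_SIZE */
#define ROW_BYTES (16 * GRANULE)    /* one report row = 16 shadow bytes = 128 bytes of memory */

struct shadow_row {
    uint64_t base;       /* first kernel address the row describes */
    uint8_t  shadow[16]; /* one shadow byte per 8-byte granule */
};

/* The five rows printed under "Memory state around the buggy address". */
static const struct shadow_row rows[] = {
    { 0xffff8800badbd880ULL, { 0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,
                               0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc } },
    { 0xffff8800badbd900ULL, { 0xfc,0xfc,0x00,0x00,0x00,0x00,0x00,0x00,
                               0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } },
    { 0xffff8800badbd980ULL, { 0x00,0x04,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,
                               0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc } },
    { 0xffff8800badbda00ULL, { 0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,
                               0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc } },
    { 0xffff8800badbda80ULL, { 0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,
                               0xfc,0xfc,0xfc,0x00,0x00,0x00,0x00,0x00 } },
};
#define NROWS (sizeof rows / sizeof rows[0])

/* Shadow byte covering addr, or -1 if none of the transcribed rows covers it. */
int shadow_of(uint64_t addr)
{
    for (size_t i = 0; i < NROWS; i++)
        if (addr >= rows[i].base && addr < rows[i].base + ROW_BYTES)
            return rows[i].shadow[(addr - rows[i].base) / GRANULE];
    return -1;
}

/* The decision the kernel makes for a one-byte access (memory_is_poisoned_1):
 * 1 if the access would be reported, 0 if it is allowed.  Addresses outside
 * the transcribed rows count as poisoned so they can never "pass" silently. */
int byte_is_poisoned(uint64_t addr)
{
    int s = shadow_of(addr);
    if (s < 0)     return 1;   /* not covered by the report */
    if (s == 0)    return 0;   /* whole granule addressable */
    if (s >= 0x80) return 1;   /* negative as s8: redzone / freed / unmapped */
    return (int)(addr & (GRANULE - 1)) >= s;  /* partial granule: offsets 0..s-1 are fine */
}

/* First poisoned address in [start, end), or 0 if every byte is addressable. */
uint64_t first_poisoned_in(uint64_t start, uint64_t end)
{
    for (uint64_t a = start; a < end; a++)
        if (byte_is_poisoned(a))
            return a;
    return 0;
}

/* Addressable bytes starting at obj: the kmalloc() request size, not the
 * 128-byte slab object size, because KASan poisons the unused tail. */
size_t addressable_bytes_from(uint64_t obj)
{
    size_t n = 0;
    while (!byte_is_poisoned(obj + n))
        n++;
    return n;
}

int main(void)
{
    uint64_t ptr = 0xffff8800badbd910ULL;   /* "ptr address" from the report */
    size_t size = 124;                      /* the module's kmalloc() size */

    printf("addressable bytes from ptr: %zu\n", addressable_bytes_from(ptr));
    printf("ptr[%zu] = %llx, poisoned: %d\n", size,
           (unsigned long long)(ptr + size), byte_is_poisoned(ptr + size));
    printf("first poisoned byte after ptr: %llx\n",
           (unsigned long long)first_poisoned_in(ptr, ptr + 256));
    return 0;
}
```

Running it reproduces the report: fifteen 00 granules plus one 04 give 124 addressable bytes from ptr, and ptr + 124 = ffff8800badbd98c is offset 4 inside the granule whose shadow is 04, so it is the first poisoned byte and exactly the address the report names. Note that d98c still lies inside the 128-byte slab object (the "BUG kmalloc-128" line); the write is caught anyway because KASan poisons the object's tail beyond the requested size, which is why a plain slab debugger would have missed this one-byte overrun.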

Done.
