Linux内核中使用内存检测

目录

一、slub内存检测

1、越界访问

2、释放后再访问

3、无效的释放

4、实验输出

二、KASAN 内存检测

1、数组越界

2、栈的越界访问

3、实验输出


一般的内存访问错误如下:

  • 越界访问
  • 访问已经释放的内存
  • 重复释放
  • 内存泄露
  • 栈溢出

在内核中提供了内存检测的工具slub与kasan,在开发时可以将检测的功能打开。

一、slub内存检测

在linux内核中,对于小块内存分配,大量使用slab/slub分配器,在内存访问中比较容易出错的地方如下:

  • 访问已经释放的内存
  • 越界访问
  • 重复释放

内核配置

CONFIG_SLUB=y

CONFIG_SLUB_DEBUG_ON=y

CONFIG_SLUB_STATS=y

使用的工具tools/vm/slabinfo    

1、越界访问

static noinline void __init kmalloc_pagealloc_oob_right(void)
{
        char *ptr;
        size_t size = KMALLOC_MAX_CACHE_SIZE + 10;

        /* Allocate a chunk that does not fit into a SLUB cache to trigger
         * the page allocator fallback.
         */
        pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        ptr[size] = 0;
        kfree(ptr);
}

2、释放后再访问

static noinline void __init kmalloc_pagealloc_uaf(void)
{
        char *ptr;
        size_t size = KMALLOC_MAX_CACHE_SIZE + 10;

        pr_info("kmalloc pagealloc allocation: use-after-free\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        kfree(ptr);
        ptr[0] = 0;
}

3、无效的释放

static noinline void __init kmalloc_pagealloc_invalid_free(void)
{
        char *ptr;
        size_t size = KMALLOC_MAX_CACHE_SIZE + 10;

        pr_info("kmalloc pagealloc allocation: invalid-free\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        kfree(ptr + 1);
}

4、实验输出

  • 内存越界访问Redzone overwritten、Object padding overwritten
  • 重复释放Object already free
  • 访问已释放内存为Posion overwritten
# insmod slub3.ko 
[  997.342740] :access free memory
benshushu:slub_test_3# [  997.436270] =============================================================================
[  997.437705] BUG kmalloc-128 (Tainted: G    B      OE    ): Redzone overwritten
[  997.438153] -----------------------------------------------------------------------------
[  997.438153] 
[  997.440009] INFO: 0x000000001c0937b9-0x0000000065391b57. First byte 0x55 instead of 0xcc
[  997.442519] INFO: Allocated in create_slub_error+0x30/0x94 [slub3] age=63120 cpu=1 pid=1602

有的时候需要使用slabinfo -v才能输出错误

slub_test# ./slabinfo -v
[ 1112.602383] =============================================================================
[ 1112.602945] BUG kmalloc-128 (Tainted: G    B      OE    ): Redzone overwritten
[ 1112.603254] -----------------------------------------------------------------------------
[ 1112.603254] 
[ 1112.603773] INFO: 0x00000000583020f8-0x00000000583020f8. First byte 0x55 instead of 0xcc
[ 1112.604214] INFO: Allocated in create_slub_error+0x34/0xdc [slub4] age=4071 cpu=0 pid=1687
[ 1112.604661] 	__slab_alloc+0x64/0xb0
[ 1112.604822] 	__kmalloc+0x558/0xee4
[ 1112.605002] 	create_slub_error+0x34/0xdc [slub4]

二、KASAN 内存检测

KASAN(Kernal Address SANtizer)在Linux4.0版本中合并到官方的内核。是动态检测内存错误的工具。可以检查内存越界和使用已经释放的内存等问题。KASAN比kmemcheck工具检测速度快。

内核配置

CONFIG_HAVE_ARCH_KASAN=y

CONFIG_KASAN=y

CONFIG_KASAN_OUTLINE=y

CONFIG_KASAN_INLINE=y

CONFIG_TEST_KASAN=m //编译test_kasan.ko测试模块

内核源码中的测试程序/lib/test_ksacn.c 

static int __init kmalloc_tests_init(void)
{
        /*
         * Temporarily enable multi-shot mode. Otherwise, we'd only get a
         * report for the first case.
         */
        bool multishot = kasan_save_enable_multi_shot();

        kmalloc_oob_right();
        kmalloc_oob_left();
        kmalloc_node_oob_right();
#ifdef CONFIG_SLUB
        kmalloc_pagealloc_oob_right();
        kmalloc_pagealloc_uaf();
        kmalloc_pagealloc_invalid_free();
#endif
        kmalloc_large_oob_right();
        kmalloc_oob_krealloc_more();
        kmalloc_oob_krealloc_less();
        kmalloc_oob_16();
        kmalloc_oob_in_memset();
        kmalloc_oob_memset_2();
        kmalloc_oob_memset_4();
        kmalloc_oob_memset_8();
        kmalloc_oob_memset_16();
        kmalloc_uaf();
        kmalloc_uaf_memset();
        kmalloc_uaf2();
        kmem_cache_oob();
        memcg_accounted_kmem_cache();
        kasan_stack_oob();
        kasan_global_oob();
        kasan_alloca_oob_left();
        kasan_alloca_oob_right();
        ksize_unpoisons_memory();
        copy_user_test();
        use_after_scope_test();
        kmem_cache_double_free();
        kmem_cache_invalid_free();
        kasan_memchr();
        kasan_memcmp();
        kasan_strings();

        kasan_restore_multi_shot(multishot);

        return -EAGAIN;
}

从上选择其中两个解析

1、数组越界

static noinline void __init kmalloc_oob_right(void)
{
        char *ptr;
        size_t size = 123;

        pr_info("out-of-bounds to right\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        ptr[size] = 'x';
        kfree(ptr);
}

2、栈的越界访问

static noinline void __init kasan_stack_oob(void)
{
        char stack_array[10];
        volatile int i = 0;
        char *p = &stack_array[ARRAY_SIZE(stack_array) + i];

        pr_info("out-of-bounds on stack\n");
        *(volatile char *)p;
}

3、实验输出

1)在内核中同时开启ksasn与slub的检测的检测,内存错误优先被kasan检测到,如下所示:

slub_test_1# insmod slub1.ko 
[  744.870946] slub1: loading out-of-tree module taints kernel.
[  744.886482] slub1: module verification failed: signature and/or required key missing - tainting kernel
[  744.958499] module init
[  744.959688] ==================================================================
[  744.962726] BUG: KASAN: slab-out-of-bounds in create_slub_error+0x6c/0x78 [slub1]
[  744.963528] Write of size 130 at addr ffff800019ea1200 by task insmod/1602
[  744.964141] 
slub_test_2# insmod slub2.ko 
[  874.303487]  my module init
[  874.304834] ben:double free test
[  874.305266] ==================================================================
[  874.306672] BUG: KASAN: double-free or invalid-free in create_slub_error+0x98/0xa4 [slub2]
[  874.307269] 

2)将test_kasan.ko加载后,所有的打印输出有所缩减,把检测到的提示错误保留

slab-out-of-bounds, use-after-free,double-free or invalid-free,alloca-out-of-bounds

insmod test_kasan.ko 
[   96.717377] test_kasan: module verification failed: signature and/or required key missing - tainting kernel
[   96.788908] kasan test: kmalloc_oob_right out-of-bounds to right
[   96.790675] ==================================================================
[   96.794556] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xc8/0xe4 [test_kasan]
[   96.796122] Write of size 1 at addr ffff80001cebcffb by task insmod/569
[   96.796619] 
[   96.797727] CPU: 0 PID: 569 Comm: insmod Kdump: loaded Tainted: G            E     5.0.0+ #2
[   96.798290] Hardware name: linux,dummy-virt (DT)
[   96.799205] Call trace:
[   96.800667]  dump_backtrace+0x0/0x97c
[   96.801030]  show_stack+0x24/0x30
[   96.801283]  __dump_stack+0x20/0x2c
[   96.801673]  dump_stack+0x318/0x690
[   96.802003]  print_address_description+0x38/0x42c
[   96.802371]  kasan_report+0x194/0x1e8
[   96.802727]  __asan_report_store1_noabort+0x30/0x3c
[   96.803462]  kmalloc_oob_right+0xc8/0xe4 [test_kasan]
[   96.805821]  kmalloc_tests_init+0x14/0x640 [test_kasan]
[   96.806516]  do_one_initcall+0xc8c/0x1ca4
[   96.806802]  do_init_module+0x1d8/0x784
[   96.807130]  load_module+0x1210/0x1920
[   96.808033]  __se_sys_finit_module+0x1c8/0x224
[   96.808527]  __arm64_sys_finit_module+0xbc/0xc8
[   96.809137]  __invoke_syscall+0x24/0x2c
[   96.809389]  invoke_syscall+0xcc/0x128
[   96.809557]  el0_svc_common+0x1c4/0x2d0
[   96.809746]  el0_svc_handler+0x91c/0x960
[   96.809946]  el0_svc+0x8/0xc
[   96.810422] 
[   96.810770] Allocated by task 569:
[   96.811245]  __kasan_kmalloc+0x148/0x290
[   96.811886]  kasan_kmalloc+0x30/0x38
[   96.812672]  __kmalloc+0xea4/0xee4
[   96.813049]  kmalloc_oob_right+0x48/0xe4 [test_kasan]
[   96.813561]  kmalloc_tests_init+0x14/0x640 [test_kasan]
[   96.814003]  do_one_initcall+0xc8c/0x1ca4
[   96.814363]  do_init_module+0x1d8/0x784
[   96.814589]  load_module+0x1210/0x1920
[   96.814829]  __se_sys_finit_module+0x1c8/0x224
[   96.815093]  __arm64_sys_finit_module+0xbc/0xc8
[   96.816164]  __invoke_syscall+0x24/0x2c
[   96.816581]  invoke_syscall+0xcc/0x128
[   96.817567]  el0_svc_common+0x1c4/0x2d0
[   96.817836]  el0_svc_handler+0x91c/0x960
[   96.818363]  el0_svc+0x8/0xc
[   96.818832] 
[   96.819123] Freed by task 0:
[   96.820128] (stack is not available)
[   96.820582] 
[   96.820839] The buggy address belongs to the object at ffff80001cebcf80
[   96.820839]  which belongs to the cache kmalloc-128 of size 128
[   96.821736] The buggy address is located 123 bytes inside of
[   96.821736]  128-byte region [ffff80001cebcf80, ffff80001cebd000)
[   96.823027] The buggy address belongs to the page:
[   96.827418] page:ffff7e000073af00 count:1 mapcount:0 mapping:ffff800021c0c400 index:0xffff80001cebed80 compound_mapcount: 0
[   96.830608] flags: 0xffff00000010200(slab|head)
[   96.831566] raw: 0ffff00000010200 ffff7e0000752f08 ffff800021c03c90 ffff800021c0c400
[   96.833056] raw: ffff80001cebed80 0000000000190012 00000001ffffffff 0000000000000000
[   96.833864] page dumped because: kasan: bad access detected
[   96.834505] 
[   96.834866] Memory state around the buggy address:
[   96.836134]  ffff80001cebce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.837813]  ffff80001cebcf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.839023] >ffff80001cebcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03
[   96.840070]                                                                 ^
[   96.840943]  ffff80001cebd000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.841405]  ffff80001cebd080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.841988] ==================================================================
[   96.842481] Disabling lock debugging due to kernel taint
[   96.844009] kasan test: kmalloc_oob_left out-of-bounds to left
[   96.845114] ==================================================================
[   96.849223] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0xc0/0x134 [test_kasan]
[   96.850317] Read of size 1 at addr ffff80001cebed7f by task insmod/569
[   96.895962] ==================================================================
[   96.898866] kasan test: kmalloc_node_oob_right kmalloc_node(): out-of-bounds to right
[   96.902638] ==================================================================
[   96.905146] BUG: KASAN: slab-out-of-bounds in kmalloc_node_oob_right+0xd0/0xe8 [test_kasan]
[   96.906247] Write of size 1 at addr ffff800015826a80 by task insmod/569
[   96.907658] 
[   96.967853] ==================================================================
[   96.970577] kasan test: kmalloc_pagealloc_oob_right kmalloc pagealloc allocation: out-of-bounds to right
[   96.973391] ==================================================================
[   96.974297] BUG: KASAN: slab-out-of-bounds in kmalloc_pagealloc_oob_right+0xc8/0xe0 [test_kasan]
[   96.976085] Write of size 1 at addr ffff80001c0be00a by task insmod/569
[   97.009774] ==================================================================
[   97.013784] kasan test: kmalloc_pagealloc_uaf kmalloc pagealloc allocation: use-after-free
[   97.015457] ==================================================================
[   97.016937] BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0xc0/0xd0 [test_kasan]
[   97.018264] Write of size 1 at addr ffff80001c0bc000 by task insmod/569
[   97.021236] 
[   97.058048] ==================================================================
[   97.062012] kasan test: kmalloc_pagealloc_invalid_free kmalloc pagealloc allocation: invalid-free
[   97.063042] ==================================================================
[   97.064403] BUG: KASAN: double-free or invalid-free in kmalloc_pagealloc_invalid_free+0x78/0x80 [test_kasan]
[   97.563543] ==================================================================
[   97.565871] kasan test: kmalloc_oob_memset_16 out-of-bounds in memset16
[   97.566822] ==================================================================
[   97.567581] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_memset_16+0x80/0x90 [test_kasan]
[   97.568841] Write of size 16 at addr ffff80001d4bc081 by task insmod/569
[   97.618222] ==================================================================
[   97.620924] kasan test: kmalloc_uaf use-after-free
[   97.622887] ==================================================================
[   97.624507] BUG: KASAN: use-after-free in kmalloc_uaf+0xcc/0xe0 [test_kasan]
[   97.626212] Write of size 1 at addr ffff80001d4bc588 by task insmod/569
[   97.627438] 
[   97.672285] ==================================================================
[   97.673872] kasan test: kmalloc_uaf_memset use-after-free in memset
[   97.674501] ==================================================================
[   97.675046] BUG: KASAN: use-after-free in kmalloc_uaf_memset+0x84/0x8c [test_kasan]
[   97.675620] Write of size 33 at addr ffff80001d4bf500 by task insmod/569
[   97.676672] ==================================================================
[   98.023758] kasan test: memcg_accounted_kmem_cache allocate memcg accounted object
[   98.674484] kasan test: kasan_stack_oob out-of-bounds on stack
[   98.675223] ==================================================================
[   98.678286] BUG: KASAN: stack-out-of-bounds in kasan_stack_oob+0xf8/0x144 [test_kasan]
[   98.679094] Read of size 1 at addr ffff8000197df39a by task insmod/569
[   98.679522] [   98.735804] 
[   98.867912] ==================================================================
[   98.870386] kasan test: copy_user_test out-of-bounds in copy_from_user()
[   98.871485] ==================================================================
[   98.872960] BUG: KASAN: slab-out-of-bounds in copy_user_test+0x28c/0x8d8 [test_kasan]
[   98.874518] Write of size 11 at addr ffff80001c007000 by task insmod/569
[   98.875381][   98.932274] ==================================================================
[   98.934343] kasan test: copy_user_test out-of-bounds in copy_to_user()
[   98.935494] ==================================================================
[   98.936524] BUG: KASAN: slab-out-of-bounds in copy_user_test+0x500/0x8d8 [test_kasan]
[   98.937066] Read of size 11 at addr ffff80001c007000 by task insmod/569
[   98.938636][   98.993046] 
[   99.049702] ==================================================================
[   99.051988] kasan test: copy_user_test out-of-bounds in __copy_to_user()
[   99.052711] ==================================================================
[   99.054365] BUG: KASAN: slab-out-of-bounds in copy_user_test+0x67c/0x8d8 [test_kasan]
[   99.056035] Read of size 11 at addr ffff80001c007000 by task insmod/569
[   99.057768] 
[   99.297345] ==================================================================
[   99.303983] kasan test: use_after_scope_test use-after-scope on int
[   99.305426] kasan test: use_after_scope_test use-after-scope on array
[   99.319414] kasan test: kmem_cache_double_free double-free on heap object
[   99.321611] ==================================================================
[   99.322758] BUG: KASAN: double-free or invalid-free in kmem_cache_double_free+0xc4/0xd4 [test_kasan]
[   99.324030] 
[   99.718299] ==================================================================
[   99.719678] kasan test: kasan_memcmp out-of-bounds in memcmp
[   99.721512] ==================================================================
[   99.722675] BUG: KASAN: slab-out-of-bounds in memcmp+0x7c/0x138
[   99.723387] Read of size 1 at addr ffff80001d62b798 by task insmod/569
[   99.723956] 
[   99.808130] ==================================================================
[   99.810907] kasan test: kasan_strings use-after-free in strchr
[   99.812133] ==================================================================
[   99.812909] BUG: KASAN: use-after-free in strchr+0xd0/0xf4
[   99.813602] Read of size 1 at addr ffff80001d629c10 by task insmod/569
[   99.814186] 
[  100.231048] ==================================================================
[  100.232472] kasan test: kasan_strings use-after-free in strncmp
[  100.235615] ==================================================================
[  100.241922] BUG: KASAN: use-after-free in strncmp+0x74/0x148
[  100.243947] Read of size 1 at addr ffff80001d629c10 by task insmod/569
[  100.244851] 
[  100.293083]  ffff80001d629c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  100.293951]  ffff80001d629d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

你可能感兴趣的:(linux内核分析,linux内核调试与追踪,内存检测,kasan,slub,1024程序员节)