1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright (C) 2023, Google LLC.
3
4 Kernel Address Sanitizer (KASAN)
5 ================================
6
7 Overview
8 --------
9
10 Kernel Address Sanitizer (KASAN) is a dynamic
11 designed to find out-of-bounds and use-after-f
12
13 KASAN has three modes:
14
15 1. Generic KASAN
16 2. Software Tag-Based KASAN
17 3. Hardware Tag-Based KASAN
18
19 Generic KASAN, enabled with CONFIG_KASAN_GENER
20 debugging, similar to userspace ASan. This mod
21 architectures, but it has significant performa
22
23 Software Tag-Based KASAN or SW_TAGS KASAN, ena
24 can be used for both debugging and dogfood tes
25 This mode is only supported for arm64, but its
26 using it for testing on memory-restricted devi
27
28 Hardware Tag-Based KASAN or HW_TAGS KASAN, ena
29 is the mode intended to be used as an in-field
30 security mitigation. This mode only works on a
31 (Memory Tagging Extension), but it has low mem
32 thus can be used in production.
33
34 For details about the memory and performance i
35 descriptions of the corresponding Kconfig opti
36
37 The Generic and the Software Tag-Based modes a
38 software modes. The Software Tag-Based and the
39 referred to as the tag-based modes.
40
41 Support
42 -------
43
44 Architectures
45 ~~~~~~~~~~~~~
46
47 Generic KASAN is supported on x86_64, arm, arm
48 and loongarch, and the tag-based KASAN modes a
49
50 Compilers
51 ~~~~~~~~~
52
53 Software KASAN modes use compile-time instrume
54 before every memory access and thus require a
55 support for that. The Hardware Tag-Based mode
56 these checks but still requires a compiler ver
57 tagging instructions.
58
59 Generic KASAN requires GCC version 8.3.0 or la
60 or any Clang version supported by the kernel.
61
62 Software Tag-Based KASAN requires GCC 11+
63 or any Clang version supported by the kernel.
64
65 Hardware Tag-Based KASAN requires GCC 10+ or C
66
67 Memory types
68 ~~~~~~~~~~~~
69
70 Generic KASAN supports finding bugs in all of
71 stack, and global memory.
72
73 Software Tag-Based KASAN supports slab, page_a
74
75 Hardware Tag-Based KASAN supports slab, page_a
76 memory.
77
78 For slab, both software KASAN modes support SL
79 Hardware Tag-Based KASAN only supports SLUB.
80
81 Usage
82 -----
83
84 To enable KASAN, configure the kernel with::
85
86 CONFIG_KASAN=y
87
88 and choose between ``CONFIG_KASAN_GENERIC`` (t
89 ``CONFIG_KASAN_SW_TAGS`` (to enable Software T
90 ``CONFIG_KASAN_HW_TAGS`` (to enable Hardware T
91
92 For the software modes, also choose between ``
93 ``CONFIG_KASAN_INLINE``. Outline and inline ar
94 The former produces a smaller binary while the
95
96 To include alloc and free stack traces of affe
97 enable ``CONFIG_STACKTRACE``. To include alloc
98 physical pages, enable ``CONFIG_PAGE_OWNER`` a
99
100 Boot parameters
101 ~~~~~~~~~~~~~~~
102
103 KASAN is affected by the generic ``panic_on_wa
104 When it is enabled, KASAN panics the kernel af
105
106 By default, KASAN prints a bug report only for
107 With ``kasan_multi_shot``, KASAN prints a repo
108 effectively disables ``panic_on_warn`` for KAS
109
110 Alternatively, independent of ``panic_on_warn`
111 parameter can be used to control panic and rep
112
113 - ``kasan.fault=report``, ``=panic``, or ``=pa
114 to only print a KASAN report, panic the kern
115 invalid writes only (default: ``report``). T
116 ``kasan_multi_shot`` is enabled. Note that w
117 Hardware Tag-Based KASAN, ``kasan.fault=pani
118 asynchronously checked accesses (including r
119
120 Software and Hardware Tag-Based KASAN modes (s
121 modes below) support altering stack trace coll
122
123 - ``kasan.stacktrace=off`` or ``=on`` disables
124 traces collection (default: ``on``).
125 - ``kasan.stack_ring_size=<number of entries>`
126 in the stack ring (default: ``32768``).
127
128 Hardware Tag-Based KASAN mode is intended for
129 mitigation. Therefore, it supports additional
130 disabling KASAN altogether or controlling its
131
132 - ``kasan=off`` or ``=on`` controls whether KA
133
134 - ``kasan.mode=sync``, ``=async`` or ``=asymm`
135 is configured in synchronous, asynchronous o
136 execution (default: ``sync``).
137 Synchronous mode: a bad access is detected i
138 check fault occurs.
139 Asynchronous mode: a bad access detection is
140 fault occurs, the information is stored in h
141 register for arm64). The kernel periodically
142 only reports tag faults during these checks.
143 Asymmetric mode: a bad access is detected sy
144 asynchronously on writes.
145
146 - ``kasan.vmalloc=off`` or ``=on`` disables or
147 allocations (default: ``on``).
148
149 - ``kasan.page_alloc.sample=<sampling interval
150 Nth page_alloc allocation with the order equ
151 ``kasan.page_alloc.sample.order``, where N i
152 parameter (default: ``1``, or tag every such
153 This parameter is intended to mitigate the p
154 by KASAN.
155 Note that enabling this parameter makes Hard
156 of allocations chosen by sampling and thus m
157 allocations. Use the default value for accur
158
159 - ``kasan.page_alloc.sample.order=<minimum pag
160 order of allocations that are affected by sa
161 Only applies when ``kasan.page_alloc.sample`
162 than ``1``.
163 This parameter is intended to allow sampling
164 allocations, which is the biggest source of
165
166 Error reports
167 ~~~~~~~~~~~~~
168
169 A typical KASAN report looks like this::
170
171 ==========================================
172 BUG: KASAN: slab-out-of-bounds in kmalloc_
173 Write of size 1 at addr ffff8801f44ec37b b
174
175 CPU: 1 PID: 2760 Comm: insmod Not tainted
176 Hardware name: QEMU Standard PC (i440FX +
177 Call Trace:
178 dump_stack+0x94/0xd8
179 print_address_description+0x73/0x280
180 kasan_report+0x144/0x187
181 __asan_report_store1_noabort+0x17/0x20
182 kmalloc_oob_right+0xa8/0xbc [kasan_test]
183 kmalloc_tests_init+0x16/0x700 [kasan_test
184 do_one_initcall+0xa5/0x3ae
185 do_init_module+0x1b6/0x547
186 load_module+0x75df/0x8070
187 __do_sys_init_module+0x1c6/0x200
188 __x64_sys_init_module+0x6e/0xb0
189 do_syscall_64+0x9f/0x2c0
190 entry_SYSCALL_64_after_hwframe+0x44/0xa9
191 RIP: 0033:0x7f96443109da
192 RSP: 002b:00007ffcf0b51b08 EFLAGS: 0000020
193 RAX: ffffffffffffffda RBX: 000055dc3ee521a
194 RDX: 00007f96445cff88 RSI: 0000000000057a5
195 RBP: 000055dc3ee510b0 R08: 000000000000000
196 R10: 00007f964430cd0a R11: 000000000000020
197 R13: 000055dc3ee51090 R14: 000000000000000
198
199 Allocated by task 2760:
200 save_stack+0x43/0xd0
201 kasan_kmalloc+0xa7/0xd0
202 kmem_cache_alloc_trace+0xe1/0x1b0
203 kmalloc_oob_right+0x56/0xbc [kasan_test]
204 kmalloc_tests_init+0x16/0x700 [kasan_test
205 do_one_initcall+0xa5/0x3ae
206 do_init_module+0x1b6/0x547
207 load_module+0x75df/0x8070
208 __do_sys_init_module+0x1c6/0x200
209 __x64_sys_init_module+0x6e/0xb0
210 do_syscall_64+0x9f/0x2c0
211 entry_SYSCALL_64_after_hwframe+0x44/0xa9
212
213 Freed by task 815:
214 save_stack+0x43/0xd0
215 __kasan_slab_free+0x135/0x190
216 kasan_slab_free+0xe/0x10
217 kfree+0x93/0x1a0
218 umh_complete+0x6a/0xa0
219 call_usermodehelper_exec_async+0x4c3/0x64
220 ret_from_fork+0x35/0x40
221
222 The buggy address belongs to the object at
223 which belongs to the cache kmalloc-128 of
224 The buggy address is located 123 bytes ins
225 128-byte region [ffff8801f44ec300, ffff88
226 The buggy address belongs to the page:
227 page:ffffea0007d13b00 count:1 mapcount:0 m
228 flags: 0x200000000000100(slab)
229 raw: 0200000000000100 ffffea0007d11dc0 000
230 raw: 0000000000000000 0000000080150015 000
231 page dumped because: kasan: bad access det
232
233 Memory state around the buggy address:
234 ffff8801f44ec200: fc fc fc fc fc fc fc fc
235 ffff8801f44ec280: fb fb fb fb fb fb fb fb
236 >ffff8801f44ec300: 00 00 00 00 00 00 00 00
237
238 ffff8801f44ec380: fc fc fc fc fc fc fc fc
239 ffff8801f44ec400: fb fb fb fb fb fb fb fb
240 ==========================================
241
242 The report header summarizes what kind of bug
243 caused it. It is followed by a stack trace of
244 where the accessed memory was allocated (in ca
245 and a stack trace of where the object was free
246 bug report). Next comes a description of the a
247 information about the accessed memory page.
248
249 In the end, the report shows the memory state
250 Internally, KASAN tracks memory state separate
251 is either 8 or 16 aligned bytes depending on K
252 memory state section of the report shows the s
253 granules that surround the accessed address.
254
255 For Generic KASAN, the size of each memory gra
256 granule is encoded in one shadow byte. Those 8
257 partially accessible, freed, or be a part of a
258 encoding for each shadow byte: 00 means that a
259 memory region are accessible; number N (1 <= N
260 bytes are accessible, and other (8 - N) bytes
261 indicates that the entire 8-byte word is inacc
262 negative values to distinguish between differe
263 like redzones or freed memory (see mm/kasan/ka
264
265 In the report above, the arrow points to the s
266 that the accessed address is partially accessi
267
268 For tag-based KASAN modes, this last report se
269 the accessed address (see the `Implementation
270
271 Note that KASAN bug titles (like ``slab-out-of
272 are best-effort: KASAN prints the most probabl
273 information it has. The actual type of the bug
274
275 Generic KASAN also reports up to two auxiliary
276 traces point to places in code that interacted
277 directly present in the bad access stack trace
278 call_rcu() and workqueue queuing.
279
280 CONFIG_KASAN_EXTRA_INFO
281 ~~~~~~~~~~~~~~~~~~~~~~~
282
283 Enabling CONFIG_KASAN_EXTRA_INFO allows KASAN
284 information. The extra information currently s
285 timestamp at allocation and free. More informa
286 the bug and correlate the error with other sys
287 extra memory to record more information (more
288 CONFIG_KASAN_EXTRA_INFO).
289
290 Here is the report with CONFIG_KASAN_EXTRA_INF
291 different parts are shown)::
292
293 ==========================================
294 ...
295 Allocated by task 134 on cpu 5 at 229.1338
296 ...
297 Freed by task 136 on cpu 3 at 230.199335s:
298 ...
299 ==========================================
300
301 Implementation details
302 ----------------------
303
304 Generic KASAN
305 ~~~~~~~~~~~~~
306
307 Software KASAN modes use shadow memory to reco
308 safe to access and use compile-time instrument
309 checks before each memory access.
310
311 Generic KASAN dedicates 1/8th of kernel memory
312 to cover 128TB on x86_64) and uses direct mapp
313 translate a memory address to its correspondin
314
315 Here is the function which translates an addre
316 address::
317
318 static inline void *kasan_mem_to_shadow(co
319 {
320 return (void *)((unsigned long)addr >>
321 + KASAN_SHADOW_OFFSET;
322 }
323
324 where ``KASAN_SHADOW_SCALE_SHIFT = 3``.
325
326 Compile-time instrumentation is used to insert
327 inserts function calls (``__asan_load*(addr)``
328 each memory access of size 1, 2, 4, 8, or 16.
329 memory accesses are valid or not by checking c
330
331 With inline instrumentation, instead of making
332 directly inserts the code to check shadow memo
333 enlarges the kernel, but it gives an x1.1-x2 p
334 outline-instrumented kernel.
335
336 Generic KASAN is the only mode that delays the
337 quarantine (see mm/kasan/quarantine.c for impl
338
339 Software Tag-Based KASAN
340 ~~~~~~~~~~~~~~~~~~~~~~~~
341
342 Software Tag-Based KASAN uses a software memor
343 access validity. It is currently only implemen
344
345 Software Tag-Based KASAN uses the Top Byte Ign
346 to store a pointer tag in the top byte of kern
347 to store memory tags associated with each 16-b
348 dedicates 1/16th of the kernel memory for shad
349
350 On each memory allocation, Software Tag-Based
351 the allocated memory with this tag, and embeds
352 pointer.
353
354 Software Tag-Based KASAN uses compile-time ins
355 before each memory access. These checks make s
356 that is being accessed is equal to the tag of
357 this memory. In case of a tag mismatch, Softwa
358 report.
359
360 Software Tag-Based KASAN also has two instrume
361 emits callbacks to check memory accesses; and
362 memory checks inline). With outline instrument
363 printed from the function that performs the ac
364 instrumentation, a ``brk`` instruction is emit
365 dedicated ``brk`` handler is used to print bug
366
367 Software Tag-Based KASAN uses 0xFF as a match-
368 pointers with the 0xFF pointer tag are not che
369 reserved to tag freed memory regions.
370
371 Hardware Tag-Based KASAN
372 ~~~~~~~~~~~~~~~~~~~~~~~~
373
374 Hardware Tag-Based KASAN is similar to the sof
375 hardware memory tagging support instead of com
376 shadow memory.
377
378 Hardware Tag-Based KASAN is currently only imp
379 and based on both arm64 Memory Tagging Extensi
380 Instruction Set Architecture and Top Byte Igno
381
382 Special arm64 instructions are used to assign
383 Same tags are assigned to pointers to those al
384 access, hardware makes sure that the tag of th
385 equal to the tag of the pointer that is used t
386 tag mismatch, a fault is generated, and a repo
387
388 Hardware Tag-Based KASAN uses 0xFF as a match-
389 pointers with the 0xFF pointer tag are not che
390 reserved to tag freed memory regions.
391
392 If the hardware does not support MTE (pre ARMv
393 will not be enabled. In this case, all KASAN b
394
395 Note that enabling CONFIG_KASAN_HW_TAGS always
396 enabled. Even when ``kasan.mode=off`` is provi
397 support MTE (but supports TBI).
398
399 Hardware Tag-Based KASAN only reports the firs
400 checking gets disabled.
401
402 Shadow memory
403 -------------
404
405 The contents of this section are only applicab
406
407 The kernel maps memory in several different pa
408 The range of kernel virtual addresses is large
409 memory to support a real shadow region for eve
410 accessed by the kernel. Therefore, KASAN only
411 parts of the address space.
412
413 Default behaviour
414 ~~~~~~~~~~~~~~~~~
415
416 By default, architectures only map real memory
417 for the linear mapping (and potentially other
418 other areas - such as vmalloc and vmemmap spac
419 page is mapped over the shadow area. This read
420 declares all memory accesses as permitted.
421
422 This presents a problem for modules: they do n
423 mapping but in a dedicated module space. By ho
424 allocator, KASAN temporarily maps real shadow
425 This allows detection of invalid accesses to m
426
427 This also creates an incompatibility with ``VM
428 lives in vmalloc space, it will be shadowed by
429 the kernel will fault when trying to set up th
430 variables.
431
432 CONFIG_KASAN_VMALLOC
433 ~~~~~~~~~~~~~~~~~~~~
434
435 With ``CONFIG_KASAN_VMALLOC``, KASAN can cover
436 cost of greater memory usage. Currently, this
437 arm64, riscv, s390, and powerpc.
438
439 This works by hooking into vmalloc and vmap an
440 allocating real shadow memory to back the mapp
441
442 Most mappings in vmalloc space are small, requ
443 page of shadow space. Allocating a full shadow
444 therefore be wasteful. Furthermore, to ensure
445 use different shadow pages, mappings would hav
446 ``KASAN_GRANULE_SIZE * PAGE_SIZE``.
447
448 Instead, KASAN shares backing space across mul
449 a backing page when a mapping in vmalloc space
450 of the shadow region. This page can be shared
451 mappings later on.
452
453 KASAN hooks into the vmap infrastructure to la
454 memory.
455
456 To avoid the difficulties around swapping mapp
457 that the part of the shadow region that covers
458 not be covered by the early shadow page but wi
459 This will require changes in arch-specific cod
460
461 This allows ``VMAP_STACK`` support on x86 and
462 architectures that do not have a fixed module
463
464 For developers
465 --------------
466
467 Ignoring accesses
468 ~~~~~~~~~~~~~~~~~
469
470 Software KASAN modes use compiler instrumentat
471 Such instrumentation might be incompatible wit
472 therefore needs to be disabled.
473
474 Other parts of the kernel might access metadat
475 Normally, KASAN detects and reports such acces
476 in memory allocators), these accesses are vali
477
478 For software KASAN modes, to disable instrumen
479 directory, add a ``KASAN_SANITIZE`` annotation
480 Makefile:
481
482 - For a single file (e.g., main.o)::
483
484 KASAN_SANITIZE_main.o := n
485
486 - For all files in one directory::
487
488 KASAN_SANITIZE := n
489
490 For software KASAN modes, to disable instrumen
491 use the KASAN-specific ``__no_sanitize_address
492 generic ``noinstr`` one.
493
494 Note that disabling compiler instrumentation (
495 per-function basis) makes KASAN ignore the acc
496 that code for software KASAN modes. It does no
497 indirectly (through calls to instrumented func
498 Tag-Based KASAN, which does not use compiler i
499
500 For software KASAN modes, to disable KASAN rep
501 for the current task, annotate this part of th
502 ``kasan_disable_current()``/``kasan_enable_cur
503 disables the reports for indirect accesses tha
504
505 For tag-based KASAN modes, to disable access c
506 ``kasan_reset_tag()`` or ``page_kasan_tag_rese
507 disabling access checking via ``page_kasan_tag
508 restoring the per-page KASAN tag via ``page_ka
509
510 Tests
511 ~~~~~
512
513 There are KASAN tests that allow verifying tha
514 certain types of memory corruptions. The tests
515
516 1. Tests that are integrated with the KUnit Te
517 ``CONFIG_KASAN_KUNIT_TEST``. These tests can b
518 automatically in a few different ways; see the
519
520 2. Tests that are currently incompatible with
521 ``CONFIG_KASAN_MODULE_TEST`` and can only be r
522 only be verified manually by loading the kerne
523 kernel log for KASAN reports.
524
525 Each KUnit-compatible KASAN test prints one of
526 error is detected. Then the test prints its nu
527
528 When a test passes::
529
530 ok 28 - kmalloc_double_kzfree
531
532 When a test fails due to a failed ``kmalloc``:
533
534 # kmalloc_large_oob_right: ASSERTION F
535 Expected ptr is not null, but is
536 not ok 5 - kmalloc_large_oob_right
537
538 When a test fails due to a missing KASAN repor
539
540 # kmalloc_double_kzfree: EXPECTATION F
541 KASAN failure expected in "kfree_sensi
542 not ok 28 - kmalloc_double_kzfree
543
544
545 At the end the cumulative status of all KASAN
546
547 ok 1 - kasan
548
549 Or, if one of the tests failed::
550
551 not ok 1 - kasan
552
553 There are a few ways to run KUnit-compatible K
554
555 1. Loadable module
556
557 With ``CONFIG_KUNIT`` enabled, KASAN-KUnit
558 module and run by loading ``kasan_test.ko``
559
560 2. Built-In
561
562 With ``CONFIG_KUNIT`` built-in, KASAN-KUnit
563 In this case, the tests will run at boot as
564
565 3. Using kunit_tool
566
567 With ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KU
568 possible to use ``kunit_tool`` to see the r
569 readable way. This will not print the KASAN
570 See `KUnit documentation <https://www.kerne
571 for more up-to-date information on ``kunit_
572
573 .. _KUnit: https://www.kernel.org/doc/html/lat
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.