Lines Matching +full:pre +full:- +full:verified
1 .. SPDX-License-Identifier: GPL-2.0
8 --------
11 designed to find out-of-bounds and use-after-free bugs.
16 2. Software Tag-Based KASAN
17 3. Hardware Tag-Based KASAN
23 Software Tag-Based KASAN or SW_TAGS KASAN, enabled with CONFIG_KASAN_SW_TAGS,
26 using it for testing on memory-restricted devices with real workloads.
28 Hardware Tag-Based KASAN or HW_TAGS KASAN, enabled with CONFIG_KASAN_HW_TAGS,
29 is the mode intended to be used as an in-field memory bug detector or as a
37 The Generic and the Software Tag-Based modes are commonly referred to as the
38 software modes. The Software Tag-Based and the Hardware Tag-Based modes are
39 referred to as the tag-based modes.
42 -------
48 and loongarch, and the tag-based KASAN modes are supported only on arm64.
53 Software KASAN modes use compile-time instrumentation to insert validity checks
55 support for that. The Hardware Tag-Based mode relies on hardware to perform
62 Software Tag-Based KASAN requires GCC 11+
65 Hardware Tag-Based KASAN requires GCC 10+ or Clang 12+.
73 Software Tag-Based KASAN supports slab, page_alloc, vmalloc, and stack memory.
75 Hardware Tag-Based KASAN supports slab, page_alloc, and non-executable vmalloc
79 Hardware Tag-Based KASAN only supports SLUB.
82 -----
89 ``CONFIG_KASAN_SW_TAGS`` (to enable Software Tag-Based KASAN), and
90 ``CONFIG_KASAN_HW_TAGS`` (to enable Hardware Tag-Based KASAN).
113 - ``kasan.fault=report``, ``=panic``, or ``=panic_on_write`` controls whether
117 Hardware Tag-Based KASAN, ``kasan.fault=panic_on_write`` always panics on
120 Software and Hardware Tag-Based KASAN modes (see the section about various
123 - ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
125 - ``kasan.stack_ring_size=<number of entries>`` specifies the number of entries
128 Hardware Tag-Based KASAN mode is intended for use in production as a security
132 - ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
134 - ``kasan.mode=sync``, ``=async`` or ``=asymm`` controls whether KASAN
146 - ``kasan.vmalloc=off`` or ``=on`` disables or enables tagging of vmalloc
149 - ``kasan.page_alloc.sample=<sampling interval>`` makes KASAN tag only every
155 Note that enabling this parameter makes Hardware Tag-Based KASAN skip checks
159 - ``kasan.page_alloc.sample.order=<minimum page order>`` specifies the minimum
172 BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xa8/0xbc [kasan_test]
175 CPU: 1 PID: 2760 Comm: insmod Not tainted 4.19.0-rc3+ #698
176 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
223 which belongs to the cache kmalloc-128 of size 128
225 128-byte region [ffff8801f44ec300, ffff8801f44ec380)
245 and a stack trace of where the object was freed (in case of a use-after-free
260 bytes are accessible, and other (8 - N) bytes are not; any negative value
261 indicates that the entire 8-byte word is inaccessible. KASAN uses different
268 For tag-based KASAN modes, this last report section shows the memory tags around
271 Note that KASAN bug titles (like ``slab-out-of-bounds`` or ``use-after-free``)
272 are best-effort: KASAN prints the most probable bug type based on the limited
302 ----------------------
308 safe to access and use compile-time instrumentation to insert shadow memory
326 Compile-time instrumentation is used to insert memory access checks. Compiler
333 enlarges the kernel, but it gives an x1.1-x2 performance boost over the
334 outline-instrumented kernel.
339 Software Tag-Based KASAN
342 Software Tag-Based KASAN uses a software memory tagging approach to checking
345 Software Tag-Based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
347 to store memory tags associated with each 16-byte memory cell (therefore, it
350 On each memory allocation, Software Tag-Based KASAN generates a random tag, tags
354 Software Tag-Based KASAN uses compile-time instrumentation to insert checks
357 this memory. In case of a tag mismatch, Software Tag-Based KASAN prints a bug
360 Software Tag-Based KASAN also has two instrumentation modes (outline, which
367 Software Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
371 Hardware Tag-Based KASAN
374 Hardware Tag-Based KASAN is similar to the software mode in concept but uses
378 Hardware Tag-Based KASAN is currently only implemented for arm64 architecture
388 Hardware Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
392 If the hardware does not support MTE (pre ARMv8.5), Hardware Tag-Based KASAN
395 Note that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being
399 Hardware Tag-Based KASAN only reports the first found bug. After that, MTE tag
403 -------------
418 other areas - such as vmalloc and vmemmap space - a single read-only
419 page is mapped over the shadow area. This read-only shadow page
428 lives in vmalloc space, it will be shadowed by the read-only page, and
459 This will require changes in arch-specific code.
465 --------------
482 - For a single file (e.g., main.o)::
486 - For all files in one directory::
490 For software KASAN modes, to disable instrumentation on a per-function basis,
491 use the KASAN-specific ``__no_sanitize_address`` function attribute or the
494 Note that disabling compiler instrumentation (either on a per-file or a
495 per-function basis) makes KASAN ignore the accesses that happen directly in
498 Tag-Based KASAN, which does not use compiler instrumentation.
505 For tag-based KASAN modes, to disable access checking, use
508 restoring the per-page KASAN tag via ``page_kasan_tag``/``page_kasan_tag_set``.
517 ``CONFIG_KASAN_KUNIT_TEST``. These tests can be run and partially verified
522 only be verified manually by loading the kernel module and inspecting the
525 Each KUnit-compatible KASAN test prints one of multiple KASAN reports if an
530 ok 28 - kmalloc_double_kzfree
536 not ok 5 - kmalloc_large_oob_right
542 not ok 28 - kmalloc_double_kzfree
547 ok 1 - kasan
551 not ok 1 - kasan
553 There are a few ways to run KUnit-compatible KASAN tests.
557 With ``CONFIG_KUNIT`` enabled, KASAN-KUnit tests can be built as a loadable
560 2. Built-In
562 With ``CONFIG_KUNIT`` built-in, KASAN-KUnit tests can be built-in as well.
563 In this case, the tests will run at boot as a late-init call.
567 With ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KUNIT_TEST`` built-in, it is also
570 See `KUnit documentation <https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html>`_
571 for more up-to-date information on ``kunit_tool``.
573 .. _KUnit: https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html