kasan.rst - OpenGrok cross reference for /Linux-v6.1/Documentation/dev-tools/kasan.rst

Lines Matching +full:pre +full:- +full:verified
5 --------
8 designed to find out-of-bounds and use-after-free bugs.
13 2. Software Tag-Based KASAN
14 3. Hardware Tag-Based KASAN
20 Software Tag-Based KASAN or SW_TAGS KASAN, enabled with CONFIG_KASAN_SW_TAGS,
23 using it for testing on memory-restricted devices with real workloads.
25 Hardware Tag-Based KASAN or HW_TAGS KASAN, enabled with CONFIG_KASAN_HW_TAGS,
26 is the mode intended to be used as an in-field memory bug detector or as a
34 The Generic and the Software Tag-Based modes are commonly referred to as the
35 software modes. The Software Tag-Based and the Hardware Tag-Based modes are
36 referred to as the tag-based modes.
39 -------
45 xtensa, and the tag-based KASAN modes are supported only on arm64.
50 Software KASAN modes use compile-time instrumentation to insert validity checks
52 support for that. The Hardware Tag-Based mode relies on hardware to perform
59 Software Tag-Based KASAN requires GCC 11+
62 Hardware Tag-Based KASAN requires GCC 10+ or Clang 12+.
70 Software Tag-Based KASAN supports slab, page_alloc, vmalloc, and stack memory.
72 Hardware Tag-Based KASAN supports slab, page_alloc, and non-executable vmalloc
76 Hardware Tag-Based KASAN only supports SLUB.
79 -----
86 ``CONFIG_KASAN_SW_TAGS`` (to enable Software Tag-Based KASAN), and
87 ``CONFIG_KASAN_HW_TAGS`` (to enable Hardware Tag-Based KASAN).
110 - ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN
114 Software and Hardware Tag-Based KASAN modes (see the section about various
117 - ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
119 - ``kasan.stack_ring_size=<number of entries>`` specifies the number of entries
122 Hardware Tag-Based KASAN mode is intended for use in production as a security
126 - ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
128 - ``kasan.mode=sync``, ``=async`` or ``=asymm`` controls whether KASAN
140 - ``kasan.vmalloc=off`` or ``=on`` disables or enables tagging of vmalloc
149     BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xa8/0xbc [test_kasan]
152     CPU: 1 PID: 2760 Comm: insmod Not tainted 4.19.0-rc3+ #698
153     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
200      which belongs to the cache kmalloc-128 of size 128
202      128-byte region [ffff8801f44ec300, ffff8801f44ec380)
222 and a stack trace of where the object was freed (in case of a use-after-free
237 bytes are accessible, and other (8 - N) bytes are not; any negative value
238 indicates that the entire 8-byte word is inaccessible. KASAN uses different
245 For tag-based KASAN modes, this last report section shows the memory tags around
248 Note that KASAN bug titles (like ``slab-out-of-bounds`` or ``use-after-free``)
249 are best-effort: KASAN prints the most probable bug type based on the limited
258 ----------------------
264 safe to access and use compile-time instrumentation to insert shadow memory
282 Compile-time instrumentation is used to insert memory access checks. Compiler
289 enlarges the kernel, but it gives an x1.1-x2 performance boost over the
290 outline-instrumented kernel.
295 Software Tag-Based KASAN
298 Software Tag-Based KASAN uses a software memory tagging approach to checking
301 Software Tag-Based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
303 to store memory tags associated with each 16-byte memory cell (therefore, it
306 On each memory allocation, Software Tag-Based KASAN generates a random tag, tags
310 Software Tag-Based KASAN uses compile-time instrumentation to insert checks
313 this memory. In case of a tag mismatch, Software Tag-Based KASAN prints a bug
316 Software Tag-Based KASAN also has two instrumentation modes (outline, which
323 Software Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
327 Hardware Tag-Based KASAN
330 Hardware Tag-Based KASAN is similar to the software mode in concept but uses
334 Hardware Tag-Based KASAN is currently only implemented for arm64 architecture
344 Hardware Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
348 If the hardware does not support MTE (pre ARMv8.5), Hardware Tag-Based KASAN
351 Note that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being
355 Hardware Tag-Based KASAN only reports the first found bug. After that, MTE tag
359 -------------
374 other areas - such as vmalloc and vmemmap space - a single read-only
375 page is mapped over the shadow area. This read-only shadow page
384 lives in vmalloc space, it will be shadowed by the read-only page, and
415 This will require changes in arch-specific code.
421 --------------
438 - For a single file (e.g., main.o)::
442 - For all files in one directory::
446 For software KASAN modes, to disable instrumentation on a per-function basis,
447 use the KASAN-specific ``__no_sanitize_address`` function attribute or the
450 Note that disabling compiler instrumentation (either on a per-file or a
451 per-function basis) makes KASAN ignore the accesses that happen directly in
454 Tag-Based KASAN, which does not use compiler instrumentation.
461 For tag-based KASAN modes, to disable access checking, use
464 restoring the per-page KASAN tag via ``page_kasan_tag``/``page_kasan_tag_set``.
473 ``CONFIG_KASAN_KUNIT_TEST``. These tests can be run and partially verified
478 only be verified manually by loading the kernel module and inspecting the
481 Each KUnit-compatible KASAN test prints one of multiple KASAN reports if an
486         ok 28 - kmalloc_double_kzfree
492         not ok 4 - kmalloc_large_oob_right
498         not ok 44 - kmalloc_double_kzfree
503         ok 1 - kasan
507         not ok 1 - kasan
509 There are a few ways to run KUnit-compatible KASAN tests.
513    With ``CONFIG_KUNIT`` enabled, KASAN-KUnit tests can be built as a loadable
516 2. Built-In
518    With ``CONFIG_KUNIT`` built-in, KASAN-KUnit tests can be built-in as well.
519    In this case, the tests will run at boot as a late-init call.
523    With ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KUNIT_TEST`` built-in, it is also
526    See `KUnit documentation <https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html>`_
527    for more up-to-date information on ``kunit_tool``.
529 .. _KUnit: https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html