linux/Documentation/dev-tools
Marco Elver cc0a0f9855 kfence: introduce burst mode
Introduce burst mode, which can be configured with kfence.burst=$count,
where the burst count denotes the additional successive slab allocations
to be allocated through KFENCE for each sample interval.

The idea is that this can give developers an additional knob to make
KFENCE more aggressive when debugging specific issues of systems where
either rebooting or recompiling the kernel with KASAN is not possible.

Experiment: To assess the effectiveness of the new option, we randomly
picked a recent out-of-bounds [1] and use-after-free bug [2], each with a
reproducer provided by syzbot, that initially detected these bugs with
KASAN.  We then tried to reproduce the bugs with KFENCE below.

[1] Fixed by: 7c55b78818 ("jfs: xattr: fix buffer overflow for invalid xattr")
    https://syzkaller.appspot.com/bug?id=9d1b59d4718239da6f6069d3891863c25f9f24a2
[2] Fixed by: f8ad00f3fb ("l2tp: fix possible UAF when cleaning up tunnels")
    https://syzkaller.appspot.com/bug?id=4f34adc84f4a3b080187c390eeef60611fd450e1

The following KFENCE configs were compared. A pool size of 1023 objects
was used for all configurations.

	Baseline
		kfence.sample_interval=100
		kfence.skip_covered_thresh=75
		kfence.burst=0

	Aggressive
		kfence.sample_interval=1
		kfence.skip_covered_thresh=10
		kfence.burst=0

	AggressiveBurst
		kfence.sample_interval=1
		kfence.skip_covered_thresh=10
		kfence.burst=1000

Each reproducer was run 10 times (after a fresh reboot), with the
following detection counts for each KFENCE config:

                    | Detection Count out of 10 |
                    |    OOB [1]  |    UAF [2]  |
  ------------------+-------------+-------------+
  Default           |     0/10    |     0/10    |
  Aggressive        |     0/10    |     0/10    |
  AggressiveBurst   |     8/10    |     8/10    |

With the Default and even the Aggressive configs the results are
unsurprising, given KFENCE has not been designed for deterministic bug
detection of small test cases.

However, when enabling burst mode with a relatively large burst count,
KFENCE can start to detect heap memory-safety bugs even in simpler test
cases with high probability (in the above cases with ~80% probability).

Link: https://lkml.kernel.org/r/20240805124203.2692278-1-elver@google.com
Signed-off-by: Marco Elver <elver@google.com>
Reviewed-by: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2024-09-01 20:26:03 -07:00
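As an added example, not code from the kernel or from this commit, the following Python model captures the gate semantics the message describes (one sample timer per kfence.sample_interval, admitting 1 + kfence.burst successive allocations) and estimates how often the bug-triggering allocation of a short, constructed reproducer would be served by KFENCE under the three configs above. It assumes a uniformly random timer phase and ignores skip_covered_thresh and pool exhaustion.

```python
import random

# Constructed, simplified model of the KFENCE allocation gate with burst mode
# (added example, not kernel code). Assumed semantics, from the commit text:
# every sample_interval ms the sample timer re-opens the gate, which then admits
# 1 + burst successive allocations into the KFENCE pool; the rest go to slab.

def kfence_sampled(alloc_times_ms, sample_interval_ms, burst, phase_ms=0.0):
    """Return one bool per allocation: True where it would be served by KFENCE.
    phase_ms shifts the timer so interval boundaries need not align with t=0."""
    sampled, current_window, admitted = [], None, 0
    for t in alloc_times_ms:
        window = int((t + phase_ms) // sample_interval_ms)
        if window != current_window:   # timer fired: gate re-opens
            current_window, admitted = window, 0
        if admitted <= burst:          # 1 + burst allocations per interval
            admitted += 1
            sampled.append(True)
        else:
            sampled.append(False)
    return sampled

# The three configurations compared in the commit message (pool size ignored).
CONFIGS = {
    "Baseline":        dict(sample_interval_ms=100, burst=0),
    "Aggressive":      dict(sample_interval_ms=1,   burst=0),
    "AggressiveBurst": dict(sample_interval_ms=1,   burst=1000),
}

def detection_rate(alloc_times_ms, bug_index, cfg, trials=200, seed=1):
    """Fraction of trials (random timer phase) in which the allocation that
    triggers the bug, alloc_times_ms[bug_index], is a KFENCE allocation."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        phase = rng.uniform(0, cfg["sample_interval_ms"])
        if kfence_sampled(alloc_times_ms, phase_ms=phase, **cfg)[bug_index]:
            hits += 1
    return hits / trials

# Constructed reproducer timeline: 5000 allocations 10 us apart (50 ms in
# total), with the buggy access happening on allocation number 4200.
REPRO = [i * 0.01 for i in range(5000)]
BUG_AT = 4200

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        n = sum(kfence_sampled(REPRO, **cfg))
        p = detection_rate(REPRO, BUG_AT, cfg)
        print(f"{name:16s} KFENCE allocations={n:5d}  P(bug alloc sampled)={p:.2f}")
```

With the 1 ms interval and burst=1000, every allocation of this small reproducer lands in KFENCE, which is the regime in which the commit's 8/10 detections become plausible; without burst the timer admits at most one allocation per interval, so the bug-triggering allocation is almost never the sampled one.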
kunit Documentation: KUnit: Update the instructions on how to test static functions 2024-01-22 07:59:03 -07:00
checkpatch.rst scripts: checkpatch: check unused parameters for function-like macro 2024-05-11 15:51:44 -07:00
checkuapi.rst docs: dev-tools: Add UAPI checker documentation 2023-12-29 22:25:21 +09:00
clang-format.rst Docs: Move clang-format from process/ to dev-tools/ 2024-06-26 16:36:00 -06:00
coccinelle.rst Documentation: coccinelle: Escape --options to fix Sphinx output 2023-01-31 13:55:44 -07:00
gcov.rst docs/gcov: Convert two tags to ref in dev-tools/gov.rst 2021-04-08 11:19:43 -06:00
gdb-kernel-debugging.rst docs/scripts/gdb: add necessary make scripts_gdb step 2023-01-26 11:21:05 -07:00
gpio-sloppy-logic-analyzer.rst gpio: add sloppy logic analyzer using polling 2024-07-01 10:54:11 +02:00
index.rst Nothing hugely exciting happening in the documentation tree this time 2024-07-18 15:54:16 -07:00
kasan.rst - Sumanth Korikkar has taught s390 to allocate hotplug-time page frames 2024-03-14 17:43:30 -07:00
kcov.rst kcov: improve documentation 2023-04-08 13:45:36 -07:00
kcsan.rst kcsan, compiler_types: Introduce __data_racy type qualifier 2024-05-07 11:39:50 -07:00
kfence.rst kfence: introduce burst mode 2024-09-01 20:26:03 -07:00
kgdb.rst Documentation: kgdb: Replace deprecated remotebaud 2022-01-07 09:33:13 -07:00
kmemleak.rst docs: kmemleak: adjust to config renaming 2023-04-20 17:53:38 -06:00
kmsan.rst kmsan: allow disabling KMSAN checks for the current task 2024-07-03 19:30:22 -07:00
kselftest.rst selftests: Add information about TAP conformance in tests 2024-07-11 11:23:54 -06:00
ktap.rst Documentation: dev-tools: Clarify requirements for result description 2022-12-12 14:13:48 -07:00
sparse.rst Documentation/sparse: add hints about __CHECKER__ 2022-03-23 19:00:33 -07:00
testing-overview.rst Documentation: dev-tools: Add link to RV docs 2024-03-29 08:27:21 -06:00
ubsan.rst ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL 2024-02-06 02:21:38 -08:00