| Message ID | 450a1fe078b0e07bf2e4f3098c9110c9959c6524.1738686764.git.maciej.wieczor-retman@intel.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | kasan: x86: arm64: risc-v: KASAN tag-based mode for x86 | expand |
On Tue, Feb 4, 2025 at 6:37 PM Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com> wrote: > > With smaller memory footprint KASAN could be used in production systems. > One problem is that saving stacktraces slowes memory allocation > substantially - with KASAN enabled up to 90% of time spent on kmalloc() > is spent on saving the stacktrace. > > Add mitigation mode to allow the option for running KASAN focused on > performance and security. In mitigation mode disable saving stacktraces > and set fault mode to always panic on KASAN error as a security > mechanism. > > Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com> > --- > lib/Kconfig.kasan | 28 ++++++++++++++++++++++++++++ > mm/kasan/report.c | 4 ++++ > mm/kasan/tags.c | 5 +++++ > 3 files changed, 37 insertions(+) > > diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan > index d08b4e9bf477..6daa62b40dea 100644 > --- a/lib/Kconfig.kasan > +++ b/lib/Kconfig.kasan > @@ -244,4 +244,32 @@ config KASAN_SW_TAGS_DENSE > ARCH_HAS_KASAN_SW_TAGS_DENSE is needed for this option since the > special tag macros need to be properly set for 4-bit wide tags. > > +choice > + prompt "KASAN operation mode" > + default KASAN_OPERATION_DEBUG > + help > + Choose between the mitigation or debug operation modes. > + > + The first one disables stacktrace saving and enables panic on error. > + Faster memory allocation but less information. The second one is the > + default where KASAN operates with full functionality. This is something that I thought about before and I think we should _not_ add configuration options like these. The distinction between debug and mitigation modes is something that's specific to a particular user of the feature. Some might prefer to take the impact of having stack traces enabled in a production environment to allow debugging in-the-wild exploitation attempts. Also at some point in the future, we will hopefully have production-grade stack traces [1], and this would thus change the desired behavior of KASAN_OPERATION_MITIGATION. We already have the kasan.stacktrace command-line parameter for disabling stack trace collection. On top of that, if you prefer, we could add a configuration option that changes the default value of kasan_flag_stacktrace (but can still be overridden via the kasan.stacktrace command-line parameter). Note though that by default, stack traces should be turned on. [1] https://bugzilla.kernel.org/show_bug.cgi?id=211785 > + > +config KASAN_OPERATION_DEBUG > + bool "Debug operation mode" > + depends on KASAN > + help > + The default mode. Full functionality and all boot parameters > + available. > + > +config KASAN_OPERATION_MITIGATION > + bool "Mitigation operation mode" > + depends on KASAN > + help > + Operation mode dedicated at faster operation at the cost of less > + information collection. Disables stacktrace saving for faster > + allocations and forces panic on KASAN error to mitigate malicious > + attacks. > + > +endchoice > + > endif # KASAN > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > index ee9e406b0cdb..ae989d3bd919 100644 > --- a/mm/kasan/report.c > +++ b/mm/kasan/report.c > @@ -47,7 +47,11 @@ enum kasan_arg_fault { > KASAN_ARG_FAULT_PANIC_ON_WRITE, > }; > > +#ifdef CONFIG_KASAN_OPERATION_MITIGATION > +static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_PANIC; > +#else > static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_DEFAULT; > +#endif > > /* kasan.fault=report/panic */ > static int __init early_kasan_fault(char *arg) > diff --git a/mm/kasan/tags.c b/mm/kasan/tags.c > index c111d98961ed..2414cddeaaf3 100644 > --- a/mm/kasan/tags.c > +++ b/mm/kasan/tags.c > @@ -78,6 +78,11 @@ early_param("kasan.stack_ring_size", early_kasan_flag_stack_ring_size); > > void __init kasan_init_tags(void) > { > + if (IS_ENABLED(CONFIG_KASAN_OPERATION_MITIGATION)) { > + static_branch_disable(&kasan_flag_stacktrace); > + return; > + } > + > switch (kasan_arg_stacktrace) { > case KASAN_ARG_STACKTRACE_DEFAULT: > /* Default is specified by kasan_flag_stacktrace definition. */ > -- > 2.47.1 >
On 2025-02-06 at 00:46:21 +0100, Andrey Konovalov wrote: >On Tue, Feb 4, 2025 at 6:37 PM Maciej Wieczor-Retman ><maciej.wieczor-retman@intel.com> wrote: ... >> +choice >> + prompt "KASAN operation mode" >> + default KASAN_OPERATION_DEBUG >> + help >> + Choose between the mitigation or debug operation modes. >> + >> + The first one disables stacktrace saving and enables panic on error. >> + Faster memory allocation but less information. The second one is the >> + default where KASAN operates with full functionality. > >This is something that I thought about before and I think we should >_not_ add configuration options like these. The distinction between >debug and mitigation modes is something that's specific to a >particular user of the feature. Some might prefer to take the impact >of having stack traces enabled in a production environment to allow >debugging in-the-wild exploitation attempts. Also at some point in the >future, we will hopefully have production-grade stack traces [1], and >this would thus change the desired behavior of >KASAN_OPERATION_MITIGATION. > >We already have the kasan.stacktrace command-line parameter for >disabling stack trace collection. On top of that, if you prefer, we >could add a configuration option that changes the default value of >kasan_flag_stacktrace (but can still be overridden via the >kasan.stacktrace command-line parameter). Note though that by default, >stack traces should be turned on. > >[1] https://bugzilla.kernel.org/show_bug.cgi?id=211785 > Okay, I see your point. I'll drop the patch for now and rethink if messing with how stacktraces are enabled/disabled is worth it. > >_______________________________________________ >linux-riscv mailing list >linux-riscv@lists.infradead.org >http://lists.infradead.org/mailman/listinfo/linux-riscv
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index d08b4e9bf477..6daa62b40dea 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -244,4 +244,32 @@ config KASAN_SW_TAGS_DENSE ARCH_HAS_KASAN_SW_TAGS_DENSE is needed for this option since the special tag macros need to be properly set for 4-bit wide tags. +choice + prompt "KASAN operation mode" + default KASAN_OPERATION_DEBUG + help + Choose between the mitigation or debug operation modes. + + The first one disables stacktrace saving and enables panic on error. + Faster memory allocation but less information. The second one is the + default where KASAN operates with full functionality. + +config KASAN_OPERATION_DEBUG + bool "Debug operation mode" + depends on KASAN + help + The default mode. Full functionality and all boot parameters + available. + +config KASAN_OPERATION_MITIGATION + bool "Mitigation operation mode" + depends on KASAN + help + Operation mode dedicated at faster operation at the cost of less + information collection. Disables stacktrace saving for faster + allocations and forces panic on KASAN error to mitigate malicious + attacks. + +endchoice + endif # KASAN diff --git a/mm/kasan/report.c b/mm/kasan/report.c index ee9e406b0cdb..ae989d3bd919 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -47,7 +47,11 @@ enum kasan_arg_fault { KASAN_ARG_FAULT_PANIC_ON_WRITE, }; +#ifdef CONFIG_KASAN_OPERATION_MITIGATION +static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_PANIC; +#else static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_DEFAULT; +#endif /* kasan.fault=report/panic */ static int __init early_kasan_fault(char *arg) diff --git a/mm/kasan/tags.c b/mm/kasan/tags.c index c111d98961ed..2414cddeaaf3 100644 --- a/mm/kasan/tags.c +++ b/mm/kasan/tags.c @@ -78,6 +78,11 @@ early_param("kasan.stack_ring_size", early_kasan_flag_stack_ring_size); void __init kasan_init_tags(void) { + if (IS_ENABLED(CONFIG_KASAN_OPERATION_MITIGATION)) { + static_branch_disable(&kasan_flag_stacktrace); + return; + } + switch (kasan_arg_stacktrace) { case KASAN_ARG_STACKTRACE_DEFAULT: /* Default is specified by kasan_flag_stacktrace definition. */
With smaller memory footprint KASAN could be used in production systems. One problem is that saving stacktraces slowes memory allocation substantially - with KASAN enabled up to 90% of time spent on kmalloc() is spent on saving the stacktrace. Add mitigation mode to allow the option for running KASAN focused on performance and security. In mitigation mode disable saving stacktraces and set fault mode to always panic on KASAN error as a security mechanism. Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com> --- lib/Kconfig.kasan | 28 ++++++++++++++++++++++++++++ mm/kasan/report.c | 4 ++++ mm/kasan/tags.c | 5 +++++ 3 files changed, 37 insertions(+)