mm/kasan: print memory around poisoned address

Gary-Hobson · xiaoxiang781216 · commit a9afed96b9fc · 2024-08-30T01:35:09.000+08:00
Print shadow memory following asan format. ==3118004==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5618ac32a100 at pc 0x5618ac32727f bp 0x7ffe5f3e66f0 sp 0x7ffe5f3e66e0 WRITE of size 4 at 0x5618ac32a100 thread T0 #0 0x5618ac32727e in main /home/baerg/vela/x4b/asan_test.c:12 #1 0x7f221ce29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #2 0x7f221ce29e3f in __libc_start_main_impl ../csu/libc-start.c:392 apache#3 0x5618ac327144 in _start (/home/baerg/vela/x4b/asan_test+0x1144) 0x5618ac32a100 is located 0 bytes to the right of global variable 'buffer' defined in 'asan_test.c:5:6' (0x5618ac32a0e0) of size 32 SUMMARY: AddressSanitizer: global-buffer-overflow /home/baerg/vela/x4b/asan_test.c:12 in main Shadow bytes around the buggy address: 0x0ac39585d3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac39585d3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac39585d3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac39585d400: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 0x0ac39585d410: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 =>0x0ac39585d420:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac39585d430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac39585d440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac39585d450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac39585d460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ac39585d470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Signed-off-by: yinshengkai <yinshengkai@xiaomi.com>
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
@@ -28,6 +28,7 @@
 #include <debug.h>
 #include <stdbool.h>
 #include <stdint.h>
+#include <stdio.h>
 
 #include "kasan.h"
 
@@ -74,6 +75,12 @@ struct kasan_region_s
   uintptr_t shadow[1];
 };
 
+/****************************************************************************
+ * Private Function Prototypes
+ ****************************************************************************/
+
+static bool kasan_is_poisoned(FAR const void *addr, size_t size);
+
 /****************************************************************************
  * Private Data
  ****************************************************************************/
@@ -136,6 +143,49 @@ static FAR uintptr_t *kasan_mem_to_shadow(FAR const void *ptr, size_t size,
   return NULL;
 }
 
+static void kasan_show_memory(FAR const uint8_t *addr, size_t size,
+                              size_t dumpsize)
+{
+  FAR const uint8_t *start = (FAR const uint8_t *)
+                             (((uintptr_t)addr) & ~0xf) - dumpsize;
+  FAR const uint8_t *end = start + 2 * dumpsize;
+  FAR const uint8_t *p = start;
+  char buffer[256];
+
+  _alert("Shadow bytes around the buggy address:\n");
+  for (p = start; p < end; p += 16)
+    {
+      int ret = sprintf(buffer, "  %p: ", p);
+      int i;
+
+      for (i = 0; i < 16; i++)
+        {
+          if (kasan_is_poisoned(p + i, 1))
+            {
+              if (p + i == addr)
+                {
+                  ret += sprintf(buffer + ret,
+                                 "\b[\033[31m%02x\033[0m ", p[i]);
+                }
+              else if (p + i == addr + size - 1)
+                {
+                  ret += sprintf(buffer + ret, "\033[31m%02x\033[0m]", p[i]);
+                }
+              else
+                {
+                  ret += sprintf(buffer + ret, "\033[31m%02x\033[0m ", p[i]);
+                }
+            }
+          else
+            {
+              ret += sprintf(buffer + ret, "\033[37m%02x\033[0m ", p[i]);
+            }
+        }
+
+      _alert("%s\n", buffer);
+    }
+}
+
 static void kasan_report(FAR const void *addr, size_t size,
                          bool is_write,
                          FAR void *return_address)
@@ -148,6 +198,8 @@ static void kasan_report(FAR const void *addr, size_t size,
              "size is %zu, return address: %p\n",
              is_write ? "write" : "read",
              addr, size, return_address);
+
+      kasan_show_memory(addr, size, 80);
       PANIC();
     }
 
