kasan.rst - OpenGrok cross reference for /kernel/linux/linux-6.6/Documentation/dev-tools/kasan.rst

Lines Matching +full:software +full:- +full:based
5 --------
8 designed to find out-of-bounds and use-after-free bugs.
13 2. Software Tag-Based KASAN
14 3. Hardware Tag-Based KASAN
20 Software Tag-Based KASAN or SW_TAGS KASAN, enabled with CONFIG_KASAN_SW_TAGS,
23 using it for testing on memory-restricted devices with real workloads.
25 Hardware Tag-Based KASAN or HW_TAGS KASAN, enabled with CONFIG_KASAN_HW_TAGS,
26 is the mode intended to be used as an in-field memory bug detector or as a
34 The Generic and the Software Tag-Based modes are commonly referred to as the
35 software modes. The Software Tag-Based and the Hardware Tag-Based modes are
36 referred to as the tag-based modes.
39 -------
45 and loongarch, and the tag-based KASAN modes are supported only on arm64.
50 Software KASAN modes use compile-time instrumentation to insert validity checks
52 support for that. The Hardware Tag-Based mode relies on hardware to perform
59 Software Tag-Based KASAN requires GCC 11+
62 Hardware Tag-Based KASAN requires GCC 10+ or Clang 12+.
70 Software Tag-Based KASAN supports slab, page_alloc, vmalloc, and stack memory.
72 Hardware Tag-Based KASAN supports slab, page_alloc, and non-executable vmalloc
75 For slab, both software KASAN modes support SLUB and SLAB allocators, while
76 Hardware Tag-Based KASAN only supports SLUB.
79 -----
86 ``CONFIG_KASAN_SW_TAGS`` (to enable Software Tag-Based KASAN), and
87 ``CONFIG_KASAN_HW_TAGS`` (to enable Hardware Tag-Based KASAN).
89 For the software modes, also choose between ``CONFIG_KASAN_OUTLINE`` and
110 - ``kasan.fault=report``, ``=panic``, or ``=panic_on_write`` controls whether
114   Hardware Tag-Based KASAN, ``kasan.fault=panic_on_write`` always panics on
117 Software and Hardware Tag-Based KASAN modes (see the section about various
120 - ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
122 - ``kasan.stack_ring_size=<number of entries>`` specifies the number of entries
125 Hardware Tag-Based KASAN mode is intended for use in production as a security
129 - ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
131 - ``kasan.mode=sync``, ``=async`` or ``=asymm`` controls whether KASAN
143 - ``kasan.vmalloc=off`` or ``=on`` disables or enables tagging of vmalloc
146 - ``kasan.page_alloc.sample=<sampling interval>`` makes KASAN tag only every
152   Note that enabling this parameter makes Hardware Tag-Based KASAN skip checks
156 - ``kasan.page_alloc.sample.order=<minimum page order>`` specifies the minimum
169     BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xa8/0xbc [test_kasan]
172     CPU: 1 PID: 2760 Comm: insmod Not tainted 4.19.0-rc3+ #698
173     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
220      which belongs to the cache kmalloc-128 of size 128
222      128-byte region [ffff8801f44ec300, ffff8801f44ec380)
242 and a stack trace of where the object was freed (in case of a use-after-free
257 bytes are accessible, and other (8 - N) bytes are not; any negative value
258 indicates that the entire 8-byte word is inaccessible. KASAN uses different
265 For tag-based KASAN modes, this last report section shows the memory tags around
268 Note that KASAN bug titles (like ``slab-out-of-bounds`` or ``use-after-free``)
269 are best-effort: KASAN prints the most probable bug type based on the limited
278 ----------------------
283 Software KASAN modes use shadow memory to record whether each byte of memory is
284 safe to access and use compile-time instrumentation to insert shadow memory
302 Compile-time instrumentation is used to insert memory access checks. Compiler
309 enlarges the kernel, but it gives an x1.1-x2 performance boost over the
310 outline-instrumented kernel.
315 Software Tag-Based KASAN
318 Software Tag-Based KASAN uses a software memory tagging approach to checking
321 Software Tag-Based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
323 to store memory tags associated with each 16-byte memory cell (therefore, it
326 On each memory allocation, Software Tag-Based KASAN generates a random tag, tags
330 Software Tag-Based KASAN uses compile-time instrumentation to insert checks
333 this memory. In case of a tag mismatch, Software Tag-Based KASAN prints a bug
336 Software Tag-Based KASAN also has two instrumentation modes (outline, which
343 Software Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
347 Hardware Tag-Based KASAN
350 Hardware Tag-Based KASAN is similar to the software mode in concept but uses
354 Hardware Tag-Based KASAN is currently only implemented for arm64 architecture
355 and based on both arm64 Memory Tagging Extension (MTE) introduced in ARMv8.5
364 Hardware Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
368 If the hardware does not support MTE (pre ARMv8.5), Hardware Tag-Based KASAN
371 Note that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being
375 Hardware Tag-Based KASAN only reports the first found bug. After that, MTE tag
379 -------------
381 The contents of this section are only applicable to software KASAN modes.
394 other areas - such as vmalloc and vmemmap space - a single read-only
395 page is mapped over the shadow area. This read-only shadow page
404 lives in vmalloc space, it will be shadowed by the read-only page, and
435 This will require changes in arch-specific code.
441 --------------
446 Software KASAN modes use compiler instrumentation to insert validity checks.
454 For software KASAN modes, to disable instrumentation for a specific file or
458 - For a single file (e.g., main.o)::
462 - For all files in one directory::
466 For software KASAN modes, to disable instrumentation on a per-function basis,
467 use the KASAN-specific ``__no_sanitize_address`` function attribute or the
470 Note that disabling compiler instrumentation (either on a per-file or a
471 per-function basis) makes KASAN ignore the accesses that happen directly in
472 that code for software KASAN modes. It does not help when the accesses happen
474 Tag-Based KASAN, which does not use compiler instrumentation.
476 For software KASAN modes, to disable KASAN reports in a part of the kernel code
481 For tag-based KASAN modes, to disable access checking, use
484 restoring the per-page KASAN tag via ``page_kasan_tag``/``page_kasan_tag_set``.
501 Each KUnit-compatible KASAN test prints one of multiple KASAN reports if an
506         ok 28 - kmalloc_double_kzfree
512         not ok 4 - kmalloc_large_oob_right
518         not ok 44 - kmalloc_double_kzfree
523         ok 1 - kasan
527         not ok 1 - kasan
529 There are a few ways to run KUnit-compatible KASAN tests.
533    With ``CONFIG_KUNIT`` enabled, KASAN-KUnit tests can be built as a loadable
536 2. Built-In
538    With ``CONFIG_KUNIT`` built-in, KASAN-KUnit tests can be built-in as well.
539    In this case, the tests will run at boot as a late-init call.
543    With ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KUNIT_TEST`` built-in, it is also
546    See `KUnit documentation <https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html>`_
547    for more up-to-date information on ``kunit_tool``.
549 .. _KUnit: https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html