On Mon, Aug 5, 2024 at 2:43 PM Marco Elver <elver@xxxxxxxxxx> wrote:
>
> Introduce burst mode, which can be configured with kfence.burst=$count,
> where the burst count denotes the additional successive slab allocations
> to be allocated through KFENCE for each sample interval.
>
> The idea is that this can give developers an additional knob to make
> KFENCE more aggressive when debugging specific issues of systems where
> either rebooting or recompiling the kernel with KASAN is not possible.
>
> Experiment: To assess the effectiveness of the new option, we randomly
> picked a recent out-of-bounds [1] and use-after-free bug [2], each with
> a reproducer provided by syzbot, that initially detected these bugs with
> KASAN. We then tried to reproduce the bugs with KFENCE below.
>
> [1] Fixed by: 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr")
>     https://syzkaller.appspot.com/bug?id=9d1b59d4718239da6f6069d3891863c25f9f24a2
> [2] Fixed by: f8ad00f3fb2a ("l2tp: fix possible UAF when cleaning up tunnels")
>     https://syzkaller.appspot.com/bug?id=4f34adc84f4a3b080187c390eeef60611fd450e1
>
> The following KFENCE configs were compared. A pool size of 1023 objects
> was used for all configurations.
>
>   Baseline
>     kfence.sample_interval=100
>     kfence.skip_covered_thresh=75
>     kfence.burst=0
>
>   Aggressive
>     kfence.sample_interval=1
>     kfence.skip_covered_thresh=10
>     kfence.burst=0
>
>   AggressiveBurst
>     kfence.sample_interval=1
>     kfence.skip_covered_thresh=10
>     kfence.burst=1000
>
> Each reproducer was run 10 times (after a fresh reboot), with the
> following detection counts for each KFENCE config:
>
>                     | Detection Count out of 10 |
>                     |   OOB [1]   |   UAF [2]   |
>   ------------------+-------------+-------------+
>   Default           |    0/10     |    0/10     |
>   Aggressive        |    0/10     |    0/10     |
>   AggressiveBurst   |    8/10     |    8/10     |
>
> With the Default and even the Aggressive configs the results are
> unsurprising, given KFENCE has not been designed for deterministic bug
> detection of small test cases.
>
> However, when enabling burst mode with relatively large burst count,
> KFENCE can start to detect heap memory-safety bugs even in simpler test
> cases with high probability (in the above cases with ~80% probability).
>
> Signed-off-by: Marco Elver <elver@xxxxxxxxxx>

Reviewed-by: Alexander Potapenko <glider@xxxxxxxxxx>
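The detection counts in the table above are obtained by checking, for each of the 10 runs per config, whether dmesg contains a KFENCE report. The script below is an added example (not part of the patch or this thread) of how one would tally such results automatically: it scans a dmesg excerpt for KFENCE report headers, classifies the bug kind, and builds a per-config "detected/total" summary in the same shape as the table. The header format ("BUG: KFENCE: <kind> [read|write] in <function>") is assumed from KFENCE's report output; the dmesg lines, function names and config results in the sample are constructed, not taken from the experiment.

```python
import re
from collections import Counter
from typing import Dict, List

# Header line of a KFENCE report in dmesg (assumed format), for example:
#   BUG: KFENCE: out-of-bounds read in jfs_demo_func+0x1a/0x80
# Kinds include out-of-bounds, use-after-free, invalid free, memory corruption.
KFENCE_HDR = re.compile(
    r"BUG: KFENCE: (?P<kind>.+?)(?: (?P<access>read|write))? in (?P<func>\S+)"
)


def parse_kfence_reports(dmesg: str) -> List[Dict[str, str]]:
    """Return one dict (kind, access, func) per KFENCE report header found."""
    reports = []
    for line in dmesg.splitlines():
        m = KFENCE_HDR.search(line)
        if m:
            reports.append({
                "kind": m["kind"],
                "access": m["access"] or "",   # empty for e.g. "invalid free"
                "func": m["func"],
            })
    return reports


def detection_count(runs: List[str]) -> int:
    """Number of runs (one dmesg excerpt each) with at least one KFENCE report."""
    return sum(1 for r in runs if parse_kfence_reports(r))


def bug_kinds(runs: List[str]) -> Counter:
    """How often each bug kind was reported across all runs of a config."""
    return Counter(rep["kind"] for r in runs for rep in parse_kfence_reports(r))


def summarize(results: Dict[str, List[str]]) -> Dict[str, str]:
    """Map config name -> 'detected/total', like the commit message's table."""
    return {cfg: f"{detection_count(runs)}/{len(runs)}" for cfg, runs in results.items()}


# Constructed sample data: three runs per config; only the burst config
# catches the (hypothetical) out-of-bounds read, in two of three runs.
CLEAN = "[   12.001] kfence: initialized - using 4194304 bytes for 1023 objects\n"
OOB = (
    CLEAN
    + "[   40.123] BUG: KFENCE: out-of-bounds read in jfs_demo_func+0x1a/0x80\n"
    + "[   40.124] Out-of-bounds read at 0xffff8880a1b2c3d4 (32B right of kfence-#17):\n"
)
SAMPLE_RESULTS = {
    "Baseline": [CLEAN, CLEAN, CLEAN],
    "AggressiveBurst": [OOB, CLEAN, OOB],
}

if __name__ == "__main__":
    for cfg, count in summarize(SAMPLE_RESULTS).items():
        print(f"{cfg:<18} {count:>6}  {dict(bug_kinds(SAMPLE_RESULTS[cfg]))}")
```

In practice the per-run excerpts would come from `dmesg` captured after each reboot-and-reproduce cycle; counting runs rather than reports matters because a single run can emit several KFENCE reports for the same bug.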