I have some questions about the bug types reported by KASAN.
1. In line 126 of "get_bug_type", it checks whether the address has corresponding shadow memory. However, according to the KASAN documentation (
https://www.kernel.org/doc/html/latest/dev-tools/kasan.html), all of kernel space should be mapped into the shadow memory region. Why are there accesses that are not mapped into the shadow region? And in the code of "get_wild_bug_type", what is the logic for distinguishing each type?
2. How does KASAN add a redzone (e.g., KASAN_PAGE_REDZONE) for the page-level allocator?
......
76
77 switch (*shadow_addr) {
78 case 0 ... KASAN_SHADOW_SCALE_SIZE - 1:
79 /*
80 * In theory it's still possible to see these shadow values
81 * due to a data race in the kernel code.
82 */
83 bug_type = "out-of-bounds";
84 break;
85 case KASAN_PAGE_REDZONE:
86 case KASAN_KMALLOC_REDZONE:
87 bug_type = "slab-out-of-bounds";
88 break;
89 case KASAN_GLOBAL_REDZONE:
90 bug_type = "global-out-of-bounds";
91 break;
92 case KASAN_STACK_LEFT:
93 case KASAN_STACK_MID:
94 case KASAN_STACK_RIGHT:
95 case KASAN_STACK_PARTIAL:
96 bug_type = "stack-out-of-bounds";
97 break;
98 case KASAN_FREE_PAGE:
99 case KASAN_KMALLOC_FREE:
100 bug_type = "use-after-free";
101 break;
102 case KASAN_USE_AFTER_SCOPE:
103 bug_type = "use-after-scope";
104 break;
105 }
106
107 return bug_type;
108 }
/*
 * Name the bug type for an access that get_bug_type() could not classify
 * via shadow memory (addr_has_shadow() returned false for it).
 *
 * The address is bucketed purely by its numeric value: below PAGE_SIZE it
 * is reported as "null-ptr-deref", below TASK_SIZE as "user-memory-access",
 * and anything at or above TASK_SIZE as "wild-memory-access".
 *
 * @info: the faulting access; only info->access_addr is consulted.
 *
 * Returns a string literal naming the bug type; never NULL, since the
 * three ranges above cover every possible address.
 */
static const char *get_wild_bug_type(struct kasan_access_info *info)
{
	unsigned long addr = (unsigned long)info->access_addr;

	if (addr < PAGE_SIZE)
		return "null-ptr-deref";
	if (addr < TASK_SIZE)
		return "user-memory-access";
	return "wild-memory-access";
}
/*
 * Select the bug-type string for a KASAN report.
 *
 * Accesses whose address is covered by shadow memory (addr_has_shadow())
 * are classified by get_shadow_bug_type(); every other access falls back
 * to the address-range heuristic in get_wild_bug_type().
 *
 * @info: the faulting access.
 *
 * Returns whatever the chosen classifier returns (a string literal).
 */
static const char *get_bug_type(struct kasan_access_info *info)
{
	return addr_has_shadow(info) ? get_shadow_bug_type(info)
				     : get_wild_bug_type(info);
}