From 96943ab07c98e73b01b7bbc33abb1c34bd696633 Mon Sep 17 00:00:00 2001
From: Brian Gianforcaro <b.gianfo@gmail.com>
Date: Sun, 14 Feb 2021 12:47:10 -0800
Subject: Kernel: Initial integration of Kernel Address Sanitizer (KASAN)

KASAN is a dynamic analysis tool that finds memory errors. It focuses
mostly on finding use-after-free and out-of-bound read/writes bugs.

KASAN works by allocating a "shadow memory" region which is used to store
whether each byte of memory is safe to access. The compiler then instruments
the kernel code and a check is inserted which validates the state of the
shadow memory region on every memory access (load or store).

To fully integrate KASAN into the SerenityOS kernel we need to:

 a) Implement the KASAN interface to intercept the injected loads/stores.

      void __asan_load*(address);
      void __asan_store(address);

 b) Setup KASAN region and determine the shadow memory offset + translation.
    This might be challenging since Serenity is only 32bit at this time.

    Ex: Linux implements kernel address -> shadow address translation like:

      static inline void *kasan_mem_to_shadow(const void *addr)
      {
          return ((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT)
                  + KASAN_SHADOW_OFFSET;
      }

 c) Integrating KASAN with Kernel allocators.
    The kernel allocators need to be taught how to record allocation state
    in the shadow memory region.

This commit only implements the initial steps of this long process:
- A new (default OFF) CMake build flag `ENABLE_KERNEL_ADDRESS_SANITIZER`
- Stubs out enough of the KASAN interface to allow the Kernel to link clean.

Currently the KASAN kernel crashes on boot (triple fault because of the crash
in strlen other sanitizer are seeing) but the goal here is to just get started,
and this should help others jump in and continue making progress on KASAN.

References:
* ASAN Paper: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/37752.pdf
* KASAN Docs: https://github.com/google/kasan
* NetBSD KASAN Blog: https://blog.netbsd.org/tnf/entry/kernel_address_sanitizer_part_3
* LWN KASAN Article: https://lwn.net/Articles/612153/
* Tracking Issue #5351
---
 Kernel/CMakeLists.txt | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'Kernel/CMakeLists.txt')

diff --git a/Kernel/CMakeLists.txt b/Kernel/CMakeLists.txt
index 5059dde24b..eee0c68e9d 100644
--- a/Kernel/CMakeLists.txt
+++ b/Kernel/CMakeLists.txt
@@ -10,6 +10,7 @@ set(KERNEL_SOURCES
     ACPI/Initialize.cpp
     ACPI/MultiProcessorParser.cpp
     ACPI/Parser.cpp
+    AddressSanitizer.cpp
     Arch/i386/CPU.cpp
     Arch/i386/ProcessorInfo.cpp
     Arch/i386/SafeMem.cpp
@@ -307,6 +308,13 @@ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-asynchronous-unwind-tables")
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-strong")
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -nostdlib -nostdinc -nostdinc++")
 
+# Kernel Address Sanitize (KASAN) implementation is still a work in progress, this option
+# is not currently meant to be used, besides when developing Kernel ASAN support.
+#
+if (ENABLE_KERNEL_ADDRESS_SANITIZER)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=kernel-address")
+endif()
+
 add_compile_definitions(KERNEL)
 
 # HACK: This is a workaround for CLion to grok the kernel sources.
-- 
cgit v1.2.3