开发者手机4.0release kasan版本编译

一、修改内核配置文件：

路径：kernel\linux\linux-5.15\arch\arm64\configs\laphone_defconfig  

1、stack_depot_disable=off 打开，否则缓存堆栈不可用，导致打印缓存调用栈失败
CONFIG_CMDLINE="stack_depot_disable=off kasan.stacktrace=off kvm-arm.mode=protected cgroup_disable=pressure"
2、CONFIG_FRAME_WARN=0  //关闭堆栈大小设置，否则会导致编译不通过
3、开启kasan通用堆栈设置，关闭其他选项
CONFIG_HAVE_ARCH_KASAN=y
#CONFIG_HAVE_ARCH_KASAN_SW_TAGS=y
#CONFIG_HAVE_ARCH_KASAN_HW_TAGS=y
#CONFIG_HAVE_ARCH_KASAN_VMALLOC=y
CONFIG_CC_HAS_KASAN_GENERIC=y
#CONFIG_CC_HAS_KASAN_SW_TAGS=y
CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y
CONFIG_KASAN=y
CONFIG_KASAN_GENERIC=y
CONFIG_SECTION_MISMATCH_WARN_ONLY=y
# CONFIG_KASAN_SW_TAGS is not set
# CONFIG_KASAN_HW_TAGS=y
# CONFIG_KASAN_TAGS_IDENTIFY is not set
# CONFIG_KASAN_VMALLOC=y

二、kasan 测试样例添加

1、添加测试样例代码

路径：kernel\linux\linux-5.15\arch\arm64\mm\ 目录下添加测试样例kasan_test.c 文件

#define pr_fmt(fmt) "kasan test: %s " fmt, __func__

#include <linux/kernel.h>
#include <linux/mman.h>
#include <linux/mm.h>
#include <linux/printk.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/uaccess.h>
#include <linux/module.h>
#include <linux/kasan.h>

static noinline void __init kmalloc_oob_right(void)
{
        char *ptr;
        size_t size = 123;

        pr_info("out-of-bounds to right\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        ptr[size] = 'x';
        kfree(ptr);
}

static noinline void __init kmalloc_oob_left(void)
{
        char *ptr;
        size_t size = 15;

        pr_info("out-of-bounds to left\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        *ptr = *(ptr - 1);
        kfree(ptr);
}

static noinline void __init kmalloc_node_oob_right(void)
{
        char *ptr;
        size_t size = 4096;

        pr_info("kmalloc_node(): out-of-bounds to right\n");
        ptr = kmalloc_node(size, GFP_KERNEL, 0);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        ptr[size] = 0;
        kfree(ptr);
}

#ifdef CONFIG_SLUB
static noinline void __init kmalloc_pagealloc_oob_right(void)
{
        char *ptr;
        size_t size = KMALLOC_MAX_CACHE_SIZE + 10;

        /* Allocate a chunk that does not fit into a SLUB cache to trigger
         * the page allocator fallback.
         */
        pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        ptr[size] = 0;
        kfree(ptr);
}
#endif

static noinline void __init kmalloc_large_oob_right(void)
{
        char *ptr;
        size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
        /* Allocate a chunk that is large enough, but still fits into a slab
         * and does not trigger the page allocator fallback in SLUB.
         */
        pr_info("kmalloc large allocation: out-of-bounds to right\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        ptr[size] = 0;
        kfree(ptr);
}

static noinline void __init kmalloc_oob_krealloc_more(void)
{
        char *ptr1, *ptr2;
        size_t size1 = 17;
        size_t size2 = 19;

        pr_info("out-of-bounds after krealloc more\n");
        ptr1 = kmalloc(size1, GFP_KERNEL);
        ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
        if (!ptr1 || !ptr2) {
                pr_err("Allocation failed\n");
                kfree(ptr1);
                return;
        }

        ptr2[size2] = 'x';
        kfree(ptr2);
}

static noinline void __init kmalloc_oob_krealloc_less(void)
{
        char *ptr1, *ptr2;
        size_t size1 = 17;
        size_t size2 = 15;

        pr_info("out-of-bounds after krealloc less\n");
        ptr1 = kmalloc(size1, GFP_KERNEL);
        ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
        if (!ptr1 || !ptr2) {
                pr_err("Allocation failed\n");
                kfree(ptr1);
                return;
        }
        ptr2[size2] = 'x';
        kfree(ptr2);
}

static noinline void __init kmalloc_oob_16(void)
{
        struct {
                u64 words[2];
        } *ptr1, *ptr2;

        pr_info("kmalloc out-of-bounds for 16-bytes access\n");
        ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
        ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
        if (!ptr1 || !ptr2) {
                pr_err("Allocation failed\n");
                kfree(ptr1);
                kfree(ptr2);
                return;
        }
        *ptr1 = *ptr2;
        kfree(ptr1);
        kfree(ptr2);
}

static noinline void __init kmalloc_oob_memset_2(void)
{
        char *ptr;
        size_t size = 8;

        pr_info("out-of-bounds in memset2\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        memset(ptr+7, 0, 2);
        kfree(ptr);
}

static noinline void __init kmalloc_oob_memset_4(void)
{
        char *ptr;
        size_t size = 8;

        pr_info("out-of-bounds in memset4\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        memset(ptr+5, 0, 4);
        kfree(ptr);
}


static noinline void __init kmalloc_oob_memset_8(void)
{
        char *ptr;
        size_t size = 8;

        pr_info("out-of-bounds in memset8\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        memset(ptr+1, 0, 8);
        kfree(ptr);
}

static noinline void __init kmalloc_oob_memset_16(void)
{
        char *ptr;
        size_t size = 16;

        pr_info("out-of-bounds in memset16\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        memset(ptr+1, 0, 16);
        kfree(ptr);
}

static noinline void __init kmalloc_oob_in_memset(void)
{
        char *ptr;
        size_t size = 666;

        pr_info("out-of-bounds in memset\n");
        ptr = kmalloc(size, GFP_KERNEL);
        if (!ptr) {
                pr_err("Allocation failed\n");
                return;
        }

        memset(ptr, 0, size+5);
        kfree(ptr);
}


static noinline void __init kmalloc_uaf(void)
{
	char *ptr;
	size_t size = 10;

	pr_info("use-after-free\n");
	ptr = kmalloc(size, GFP_KERNEL);
	if (!ptr) {
		pr_err("Allocation failed\n");
		return;
	}

	kfree(ptr);
	*(ptr + 8) = 'x';
}

static noinline void __init kmalloc_uaf_memset(void)
{
	char *ptr;
	size_t size = 33;

	pr_info("use-after-free in memset\n");
	ptr = kmalloc(size, GFP_KERNEL);
	if (!ptr) {
		pr_err("Allocation failed\n");
		return;
	}

	kfree(ptr);
	memset(ptr, 0, size);
}


static noinline void __init kmalloc_double_free_test(void)
{
	char *ptr;
	size_t size = 123;

	pr_info("double-free\n");
	ptr = kmalloc(size, GFP_KERNEL);
	if (!ptr) {
		pr_err("Allocation failed\n");
		return;
	}

	kfree(ptr);
	kfree(ptr);
}

static int __init kmalloc_tests_init(void)
{
        /*
         * Temporarily enable multi-shot mode. Otherwise, we'd only get a
         * report for the first case.
         */

        kmalloc_oob_right();
        kmalloc_oob_left();
        kmalloc_node_oob_right();
#ifdef CONFIG_SLUB
        kmalloc_pagealloc_oob_right();
#endif
        kmalloc_large_oob_right();
        kmalloc_oob_krealloc_more();
        kmalloc_oob_krealloc_less();
        kmalloc_oob_16();
        kmalloc_oob_in_memset();
        kmalloc_oob_memset_2();
        kmalloc_oob_memset_4();
        kmalloc_oob_memset_8();
        kmalloc_oob_memset_16();
		
		kmalloc_uaf();
		kmalloc_uaf_memset();
	
		kmalloc_double_free_test();
		
		return -EAGAIN;
}
module_init(kmalloc_tests_init);
MODULE_LICENSE("GPL");

2、测试用例编译添加 

路径：kernel\linux\linux-5.15\arch\arm64\mm\Makefile  中添加obj-$(CONFIG_KASAN)        += kasan_init.o kasan_test.o

obj-$(CONFIG_KASAN)		+= kasan_init.o kasan_test.o

3、kasan_init.c中添加多次故障检测

路径：kernel\linux\linux-5.15\arch\arm64\mm\kasan_init.c    

kasan_init() 函数中添加 kasan_save_enable_multi_shot();  目的：可以检测到多次内存问题，不添加仅能检测首次。

void __init kasan_init(void)
{
	kasan_init_shadow();
	kasan_init_depth();
    kasan_save_enable_multi_shot(); 
#if defined(CONFIG_KASAN_GENERIC)
	/* CONFIG_KASAN_SW_TAGS also requires kasan_init_sw_tags(). */
	pr_info("KernelAddressSanitizer initialized (generic)\n");
#endif
}

4、修改缓存堆栈打印函数

路径：kernel\linux\linux-5.15\kernel\stacktrace.c    

stack_trace_print（）函数中printk 改为pr_err ，原因为系统默认日志级别为4导致printk无法打印堆栈。

void stack_trace_print(const unsigned long *entries, unsigned int nr_entries,
		       int spaces)
{
	unsigned int i;

	if (WARN_ON(!entries))
		return;

	for (i = 0; i < nr_entries; i++)
		// printk("%*c%pS\n", 1 + spaces, ' ', (void *)entries[i]);
        pr_err("%*c%pS\n", 1 + spaces, ' ', (void *)entries[i]);
		
}

三、修改编译问题

1、编译问题1：

说明：4.1release 版本代码修改后该问题不存在了，无需修改。

路径：kernel\linux\common_modules\xpm\core\xpm_hck.c

xpm_register_xpm_hooks（）函数添加__init修饰符 。

__init void xpm_register_xpm_hooks(void)
{
	security_add_hooks(xpm_hooks, ARRAY_SIZE(xpm_hooks), "xpm");
}

2、编译问题2：

移除out/laphone目录下kernel 文件夹，执行 touch device/board/hys/laphone/kernel/build_kernel.sh  然后编译。

四、 修改烧录配置文件，解决烧录失败问题

路径：device\board\hys\laphone\pac\ImageFiles\uis7885_2h10.xml 中将updater_a  的值由64改为100

开发者手机二代还需将 boot_a的值由64改为100

五、kasan故障日志分析

见：OpenHarmony_3.2Release_编译Kasan版本指导_zhengxiaobo131202-Laval社区 (csdn.net) 文章中的故障日志分析。