The Linux 5.12 kernel adopted the KFence subsystem to detect memory errors

The Linux 5.12 kernel, currently under development, includes an implementation of the KFence mechanism (Kernel Electric Fence), which checks memory operations and catches buffer overruns, use-after-free accesses, and other errors of this class.

Similar functionality was already present in the kernel in the form of the KASAN build option (Kernel Address Sanitizer, which relies on the Address Sanitizer support in modern gcc and clang), but it was intended mainly for debugging. KFence differs from KASAN in its high speed of operation (low overhead), which makes it possible to enable the feature even on kernels running in production systems.

Enabling it on production systems makes it possible to catch memory errors that do not show up in test runs and only surface under real workloads or during long-running operation (large uptime). In addition, using KFence on production systems significantly increases the number of machines that take part in checking the kernel's handling of memory.

KFence keeps its overhead minimal and independent of load by allocating guarded pages at fixed intervals. When the current protection interval expires, KFence hands out one more protected page from the pool of KFence objects through the standard memory allocator (SLAB or SLUB) and restarts the timer. Each KFence object is placed in a separate memory page, and the memory pages along its left and right borders serve as guard pages, whose size is chosen randomly.

Thus, pages holding objects are separated from each other by guard pages, which are configured to raise a "page fault" on any access. To detect out-of-bounds writes that stay inside an object's page, additional pattern-based "red zones" are used; they occupy the memory not used by the object, i.e. the remainder left over when the object is padded to a whole memory page.

---+-----------+-----------+-----------+-----------+-----------+---
   | xxxxxxxxx | O :       | xxxxxxxxx |       : O | xxxxxxxxx |
   | xxxxxxxxx | B :       | xxxxxxxxx |       : B | xxxxxxxxx |
   | x GUARD x | J : RED-  | x GUARD x |  RED- : J | x GUARD x |
   | xxxxxxxxx | E :  ZONE | xxxxxxxxx |  ZONE : E | xxxxxxxxx |
   | xxxxxxxxx | C :       | xxxxxxxxx |       : C | xxxxxxxxx |
   | xxxxxxxxx | T :       | xxxxxxxxx |       : T | xxxxxxxxx |
---+-----------+-----------+-----------+-----------+-----------+---

If an access goes outside the buffer's boundaries, it lands on a guard page, which triggers a "page fault" that KFence intercepts; KFence then writes a report about the detected problem to the log. By default, KFence does not stop on an error and only prints a warning to the log, but the "panic_on_warn" setting is provided, which puts the kernel into a crash state (panic) when an error is detected.
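The guard-page and red-zone scheme described above can be modelled in userspace with mmap and mprotect. The following C program is an added example, not KFence's own code: it places one object in its own page between two PROT_NONE guard pages, fills the unused rest of the page with a constructed canary pattern, and reports whether a probe write landed on a guard page (caught by the SIGSEGV/SIGBUS handler, the userspace counterpart of KFence intercepting the page fault) or merely clobbered the red zone (caught on inspection). It assumes a POSIX system; REDZONE_BYTE and all function and struct names are this example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define REDZONE_BYTE 0xAA   /* constructed canary pattern; KFence uses its own */
static sigjmp_buf fault_env; static volatile sig_atomic_t fault_seen;
/* Stand-in for KFence intercepting the page fault: record it and unwind to the probe. */
static void on_fault(int sig) { (void)sig; fault_seen = 1; siglongjmp(fault_env, 1); }
/* One slot: [guard page][object page][guard page]; object at page start, rest = red zone. */
struct gobj { uint8_t *base; size_t page; size_t size; };
static int guarded_alloc(struct gobj *g, size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (size == 0 || size > page) return -1;
    uint8_t *m = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    mprotect(m, page, PROT_NONE);                        /* left guard page  */
    mprotect(m + 2 * page, page, PROT_NONE);             /* right guard page */
    memset(m + page + size, REDZONE_BYTE, page - size);  /* red zone         */
    g->base = m; g->page = page; g->size = size;
    return 0;
}
/* 1 if a small overflow that stayed inside the object page clobbered the red zone. */
static int redzone_corrupted(const struct gobj *g) {
    for (size_t i = g->size; i < g->page; i++)
        if (g->base[g->page + i] != REDZONE_BYTE) return 1;
    return 0;
}
/* Write one byte at object offset off; returns 1 if the write hit a guard page (fault). */
static int probe_write(const struct gobj *g, long off) {
    struct sigaction sa, old_segv, old_bus; memset(&sa, 0, sizeof sa); sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv); sigaction(SIGBUS, &sa, &old_bus); fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) { volatile uint8_t *p = g->base + g->page; p[off] = 0x42; }
    sigaction(SIGSEGV, &old_segv, NULL); sigaction(SIGBUS, &old_bus, NULL);
    return fault_seen;
}
/* Bitmask: 8 in-bounds write silent, 4 in-page overflow caught by the red zone,
 * 1 left guard page faulted, 2 right guard page faulted; all four observed gives 15. */
static int kfence_demo(void) {
    struct gobj g; int r = 0;
    if (guarded_alloc(&g, 100) != 0) return -1;
    if (probe_write(&g, 50) == 0 && !redzone_corrupted(&g)) r |= 8;
    if (probe_write(&g, (long)g.size) == 0 && redzone_corrupted(&g)) r |= 4;
    if (probe_write(&g, -1)) r |= 1;
    if (probe_write(&g, (long)g.page)) r |= 2;
    munmap(g.base, 3 * g.page);
    return r;
}
```

The red-zone check only fires on inspection, which is why KFence pairs it with guard pages that trap the large overruns immediately.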

Source: opennet.ru
