Using Kasan with KEXT

Hello,
I am developing a kernel extension and I want to load it with kernel sanitizers in order to find potential bugs.
After downloading the Debug Kit for macOS 10.13.5 (17F77) and changing the boot-args to load the kernel.kasan build, I am not able to get the kext, compiled in Xcode with ASan support (Edit Scheme -> Diagnostics -> Address Sanitizer), to load.
Although I can successfully load com.apple.kpi.kasan (from System.kext), when loading my kext I get the following errors:

(kernel) kxld[com.test.kext]: The following symbols are unresolved for this kext:
(kernel) kxld[com.test.kext]: ___asan_after_dynamic_init
(kernel) kxld[com.test.kext]: ___asan_before_dynamic_init
(kernel) kxld[com.test.kext]: ___asan_init
(kernel) kxld[com.test.kext]: ___asan_memcpy
(kernel) kxld[com.test.kext]: ___asan_memset
(kernel) kxld[com.test.kext]: ___asan_option_detect_stack_use_after_return
(kernel) kxld[com.test.kext]: ___asan_register_image_globals
(kernel) kxld[com.test.kext]: ___asan_report_load1
(kernel) kxld[com.test.kext]: ___asan_report_load2
(kernel) kxld[com.test.kext]: ___asan_report_load4
(kernel) kxld[com.test.kext]: ___asan_report_load8
(kernel) kxld[com.test.kext]: ___asan_report_load_n
(kernel) kxld[com.test.kext]: ___asan_report_store1
(kernel) kxld[com.test.kext]: ___asan_report_store2
(kernel) kxld[com.test.kext]: ___asan_report_store4
(kernel) kxld[com.test.kext]: ___asan_report_store8
(kernel) kxld[com.test.kext]: ___asan_report_store_n
(kernel) kxld[com.test.kext]: ___asan_set_shadow_00
(kernel) kxld[com.test.kext]: ___asan_set_shadow_f5
(kernel) kxld[com.test.kext]: ___asan_set_shadow_f8
(kernel) kxld[com.test.kext]: ___asan_stack_free_5
(kernel) kxld[com.test.kext]: ___asan_stack_malloc_0
(kernel) kxld[com.test.kext]: ___asan_stack_malloc_1
(kernel) kxld[com.test.kext]: ___asan_stack_malloc_2
(kernel) kxld[com.test.kext]: ___asan_stack_malloc_3
(kernel) kxld[com.test.kext]: ___asan_stack_malloc_5
(kernel) kxld[com.test.kext]: ___asan_unregister_image_globals
(kernel) kxld[com.test.kext]: ___asan_version_mismatch_check_apple_902
(kernel) Can't load kext com.test.kext - link failed.

mini-mac:Debug user$ uname -a
Darwin mini-mac.local 17.6.0 Darwin Kernel Version 17.6.0: Tue May  8 15:22:16 PDT 2018; root:xnu_kasan-4570.61.1~1/KASAN_X86_64 x86_64

Is it possible to force my kext to resolve these symbols, or is there another way to use AddressSanitizer on kernel extensions?

Replies

Is it possible to force my kext to resolve these symbols, or is there another way to use AddressSanitizer on kernel extensions?

I do not, alas, have suggestions for you. If no one else chimes in my recommendation is that you open a DTS tech support incident and chat with DTS’s KEXT specialist about this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

I have the same issue. I would like to test a kernel extension against memory corruption issues.

- Is it correct that it is sufficient to use kernel.kasan without using special options when building the kernel extension?

- Is there any documentation about testing a kext with kernel.kasan (the kernel with ASan support)?


Regards,

Karl

Someone did open a DTS tech support incident about this (I’m not sure if it was ricardo2197 or not) and one of my colleagues, who specialises in kernel stuff, took the incident and did a bunch of research on it. Alas, he’s out of the office right now, otherwise I’d encourage him to respond here. In the meantime, at the end of this email you’ll find a bunch of relevant snippets from his responses.

I have to stress that I didn’t try this myself, nor do I have any direct experience with it. If you get stuck you should open your own TSI and I, or one of my colleagues, can look at your issue in depth.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Instead of a build configuration, the Kasan support expects a build variant called "kasan". [In] your target’s build settings set BUILD_VARIANTS to "normal kasan". Then add a user-defined build setting named OTHER_CFLAGS_kasan and set it to $(KASAN_DEFAULT_CFLAGS).

Do a normal build of your KEXT. If this worked, your KEXT bundle will contain two executables, a normal one and a second one with a "_kasan" suffix.

The Kasan support is not in the shipping version of the kernel, but is in the kernel_kasan version that is included in the Kernel Debug Kit. […]

Use the instructions in the Kernel Debug Kit Readme for installing the development or debug kernel to install the Kasan version. Be sure to disable System Integrity Protection and to set [the] kcsuffix=kasan [boot argument].

You also need to add Kasan support to the System.kext pseudo-extension that is used to find symbols at link/load time. Copy /Library/Developer/KDKs/KDK_***.kdk/System/Library/Extensions/System.kext/PlugIns/Kasan.kext/Kasan_kasan [where *** matches the target system version] to /System/Library/Extensions/System.kext/Plugins/Kasan.kext.

To turn off Kasan support, remove Kasan_kasan from System.kext and follow the instructions in the KDK Readme to switch back to the production kernel.

If a Kasan kernel is booted, Kasan is running and enabled. There is no way to turn off Kasan without switching kernels. To check if the Kasan kernel is running:

$ sysctl kern.kasan.available
kern.kasan.available: 1

When a Kasan violation occurs, the kernel will print some diagnostics before panicking. This includes basic information about the invalid access, including the address, width, and direction. Also shown is the address and value of the corresponding shadow, and the context of the shadow map around the invalid access. The backtrace generated in the normal panic process can be used to determine the offending instruction.

You can confirm that the Kasan-enabled version of your KEXT is loaded by comparing the UUID from kextstat with the UUID of the <KEXT>_kasan binary. For example:
$ dwarfdump -u /Library/Extensions/HelloIOKit.kext/Contents/MacOS/HelloIOKit_kasan 
UUID: 97BAB606-7D55-38FB-869B-DB96CB77D477 (x86_64) /Library/Extensions/HelloIOKit.kext/Contents/MacOS/HelloIOKit_kasan
$ kextstat | grep Hello
  163    0 0xffffff7f81e77000 0xa000     0xa000     com.example.apple-samplecode.driver.HelloIOKit (1) 97BAB606-7D55-38FB-869B-DB96CB77D477 <162 5 4 3>

In my testing, I needed to put my KEXT in /Library/Extensions and reboot. kextutil doesn’t appear to be able to load the kasan variant.
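An added example, not from this thread and not Apple's or DTS's code: a POSIX shell script that scripts the two checks described in the snippets above, namely whether the KASAN kernel is booted (kern.kasan.available) and whether the UUID of the <KEXT>_kasan binary reported by dwarfdump matches the UUID kextstat shows for the loaded bundle. The dwarfdump, kextstat and sysctl lines embedded in the script are constructed from the values quoted above so the parsing runs offline; the run_live function, its arguments and the HelloIOKit path are assumptions for use on a real macOS machine.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the kernel booted with KASAN
# and that the KASAN variant of a KEXT is the one actually loaded, by comparing
# the UUID dwarfdump reports for <KEXT>_kasan with the UUID in kextstat output.

# Constructed sample: the `dwarfdump -u <kext>_kasan` line quoted in the thread.
SAMPLE_DWARFDUMP='UUID: 97BAB606-7D55-38FB-869B-DB96CB77D477 (x86_64) /Library/Extensions/HelloIOKit.kext/Contents/MacOS/HelloIOKit_kasan'

# Constructed sample: the matching `kextstat | grep Hello` line from the thread.
SAMPLE_KEXTSTAT='  163    0 0xffffff7f81e77000 0xa000     0xa000     com.example.apple-samplecode.driver.HelloIOKit (1) 97BAB606-7D55-38FB-869B-DB96CB77D477 <162 5 4 3>'

# Constructed sample: sysctl output on a KASAN kernel.
SAMPLE_SYSCTL='kern.kasan.available: 1'

# Extract the UUID from a `dwarfdump -u` line of the form "UUID: <uuid> (<arch>) <path>".
dwarfdump_uuid() {
    printf '%s\n' "$1" | sed -n 's/^UUID: \([0-9A-Fa-f-]*\) .*/\1/p'
}

# Extract the UUID from a kextstat line: it is the field right after "(<version>)".
kextstat_uuid() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\(.*\)$/) { print $(i+1); exit } }'
}

# Print 1 if the sysctl line says the KASAN kernel is running, 0 otherwise.
kasan_kernel_booted() {
    case "$1" in
        'kern.kasan.available: 1') echo 1 ;;
        *) echo 0 ;;
    esac
}

# Print "match" when both UUIDs were found and are equal, "mismatch" otherwise.
# A mismatch means the kernel loaded the normal executable, not the _kasan one.
kasan_variant_loaded() {
    a=$(dwarfdump_uuid "$1")
    b=$(kextstat_uuid "$2")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Live check on a macOS machine (assumed usage; the commands exist only on macOS,
# so this function is defined but not called here).
#   run_live /Library/Extensions/HelloIOKit.kext/Contents/MacOS/HelloIOKit_kasan \
#            com.example.apple-samplecode.driver.HelloIOKit
run_live() {
    kext_bin="$1"    # path to the <KEXT>_kasan executable inside the bundle
    bundle_id="$2"   # bundle identifier as shown by kextstat
    kasan_kernel_booted "$(sysctl kern.kasan.available)"
    kasan_variant_loaded "$(dwarfdump -u "$kext_bin")" "$(kextstat | grep "$bundle_id")"
}

# Offline demonstration on the constructed samples.
kasan_kernel_booted "$SAMPLE_SYSCTL"
kasan_variant_loaded "$SAMPLE_DWARFDUMP" "$SAMPLE_KEXTSTAT"
```

The UUID comparison is the only reliable signal here: the bundle identifier and version in kextstat are identical for the normal and _kasan executables, so only the UUID tells you which one the kernel linked.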

While this builds correctly, it does not load the kasan variant. When I tried to change the Info.plist in the kext to explicitly load the kasan variant, I get a kernel panic:

Debugger called: 
panic(cpu 0 caller 0xffffff7f9b3f37dc): __func__ ": unsupported API\n"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu_kasan/xnu-4570.71.2/san/kasan.c:1312
Backtrace (CPU 0), Frame : Return Address
0xffffff80759ef2a0 : 0xffffff8019841a4d
0xffffff80759ef2f0 : 0xffffff8019b8c0be
0xffffff80759ef330 : 0xffffff8019b780fd
0xffffff80759ef640 : 0xffffff8019b92a20
0xffffff80759ef660 : 0xffffff8019841ef9
0xffffff80759ef7a0 : 0xffffff801984143c
0xffffff80759ef800 : 0xffffff7f9b3f37dc
0xffffff80759ef890 : 0xffffff801a95d4af
0xffffff80759ef9d0 : 0xffffff801a955040
0xffffff80759efad0 : 0xffffff801a94fe4b
0xffffff80759efbc0 : 0xffffff801a954a27
0xffffff80759efc00 : 0xffffff801aa7946c
0xffffff80759efc30 : 0xffffff801aa2b8af
0xffffff80759efd70 : 0xffffff801aa1d582
0xffffff80759efe90 : 0xffffff801aa2f8ff
0xffffff80759effa0 : 0xffffff8019b627d7
      Kernel Extensions in backtrace:
         com.bit9.Kernel(7.2.3f11)[5E4528CE-DE13-3A82-9548-2FE9CD09B8C9]@0xffffff7f9b3f0000->0xffffff7f9b41cfff
            dependency: com.bit9.KernelKauth(7.2.3fc11)[ABF7579C-9451-3DF9-B057-2E4351AFE893]@0xffffff7f9b3e4000
            dependency: com.bit9.KernelSupport(7.2.3fc11)[B9E7C4D0-455B-363E-AE48-F5439FFD2682]@0xffffff7f9b2f0000

BSD process name corresponding to current thread: Unknown
Boot args: kext-dev-mode=1 debug=0x14C kcsuffix=kasan -v

Mac OS version:
Not yet set

Kernel version:
Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:36 PDT 2018; root:xnu_kasan-4570.71.2~1/KASAN_X86_64
Kernel UUID: AE78C90E-FE17-386D-AB00-2739D47BFAC2
Kernel slide:     0x0000000019400000
Kernel text base: 0xffffff8019600000
__HIB  text base: 0xffffff8019500000


Any ideas as to where I've gone wrong?

Any ideas as to where I've gone wrong?

No, sorry. I think ricardo2197 might have got this working, so hopefully they’ll reply based on their experience.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Was there any luck in getting this to work?