* [PATCH 0/2] KASAN: fix a type conversion error and add test
From: Wang Long @ 2015-09-09 3:59 UTC
To: ryabinin.a.a, adech.fo
Cc: akpm, rusty, long.wanglong, linux-mm, linux-kernel, wanglong, peifeiyue, morgan.wang

Hi,

This patchset fixes a type conversion error in KASAN.

patch 1: this patch adds some out-of-bounds testcases; the current KASAN code cannot find these bugs.

patch 2: fix the type conversion error; with this patch, KASAN could find these out-of-bounds bugs.

Wang Long (2):
  lib: test_kasan: add some testcases
  kasan: Fix a type conversion error

 lib/test_kasan.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 mm/kasan/kasan.c |  2 +-
 2 files changed, 70 insertions(+), 1 deletion(-)

-- 
1.8.3.4

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
* [PATCH 1/2] lib: test_kasan: add some testcases
From: Wang Long @ 2015-09-09 3:59 UTC
To: ryabinin.a.a, adech.fo
Cc: akpm, rusty, long.wanglong, linux-mm, linux-kernel, wanglong, peifeiyue, morgan.wang

This patch adds some out-of-bounds testcases to the test_kasan module.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
---
 lib/test_kasan.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index c1efb1b..c32f3b0 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -138,6 +138,71 @@ static noinline void __init kmalloc_oob_16(void) kfree(ptr2); } +static noinline void __init kmalloc_oob_memset_2(void) +{ + char *ptr; + size_t size = 8; + + pr_info("out-of-bounds in memset2\n"); + ptr = kmalloc(size, GFP_KERNEL); + if (!ptr) { + pr_err("Allocation failed\n"); + return; + } + + memset(ptr+7, 0, 2); + kfree(ptr); +} + +static noinline void __init kmalloc_oob_memset_4(void) +{ + char *ptr; + size_t size = 8; + + pr_info("out-of-bounds in memset4\n"); + ptr = kmalloc(size, GFP_KERNEL); + if (!ptr) { + pr_err("Allocation failed\n"); + return; + } + + memset(ptr+5, 0, 4); + kfree(ptr); +} + + +static noinline void __init kmalloc_oob_memset_8(void) +{ + char *ptr; + size_t size = 8; + + pr_info("out-of-bounds in memset8\n"); + ptr = kmalloc(size, GFP_KERNEL); + if (!ptr) { + pr_err("Allocation failed\n"); + return; + } + + memset(ptr+1, 0, 8); + kfree(ptr); +} + +static noinline void __init kmalloc_oob_memset_16(void) +{ + char *ptr; + size_t size = 16; + + pr_info("out-of-bounds in memset16\n"); + ptr = kmalloc(size, GFP_KERNEL); + if (!ptr) { + pr_err("Allocation failed\n"); + return; + } + + memset(ptr+1, 0, 16); + kfree(ptr); +} + static noinline void __init kmalloc_oob_in_memset(void) { char *ptr; @@ -264,6 +329,10 @@ static int __init kmalloc_tests_init(void) kmalloc_oob_krealloc_less(); kmalloc_oob_16(); kmalloc_oob_in_memset(); + kmalloc_oob_memset_2(); + kmalloc_oob_memset_4(); + kmalloc_oob_memset_8(); + kmalloc_oob_memset_16(); kmalloc_uaf(); kmalloc_uaf_memset(); kmalloc_uaf2(); -- 1.8.3.4
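Review bot: in the @@ -138 hunk, the two consecutive blank lines between the closing `+}` of kmalloc_oob_memset_4() and `+static noinline void __init kmalloc_oob_memset_8(void)` are a checkpatch warning; drop one. More importantly, none of the four new tests says what distinguishes them from the existing kmalloc_oob_in_memset() directly below: each one is built so that the only poisoned shadow granule the write touches is the one holding its last byte (memset(ptr+7, 0, 2) on an 8-byte object, memset(ptr+5, 0, 4) and memset(ptr+1, 0, 8) likewise, memset(ptr+1, 0, 16) on a 16-byte object), the case the cover letter says the current code misses and the case the `(last_byte & KASAN_SHADOW_MASK) >= *last_shadow` comparison in patch 2 decides. A one-line comment above the group stating that would save the next reader a trip through mm/kasan/kasan.c, and would also make clear why memset (a non-constant length) is used rather than a plain out-of-bounds store.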
* Re: [PATCH 1/2] lib: test_kasan: add some testcases
From: Andrey Ryabinin @ 2015-09-09 10:10 UTC
To: Wang Long, ryabinin.a.a, adech.fo
Cc: akpm, rusty, linux-mm, linux-kernel, wanglong, peifeiyue, morgan.wang

On 09/09/2015 06:59 AM, Wang Long wrote:
> This patch add some out of bounds testcases to test_kasan
> module.
>
> Signed-off-by: Wang Long <long.wanglong@huawei.com>

Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
* [PATCH 2/2] kasan: Fix a type conversion error
From: Wang Long @ 2015-09-09 3:59 UTC
To: ryabinin.a.a, adech.fo
Cc: akpm, rusty, long.wanglong, linux-mm, linux-kernel, wanglong, peifeiyue, morgan.wang

The current KASAN code can find the following out-of-bounds bugs:

	char *ptr;
	ptr = kmalloc(8, GFP_KERNEL);
	memset(ptr+7, 0, 2);

The cause of the problem is the type conversion error in the *memory_is_poisoned_n* function. So this patch fixes that.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
---
 mm/kasan/kasan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 7b28e9c..5d65d06 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -204,7 +204,7 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte); if (unlikely(ret != (unsigned long)last_shadow || - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) + ((long)(last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) return true; } return false;
-- 
1.8.3.4
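Review bot: in the @@ -204 hunk the cast is correct but the line gives no hint why it is needed; add a comment above the `if`. `*last_shadow` is an s8, and KASAN's values for a fully poisoned granule (redzone, freed memory) are negative as s8, while `last_byte & KASAN_SHADOW_MASK` is unsigned long; without the cast the usual arithmetic conversions turn the negative shadow byte into a huge unsigned value, the `>=` is false for every offset, and an access whose only poisoned granule is its last one, such as the changelog's memset(ptr+7, 0, 2) on an 8-byte object, is silently missed. The cast also has to stay on the masked value rather than be replaced by declaring last_byte as long, because the mask is unsigned long and would pull the expression back to unsigned, which is what the exchange with Andrey later in this thread arrives at. Finally, the changelog says the current code "can find" these bugs where it means "cannot".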
* Re: [PATCH 2/2] kasan: Fix a type conversion error
From: Vladimir Murzin @ 2015-09-09 9:01 UTC
To: Wang Long, ryabinin.a.a@gmail.com, adech.fo@gmail.com
Cc: akpm@linux-foundation.org, rusty@rustcorp.com.au, linux-mm@kvack.org, linux-kernel@vger.kernel.org, wanglong@laoqinren.net, peifeiyue@huawei.com, morgan.wang@huawei.com

On 09/09/15 04:59, Wang Long wrote:
> The current KASAN code can find the following out-of-bounds

Should it be "cannot"?

Vladimir

> bugs:
> char *ptr;
> ptr = kmalloc(8, GFP_KERNEL);
> memset(ptr+7, 0, 2);
>
> the cause of the problem is the type conversion error in
> *memory_is_poisoned_n* function. So this patch fix that.
>
> Signed-off-by: Wang Long <long.wanglong@huawei.com>
> ---
> mm/kasan/kasan.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index 7b28e9c..5d65d06 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -204,7 +204,7 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, > s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte); > > if (unlikely(ret != (unsigned long)last_shadow || > - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) > + ((long)(last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) > return true; > } > return false; >
* Re: [PATCH 2/2] kasan: Fix a type conversion error
From: long.wanglong @ 2015-09-09 9:25 UTC
To: Vladimir Murzin
Cc: ryabinin.a.a@gmail.com, adech.fo@gmail.com, akpm@linux-foundation.org, rusty@rustcorp.com.au, linux-mm@kvack.org, linux-kernel@vger.kernel.org, wanglong@laoqinren.net, peifeiyue@huawei.com, morgan.wang@huawei.com

On 2015/9/9 17:01, Vladimir Murzin wrote:
> On 09/09/15 04:59, Wang Long wrote:
>> The current KASAN code can find the following out-of-bounds
>
> Should it be "cannot"?
>
> Vladimir
>

Sorry for that mistake; it should be "cannot".

>> bugs:
>> char *ptr;
>> ptr = kmalloc(8, GFP_KERNEL);
>> memset(ptr+7, 0, 2);
>>
>> the cause of the problem is the type conversion error in
>> *memory_is_poisoned_n* function. So this patch fix that.
>>
>> Signed-off-by: Wang Long <long.wanglong@huawei.com>
>> ---
>> mm/kasan/kasan.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
>> index 7b28e9c..5d65d06 100644
>> --- a/mm/kasan/kasan.c
>> +++ b/mm/kasan/kasan.c
>> @@ -204,7 +204,7 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, >> s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte); >> >> if (unlikely(ret != (unsigned long)last_shadow || >> - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) >> + ((long)(last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) >> return true; >> } >> return false; >>
* Re: [PATCH 2/2] kasan: Fix a type conversion error
From: Andrey Ryabinin @ 2015-09-09 9:40 UTC
To: Wang Long
Cc: Andrey Konovalov, Andrew Morton, Rusty Russell, linux-mm@kvack.org, LKML, wanglong, peifeiyue, morgan.wang

2015-09-09 6:59 GMT+03:00 Wang Long <long.wanglong@huawei.com>:
> The current KASAN code can find the following out-of-bounds
> bugs:
> char *ptr;
> ptr = kmalloc(8, GFP_KERNEL);
> memset(ptr+7, 0, 2);
>
> the cause of the problem is the type conversion error in
> *memory_is_poisoned_n* function. So this patch fix that.
>
> Signed-off-by: Wang Long <long.wanglong@huawei.com>
> ---
> mm/kasan/kasan.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
> index 7b28e9c..5d65d06 100644
> --- a/mm/kasan/kasan.c
> +++ b/mm/kasan/kasan.c
> @@ -204,7 +204,7 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, > s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte); > > if (unlikely(ret != (unsigned long)last_shadow || > - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) > + ((long)(last_byte & KASAN_SHADOW_MASK) >= *last_shadow)))

Is there any problem if we just define last_byte as 'long' instead of 'unsigned long'?

> return true; > } > return false; > -- > 1.8.3.4 >
* Re: [PATCH 2/2] kasan: Fix a type conversion error
From: long.wanglong @ 2015-09-09 10:22 UTC
To: Andrey Ryabinin
Cc: Andrey Konovalov, Andrew Morton, Rusty Russell, linux-mm@kvack.org, LKML, wanglong, peifeiyue, morgan.wang

On 2015/9/9 17:40, Andrey Ryabinin wrote:
> 2015-09-09 6:59 GMT+03:00 Wang Long <long.wanglong@huawei.com>:
>> The current KASAN code can find the following out-of-bounds
>> bugs:
>> char *ptr;
>> ptr = kmalloc(8, GFP_KERNEL);
>> memset(ptr+7, 0, 2);
>>
>> the cause of the problem is the type conversion error in
>> *memory_is_poisoned_n* function. So this patch fix that.
>>
>> Signed-off-by: Wang Long <long.wanglong@huawei.com>
>> ---
>> mm/kasan/kasan.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
>> index 7b28e9c..5d65d06 100644
>> --- a/mm/kasan/kasan.c
>> +++ b/mm/kasan/kasan.c
>> @@ -204,7 +204,7 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, >> s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte); >> >> if (unlikely(ret != (unsigned long)last_shadow || >> - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) >> + ((long)(last_byte & KASAN_SHADOW_MASK) >= *last_shadow)))
>
> Is there any problem if we just define last_byte as 'long' instead of
> 'unsigned long' ?

Yes, I think it is not OK, because in my test, if we define last_byte as 'long' instead of 'unsigned long', the bug we talk about cannot be found.

>
>> return true; >> } >> return false; >> -- >> 1.8.3.4 >>
* Re: [PATCH 2/2] kasan: Fix a type conversion error
From: Andrey Ryabinin @ 2015-09-09 10:48 UTC
To: long.wanglong, Andrey Ryabinin
Cc: Andrey Konovalov, Andrew Morton, Rusty Russell, linux-mm@kvack.org, LKML, wanglong, peifeiyue, morgan.wang

On 09/09/2015 01:22 PM, long.wanglong wrote:
> On 2015/9/9 17:40, Andrey Ryabinin wrote:
>> 2015-09-09 6:59 GMT+03:00 Wang Long <long.wanglong@huawei.com>:
>>> The current KASAN code can find the following out-of-bounds
>>> bugs:
>>> char *ptr;
>>> ptr = kmalloc(8, GFP_KERNEL);
>>> memset(ptr+7, 0, 2);
>>>
>>> the cause of the problem is the type conversion error in
>>> *memory_is_poisoned_n* function. So this patch fix that.
>>>
>>> Signed-off-by: Wang Long <long.wanglong@huawei.com>
>>> ---
>>> mm/kasan/kasan.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
>>> index 7b28e9c..5d65d06 100644
>>> --- a/mm/kasan/kasan.c
>>> +++ b/mm/kasan/kasan.c
>>> @@ -204,7 +204,7 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, >>> s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte); >>> >>> if (unlikely(ret != (unsigned long)last_shadow || >>> - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) >>> + ((long)(last_byte & KASAN_SHADOW_MASK) >= *last_shadow)))
>>
>> Is there any problem if we just define last_byte as 'long' instead of
>> 'unsigned long' ?
>
> yes, I think it is not OK, because on my test, if we define last_byte as 'long'
> instead of 'unsigned long', the bug we talk about can not be found.
>

Ah, right, even if we declare last_byte as signed, 'last_byte & KASAN_SHADOW_MASK' will still be unsigned, so this won't work.

So, please, fix up the changelog according to Vladimir, and you may consider this patch

Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
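The promotion Andrey describes is easy to see outside the kernel. The following is an added example, not code from this thread or from the kernel tree: a user-space C model of the tail of memory_is_poisoned_n() that keeps the operand types of the comparison as they are in mm/kasan/kasan.c and drops everything else. The 64-byte region starting at address 0, the shadow array, and the poison_alloc() and model_memset() helpers are this example's own assumptions; the real kernel maps addresses to shadow through an offset, which is left out here. Each row of the table is one of the memset patterns from the test patch, checked against both forms of the comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the tail check in memory_is_poisoned_n() (mm/kasan/kasan.c).
 * Constructed for illustration: no shadow offset, a 64-byte "address
 * space" starting at 0, and names that are this model's own. The types
 * on both sides of the `>=` are kept exactly as in the kernel.
 */
#define SHADOW_SCALE_SHIFT 3
#define SHADOW_SCALE_SIZE  (1UL << SHADOW_SCALE_SHIFT)  /* unsigned long, as in the kernel */
#define SHADOW_MASK        (SHADOW_SCALE_SIZE - 1)      /* therefore also unsigned long */
#define REDZONE            ((int8_t)0xFC)               /* fully poisoned granule: negative as s8 */

#define REGION_BYTES 64
static int8_t shadow[REGION_BYTES / SHADOW_SCALE_SIZE];

/* One shadow byte covers SHADOW_SCALE_SIZE bytes of the region. */
static int8_t *mem_to_shadow(unsigned long off)
{
	return &shadow[off >> SHADOW_SCALE_SHIFT];
}

/* Address of the first non-zero shadow byte in [start, end), or 0 if all are zero. */
static unsigned long memory_is_zero(const int8_t *start, const int8_t *end)
{
	for (const int8_t *p = start; p < end; p++)
		if (*p)
			return (unsigned long)p;
	return 0;
}

/*
 * Poison the shadow as the allocator would for an object of `size` bytes
 * at offset 0: 0 for fully accessible granules, the count of accessible
 * bytes for a trailing partial granule, REDZONE for everything after.
 */
static void poison_alloc(size_t size)
{
	size_t i;

	memset(shadow, REDZONE, sizeof(shadow));
	for (i = 0; i < size / SHADOW_SCALE_SIZE; i++)
		shadow[i] = 0;
	if (size % SHADOW_SCALE_SIZE)
		shadow[i] = (int8_t)(size % SHADOW_SCALE_SIZE);
}

/* The check under discussion; `fixed` selects the patched comparison. */
static bool memory_is_poisoned_n(unsigned long addr, size_t size, bool fixed)
{
	unsigned long ret = memory_is_zero(mem_to_shadow(addr),
					   mem_to_shadow(addr + size - 1) + 1);

	if (ret) {
		unsigned long last_byte = addr + size - 1;
		int8_t *last_shadow = mem_to_shadow(last_byte);

		/* A granule before the last one is poisoned: always a hit. */
		if (ret != (unsigned long)last_shadow)
			return true;

		/*
		 * Only the last granule is non-zero: a positive "first N bytes
		 * accessible" count or a negative poison value. The offset of
		 * last_byte inside the granule must be compared as a signed
		 * number for the negative case to be reported.
		 */
		if (fixed)
			return (long)(last_byte & SHADOW_MASK) >= *last_shadow;

		/*
		 * Pre-patch: int8_t promotes to int, then to unsigned long to
		 * match the left operand, so REDZONE (-4) becomes ULONG_MAX - 3
		 * and the comparison is false for every offset.
		 */
		return (last_byte & SHADOW_MASK) >= *last_shadow;
	}
	return false;
}

/* Model memset(ptr + off, 0, len) on a kmalloc(alloc) object: 1 = reported, 0 = missed. */
static int model_memset(size_t alloc, unsigned long off, size_t len, bool fixed)
{
	poison_alloc(alloc);
	return memory_is_poisoned_n(off, len, fixed) ? 1 : 0;
}

int main(void)
{
	static const struct { size_t alloc, off, len; const char *what; } cases[] = {
		{ 8,  7,  2, "kmalloc_oob_memset_2: last byte lands in the redzone granule" },
		{ 8,  1,  8, "kmalloc_oob_memset_8: same, 8-byte write" },
		{ 16, 1, 16, "kmalloc_oob_memset_16: same, object spans two granules" },
		{ 8,  0, 24, "long overrun: a redzone granule before the last one" },
		{ 5,  3,  3, "partial granule, positive shadow byte: offset 5 >= 5" },
		{ 5,  0,  5, "partial granule, in bounds: offset 4 < 5" },
		{ 8,  0,  8, "in bounds: shadow is all zero" },
	};

	printf("%-62s %8s %8s\n", "access", "original", "patched");
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-62s %8d %8d\n", cases[i].what,
		       model_memset(cases[i].alloc, cases[i].off, cases[i].len, false),
		       model_memset(cases[i].alloc, cases[i].off, cases[i].len, true));
	return 0;
}
```

The "original" column misses exactly the rows where the redzone granule is the last one the write touches, which is the pattern all four new tests share, while the long overrun is caught either way because the `ret != last_shadow` test fires first and the positive partial-granule count compares correctly in both forms. Declaring last_byte as long would change nothing here because SHADOW_MASK is unsigned long and the `&` result is converted back to unsigned long before the comparison.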
* [PATCH v2] kasan: Fix a type conversion error
From: Wang Long @ 2015-09-09 11:04 UTC
To: ryabinin.a.a, adech.fo
Cc: akpm, rusty, long.wanglong, linux-mm, linux-kernel, wanglong, peifeiyue, morgan.wang

The current KASAN code cannot find the following out-of-bounds bugs:

	char *ptr;
	ptr = kmalloc(8, GFP_KERNEL);
	memset(ptr+7, 0, 2);

The cause of the problem is the type conversion error in the *memory_is_poisoned_n* function. So this patch fixes that.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 mm/kasan/kasan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 7b28e9c..5d65d06 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -204,7 +204,7 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte); if (unlikely(ret != (unsigned long)last_shadow || - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) + ((long)(last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) return true; } return false;
-- 
1.8.3.4
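Review bot: v2 corrects "can find" to "cannot find" but the changelog still names the defect only as "the type conversion error", without the rule that makes this a one-cast fix and that the thread had to work out: `*last_shadow` is an s8 that is negative for a fully poisoned granule, `last_byte & KASAN_SHADOW_MASK` is unsigned long, so the s8 is converted to unsigned long and the `>=` never holds. Record that in the commit message, together with the reason `long last_byte` is not an alternative (the mask keeps the `&` result unsigned), so the next person reading `git log -p` on this line does not have to re-ask Andrey's question.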
Thread overview: 10+ messages
2015-09-09  3:59 [PATCH 0/2] KASAN: fix a type conversion error and add test  Wang Long
2015-09-09  3:59 ` [PATCH 1/2] lib: test_kasan: add some testcases  Wang Long
2015-09-09 10:10   ` Andrey Ryabinin
2015-09-09  3:59 ` [PATCH 2/2] kasan: Fix a type conversion error  Wang Long
2015-09-09  9:01   ` Vladimir Murzin
2015-09-09  9:25     ` long.wanglong
2015-09-09  9:40   ` Andrey Ryabinin
2015-09-09 10:22     ` long.wanglong
2015-09-09 10:48       ` Andrey Ryabinin
2015-09-09 11:04         ` [PATCH v2] kasan: Fix a type conversion error  Wang Long