From: Andrey Konovalov <andreyknvl@google.com>
To: Andrey Ryabinin <ryabinin.a.a@gmail.com>, Andrew Morton <akpm@linux-foundation.org>, Rusty Russell <rusty@rustcorp.com.au>, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: dvyukov@google.com, glider@google.com, kcc@google.com, Andrey Konovalov <andreyknvl@google.com>
Subject: [PATCH v2 3/7] kasan: accurately determine the type of the bad access
Date: Mon, 14 Sep 2015 15:46:04 +0200
Message-ID: <7a7cd737b0dd19b9f956df4fba6b6dbff964ddbd.1442238094.git.andreyknvl@google.com>
In-Reply-To: <cover.1442238094.git.andreyknvl@google.com>

Makes KASAN accurately determine the type of the bad access.

If the shadow byte value is in the [0, KASAN_SHADOW_SCALE_SIZE) range we can look at the next shadow byte to determine the type of the access.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/report.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index cdf4c31..be53a8f 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -50,15 +50,26 @@ static const void *find_first_bad_addr(const void *addr, size_t size) static void print_error_description(struct kasan_access_info *info) { const char *bug_type = "unknown-crash"; - u8 shadow_val; + u8 *shadow_addr; info->first_bad_addr = find_first_bad_addr(info->access_addr, info->access_size); - shadow_val = *(u8 *)kasan_mem_to_shadow(info->first_bad_addr); + shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr); - switch (shadow_val) { + /* + * If shadow byte value is in [0, KASAN_SHADOW_SCALE_SIZE) we can look + * at the next shadow byte to determine the type of the bad access. + */ + if (*shadow_addr > 0 && *shadow_addr <= KASAN_SHADOW_SCALE_SIZE - 1) + shadow_addr++; + + switch (*shadow_addr) { case 0 ... KASAN_SHADOW_SCALE_SIZE - 1: + /* + * In theory it's still possible to see these shadow values + * due to a data race in the kernel code. + */ bug_type = "out-of-bounds"; break; case KASAN_PAGE_REDZONE: -- 2.6.0.rc0.131.gf624c3d
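Review bot: the range named in the new comment and in the commit message, [0, KASAN_SHADOW_SCALE_SIZE), does not match the condition `if (*shadow_addr > 0 && *shadow_addr <= KASAN_SHADOW_SCALE_SIZE - 1)`, which deliberately leaves 0 out. Leaving 0 out is right: a zero shadow byte means the whole granule is addressable, so find_first_bad_addr() only lands on one when the shadow changed under the reporter's feet, and the next byte says nothing about such an access. Say that in the comment and write the upper bound as `*shadow_addr < KASAN_SHADOW_SCALE_SIZE` so the code reads like the range it documents. Also, `*shadow_addr` is now dereferenced three times (twice in the condition, once in the `switch`), so the value that is classified need not be the value that was tested; load it once into a local, e.g. `u8 shadow_val = *shadow_addr;`, and decide whether to advance on that copy, which also keeps the "data race" comment under `case 0 ... KASAN_SHADOW_SCALE_SIZE - 1:` honest about which read it refers to.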
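To make the effect of the patch concrete, here is an added user-space model of the shadow lookup in print_error_description(), showing the classification before and after the change side by side. It is example code written for this page, not the kernel's code and not part of the patch: the 64-byte "kernel" region and its shadow bytes are constructed inline, the poisoning helpers only imitate what kasan_kmalloc() and kasan_slab_free() do to the shadow, the bug-type strings are this example's own, and the shadow constants are assumed to mirror the values in mm/kasan/kasan.h of that era.

```c
/*
 * Added example, not kernel code and not part of the patch: a user-space
 * model of the shadow lookup in print_error_description(). Shadow
 * constants are assumed to mirror mm/kasan/kasan.h of the time; the
 * region and its shadow bytes are constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_SCALE_SIZE  (1UL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_PAGE_REDZONE    0xFE   /* assumed to match kasan.h */
#define KASAN_KMALLOC_REDZONE 0xFC
#define KASAN_KMALLOC_FREE    0xFB

#define REGION_SIZE 64
#define SHADOW_SIZE (REGION_SIZE / KASAN_SHADOW_SCALE_SIZE)

static uint8_t region[REGION_SIZE];
static uint8_t shadow[SHADOW_SIZE + 1]; /* +1: a "next byte" past the last granule */

static uint8_t *mem_to_shadow(const void *addr)
{
	size_t off = (const uint8_t *)addr - region;
	return &shadow[off >> KASAN_SHADOW_SCALE_SHIFT];
}

/* Model of kasan_kmalloc(): `size` bytes at offset 0, kmalloc redzone after it,
 * a trailing partial granule marked with its count of addressable bytes. */
static void poison_kmalloc(size_t size)
{
	size_t i;
	memset(shadow, KASAN_KMALLOC_REDZONE, sizeof shadow);
	shadow[SHADOW_SIZE] = KASAN_PAGE_REDZONE;
	for (i = 0; i < size / KASAN_SHADOW_SCALE_SIZE; i++)
		shadow[i] = 0;
	if (size % KASAN_SHADOW_SCALE_SIZE)
		shadow[i] = size % KASAN_SHADOW_SCALE_SIZE;
}

/* Model of kasan_slab_free(): every granule the object covered is free-poisoned. */
static void poison_free(size_t size)
{
	memset(shadow, KASAN_KMALLOC_FREE,
	       (size + KASAN_SHADOW_SCALE_SIZE - 1) / KASAN_SHADOW_SCALE_SIZE);
}

/* Same walk as the kernel's find_first_bad_addr(): skip fully addressable
 * granules until a poisoned one, or the end of the access, is reached. */
static const void *find_first_bad_addr(const void *addr, size_t size)
{
	const uint8_t *p = addr;
	while (*mem_to_shadow(p) == 0 && p < (const uint8_t *)addr + size)
		p += KASAN_SHADOW_SCALE_SIZE;
	return p;
}

/* The switch in print_error_description(); the bug names are this example's. */
static const char *bug_type_for(uint8_t shadow_val)
{
	if (shadow_val < KASAN_SHADOW_SCALE_SIZE)
		return "out-of-bounds";  /* partial granule, or a racy zero */
	switch (shadow_val) {
	case KASAN_PAGE_REDZONE:
	case KASAN_KMALLOC_REDZONE:
		return "slab-out-of-bounds";
	case KASAN_KMALLOC_FREE:
		return "use-after-free";
	default:
		return "unknown-crash";
	}
}

/* Before the patch: classify by the first bad address's own shadow byte. */
const char *bug_type_old(const void *addr, size_t size)
{
	return bug_type_for(*mem_to_shadow(find_first_bad_addr(addr, size)));
}

/* After the patch: a value in (0, 8) only says how many leading bytes of the
 * granule are addressable; the bytes past them belong to the next granule. */
const char *bug_type_new(const void *addr, size_t size)
{
	uint8_t *s = mem_to_shadow(find_first_bad_addr(addr, size));
	if (*s > 0 && *s <= KASAN_SHADOW_SCALE_SIZE - 1)
		s++;
	return bug_type_for(*s);
}

int main(void)
{
	poison_kmalloc(13); /* shadow: 00 05 fc fc ... ; byte 13 is in the redzone */
	printf("kmalloc(13), read [13,14): old=%s new=%s\n",
	       bug_type_old(region + 13, 1), bug_type_new(region + 13, 1));
	printf("kmalloc(13), read [0,16):  old=%s new=%s\n",
	       bug_type_old(region, 16), bug_type_new(region, 16));
	poison_free(16);    /* shadow: fb fb fc ... ; nothing to look past */
	printf("kfree(), read [3,7):       old=%s new=%s\n",
	       bug_type_old(region + 3, 4), bug_type_new(region + 3, 4));
	return 0;
}
```

The 13-byte object is the interesting case: its second granule has shadow value 5, so a read of byte 13 stops at that granule and the old code can only say "out-of-bounds", while the patched logic steps to the next shadow byte (0xfc) and names the kmalloc redzone. The freed object shows the other branch: the first bad shadow byte is already a poison value, so the lookup is unchanged.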
Thread overview (16+ messages):

2015-09-14 13:46 [PATCH v2 0/7] kasan: various fixes  Andrey Konovalov
2015-09-14 13:46 ` [PATCH v2 1/7] kasan: update reported bug types for not user nor kernel memory accesses  Andrey Konovalov
2015-09-14 13:46 ` [PATCH v2 2/7] kasan: update reported bug types for "  Andrey Konovalov
2015-09-14 13:46 ` [PATCH v2 3/7] kasan: accurately determine the type of the bad access  Andrey Konovalov [this message]
2015-09-14 13:46 ` [PATCH v2 4/7] kasan: update log messages  Andrey Konovalov
2015-09-14 13:46 ` [PATCH v2 5/7] kasan: various fixes in documentation  Andrey Konovalov
2015-09-14 13:46 ` [PATCH v2 6/7] kasan: move KASAN_SANITIZE in arch/x86/boot/Makefile  Andrey Konovalov
2015-09-14 13:46 ` [PATCH v2 7/7] kasan: update reference to kasan prototype repo  Andrey Konovalov