Skip to content
GitLab
Projects Groups Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
  • Sign in
  • L linux-iv
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Locked Files
  • Issues 0
    • Issues 0
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 0
    • Merge requests 0
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
    • Test Cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Container Registry
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • linux-arm
  • linux-iv
  • Repository
Switch branch/tag
  • linux-iv
  • mm
  • kasan
  • common.c
Find file BlameHistoryPermalink
  • Walter Wu's avatar
    kasan: detect negative size in memory operation function · 8cceeff4
    Walter Wu authored Apr 01, 2020
    Patch series "fix the missing underflow in memory operation function", v4.
    
    The patchset helps to produce a KASAN report when size is negative in
    memory operation functions.  It is helpful for programmer to solve an
    undefined behavior issue.  Patch 1 based on Dmitry's review and
    suggestion, patch 2 is a test in order to verify the patch 1.
    
    [1]https://bugzilla.kernel.org/show_bug.cgi?id=199341
    [2]https://lore.kernel.org/linux-arm-kernel/20190927034338.15813-1-walter-zh.wu@mediatek.com/
    
    This patch (of 2):
    
    KASAN missed detecting size is a negative number in memset(), memcpy(),
    and memmove(), it will cause out-of-bounds bug.  So needs to be detected
    by KASAN.
    
    If size is a negative number, then it has a reason to be defined as
    out-of-bounds bug type.  Casting negative numbers to size_t would indeed
    turn up as a large size_t and its value will be larger than ULONG_MAX/2,
    so that this can qualify as out-of-bounds.
    
    KASAN report is shown below:
    
     BUG: KASAN: out-of-bounds in kmalloc_memmove_invalid_size+0x70/0xa0
     Read of size 18446744073709551608 at addr ffffff8069660904 by task cat/72
    
     CPU: 2 PID: 72 Comm: cat Not tainted 5.4.0-rc1-next-20191004ajb-00001-gdb8af2f372b2-dirty #1
     Hardware name: linux,dummy-virt (DT)
     Call trace:
      dump_backtrace+0x0/0x288
      show_stack+0x14/0x20
      dump_stack+0x10c/0x164
      print_address_description.isra.9+0x68/0x378
      __kasan_report+0x164/0x1a0
      kasan_report+0xc/0x18
      check_memory_region+0x174/0x1d0
      memmove+0x34/0x88
      kmalloc_memmove_invalid_size+0x70/0xa0
    
    [1] https://bugzilla.kernel.org/show_bug.cgi?id=199341
    
    [cai@lca.pw: fix -Wdeclaration-after-statement warn]
      Link: http://lkml.kernel.org/r/1583509030-27939-1-git-send-email-cai@lca.pw
    [peterz@infradead.org: fix objtool warning]
      Link: http://lkml.kernel.org/r/20200305095436.GV2596@hirez.programming.kicks-ass.net
    
    
    Reported-by: default avatarkernel test robot <lkp@intel.com>
    Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Suggested-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Signed-off-by: default avatarWalter Wu <walter-zh.wu@mediatek.com>
    Signed-off-by: default avatarQian Cai <cai@lca.pw>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Reviewed-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Reviewed-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Alexander Potapenko <glider@google.com>
    Link: http://lkml.kernel.org/r/20191112065302.7015-1-walter-zh.wu@mediatek.com
    
    
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    8cceeff4