kasan: fix type cast in memory_is_poisoned_n

Message ID	8c9e0251c2b8b81016255709d4ec42942dcaf018.1688431866.git.andreyknvl@google.com (mailing list archive)
State	New
Headers	show Return-Path: <owner-linux-mm@kvack.org> From: andrey.konovalov@linux.dev To: Marco Elver <elver@google.com> Cc: Andrey Konovalov <andreyknvl@gmail.com>, Alexander Potapenko <glider@google.com>, Dmitry Vyukov <dvyukov@google.com>, Andrey Ryabinin <ryabinin.a.a@gmail.com>, kasan-dev@googlegroups.com, Andrew Morton <akpm@linux-foundation.org>, linux-mm@kvack.org, Arnd Bergmann <arnd@arndb.de>, stable@vger.kernel.org, linux-kernel@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com> Subject: [PATCH] kasan: fix type cast in memory_is_poisoned_n Date: Tue, 4 Jul 2023 02:52:05 +0200 Message-Id: <8c9e0251c2b8b81016255709d4ec42942dcaf018.1688431866.git.andreyknvl@google.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	kasan: fix type cast in memory_is_poisoned_n \| expand kasan: fix type cast in memory_is_poisoned_n

Message ID

8c9e0251c2b8b81016255709d4ec42942dcaf018.1688431866.git.andreyknvl@google.com (mailing list archive)

State

New

Headers

From: andrey.konovalov@linux.dev
To: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>,
	Alexander Potapenko <glider@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Andrey Ryabinin <ryabinin.a.a@gmail.com>,
	kasan-dev@googlegroups.com,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-mm@kvack.org,
	Arnd Bergmann <arnd@arndb.de>,
	stable@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Andrey Konovalov <andreyknvl@google.com>
Subject: [PATCH] kasan: fix type cast in memory_is_poisoned_n
Date: Tue,  4 Jul 2023 02:52:05 +0200
Message-Id: 
 <8c9e0251c2b8b81016255709d4ec42942dcaf018.1688431866.git.andreyknvl@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

kasan: fix type cast in memory_is_poisoned_n | expand

Commit Message

andrey.konovalov@linux.dev July 4, 2023, 12:52 a.m. UTC

From: Andrey Konovalov <andreyknvl@google.com>

Commit bb6e04a173f0 ("kasan: use internal prototypes matching gcc-13
builtins") introduced a bug into the memory_is_poisoned_n implementation:
it effectively removed the cast to a signed integer type after applying
KASAN_GRANULE_MASK.

As a result, KASAN started failing to properly check memset, memcpy,
and other similar functions.

Fix the bug by adding the cast back (through an additional signed integer
variable to make the code more readable).

Fixes: bb6e04a173f0 ("kasan: use internal prototypes matching gcc-13 builtins")
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/generic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c
index 5b4c97baa656..4d837ab83f08 100644
--- a/mm/kasan/generic.c
+++ b/mm/kasan/generic.c
@@ -130,9 +130,10 @@  static __always_inline bool memory_is_poisoned_n(const void *addr, size_t size)
 	if (unlikely(ret)) {
 		const void *last_byte = addr + size - 1;
 		s8 *last_shadow = (s8 *)kasan_mem_to_shadow(last_byte);
+		s8 last_accessible_byte = (unsigned long)last_byte & KASAN_GRANULE_MASK;
 
 		if (unlikely(ret != (unsigned long)last_shadow ||
-			(((long)last_byte & KASAN_GRANULE_MASK) >= *last_shadow)))
+			     last_accessible_byte >= *last_shadow))
 			return true;
 	}
 	return false;

kasan: fix type cast in memory_is_poisoned_n

Commit Message

Patch