From: Wang Long long.wanglong@huawei.com
The current KASAN code can not find the following out-of-bounds bugs:
char *ptr; ptr = kmalloc(8, GFP_KERNEL); memset(ptr+7, 0, 2);
the cause of the problem is the type conversion error in *memory_is_poisoned_n* function. So this patch fix that.
Signed-off-by: Wang Long long.wanglong@huawei.com Acked-by: Andrey Ryabinin aryabinin@virtuozzo.com Cc: Vladimir Murzin vladimir.murzin@arm.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org (cherry picked from commit e0d57714394f5e2ce4e2f9bbebf48e3c7a7fd3be) Signed-off-by: Alex Shi alex.shi@linaro.org --- mm/kasan/kasan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c index 879a33f..d2dca93 100644 --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c @@ -204,7 +204,7 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte);
if (unlikely(ret != (unsigned long)last_shadow || - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) + ((long)(last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) return true; } return false;