From patchwork Fri Jun 22 09:27:06 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhen Lei X-Patchwork-Id: 139593 Delivered-To: patch@linaro.org Received: by 2002:a2e:970d:0:0:0:0:0 with SMTP id r13-v6csp646881lji; Fri, 22 Jun 2018 02:28:59 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLm/FdN2rMuCI8kOd/Grw9RWosWWse7lpgZdy8Ahw9hJ44qJnZa9EZktKla1S6+x8etZckw X-Received: by 2002:a17:902:6bc7:: with SMTP id m7-v6mr905407plt.162.1529659739614; Fri, 22 Jun 2018 02:28:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529659739; cv=none; d=google.com; s=arc-20160816; b=wf3s2umRpK9GA43oMfNFgrC0NomxdwvH2NETwsnHyGVWG/Ms5wyZuWPD4XrvX61HQ9 TaN7cgOupwPiHw2Ww99AxfENlnGDFLdIoHEGDjACkkaCdtot4Q76Qt6cReT1BINOvAAf jONtmFqD5W9uL+m2r9Sfb3EmvJ9R9PVuA3vdiAPVQTvhajOqNx+B83Nr5/MM/i+zOR2q ekPvBTfbXHYBYEjq7UnQcUxZCa3q49+vF3e7LQ9xZ0HUY9Nfru2aDJPq99MjD3kxb/ZB HPMe+WmkH215SUziRaTWRn7dhFvlGZSM2zLvjZwESnhzw0VjaLh6Ljyf1TKksaNQIIHG z8cA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:subject:cc :to:from:arc-authentication-results; bh=pZjl2u4dbeK/ZEGJJsBXr9Wt5s/zeIhE9JrSHK6HWlE=; b=DwkfcuOfsFsZcPBb1gd3txeq+owv1t+3wLxPgecDp+NhOtXyrO6JMHOZmJq65ysjlq K11RQZ+30K73ezGp5Sy7OQzRm8N8rMK9W2fGnAzh7H6eoo7Zli8ybTMfZZT9LL2Kqgcg kp9sUm3WCeUh6Yikdq9IjJ6drje0WVr6kSHBtRGffMP9l2z4LPa1GS213q0tA2LtES9J +k5oUVbUDOosB/Tu+GlK/skaYfjtFyD2LG+2avL8WazdnBSZ6ACxPJf1wikQpyVNu+P4 +yaawT8g4aaviO/I6y19jbNUMTJDnLWn4eKZeiVyn8gmrVlYp9ENaTMNj4ewN6QEHbfu nXzw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f59-v6si7074259plf.500.2018.06.22.02.28.59; Fri, 22 Jun 2018 02:28:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752222AbeFVJ25 (ORCPT + 30 others); Fri, 22 Jun 2018 05:28:57 -0400 Received: from szxga05-in.huawei.com ([45.249.212.191]:8724 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751191AbeFVJ24 (ORCPT ); Fri, 22 Jun 2018 05:28:56 -0400 Received: from DGGEMS409-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 7912A2A0857BB; Fri, 22 Jun 2018 17:28:42 +0800 (CST) Received: from localhost (10.177.23.164) by DGGEMS409-HUB.china.huawei.com (10.3.19.209) with Microsoft SMTP Server id 14.3.382.0; Fri, 22 Jun 2018 17:28:04 +0800 From: Zhen Lei To: Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , kasan-dev , linux-mm , linux-kernel CC: Zhen Lei , Hanjun Guo , Libin Subject: [PATCH 1/1] kasan: fix shadow_size calculation error in kasan_module_alloc Date: Fri, 22 Jun 2018 17:27:06 +0800 Message-ID: <1529659626-12660-1-git-send-email-thunder.leizhen@huawei.com> X-Mailer: git-send-email 1.9.5.msysgit.0 MIME-Version: 1.0 X-Originating-IP: [10.177.23.164] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org There is a special case that the size is "(N << KASAN_SHADOW_SCALE_SHIFT) Pages plus X", the value of X is [1, KASAN_SHADOW_SCALE_SIZE-1]. The operation "size >> KASAN_SHADOW_SCALE_SHIFT" will drop X, and the roundup operation can not retrieve the missed one page. For example: size=0x28006, PAGE_SIZE=0x1000, KASAN_SHADOW_SCALE_SHIFT=3, we will get shadow_size=0x5000, but actually we need 6 pages. shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE); This can lead kernel to be crashed, when kasan is enabled and the value of mod->core_layout.size or mod->init_layout.size is like above. Because the shadow memory of X has not been allocated and mapped. move_module: ptr = module_alloc(mod->core_layout.size); ... memset(ptr, 0, mod->core_layout.size); //crashed Unable to handle kernel paging request at virtual address ffff0fffff97b000 ...... Call trace: [] __asan_storeN+0x174/0x1a8 [] memset+0x24/0x48 [] layout_and_allocate+0xcd8/0x1800 [] load_module+0x190/0x23e8 [] SyS_finit_module+0x148/0x180 Signed-off-by: Zhen Lei --- mm/kasan/kasan.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 1.8.3 Reviewed-by: Dmitriy Vyukov Acked-by: Andrey Ryabinin diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c index 81a2f45..f5ac4ac 100644 --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c @@ -427,12 +427,13 @@ void kasan_kfree_large(const void *ptr) int kasan_module_alloc(void *addr, size_t size) { void *ret; + size_t scaled_size; size_t shadow_size; unsigned long shadow_start; shadow_start = (unsigned long)kasan_mem_to_shadow(addr); - shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, - PAGE_SIZE); + scaled_size = (size + KASAN_SHADOW_MASK) >> KASAN_SHADOW_SCALE_SHIFT; + shadow_size = round_up(scaled_size, PAGE_SIZE); if (WARN_ON(!PAGE_ALIGNED(shadow_start))) return -EINVAL;