Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1334191imm; Thu, 23 Aug 2018 01:00:54 -0700 (PDT) X-Google-Smtp-Source: AA+uWPxutNcs7eQIR7cg091fp8fItQNc3cdt+5PyNdIk9pKSTWIuwesZkKGVWUV06V5Z6vX3ZOWX X-Received: by 2002:a62:6b88:: with SMTP id g130-v6mr19506628pfc.140.1535011254752; Thu, 23 Aug 2018 01:00:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535011254; cv=none; d=google.com; s=arc-20160816; b=w2C3ckx7uAxcxvYLa7vg7ZwEBjc3RiRqoGPV6IFmrXbYAuE6JOEZI/TodHVIg6FutM JoYM5BZwfZZ2GD8gweNsd4DlcD1xGFTRw6lHsJudXPoIjZ2HI1uqF/hfuf0D3GsAzQDC /U+BlvAARpkGk++NiYX4Sg8L/R+DjbkR+i8idb5ToGxR6MbEQUbnQ7IUCEMjfaitjPZL BSFJDO4v8Duxcb78WKlvLQfO8dArXXaxuW8EPeRr3vXVGZBjdIAbDM8xyT9rfG0AKlPX IuenafR9CueqKs5OiXD1uuv6go+U/3PpDD3ALmFcwnE36mHb6xUTZsUHyotwNk5P8s8T sSEw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=OveZNC2gph2ij3C7uGn9atkSU+m3WVqhKZuj5Z7RkJ4=; b=vfE0Fy/Qi0FRmw5QunS1aSEZokse3CsLjpT6CrYwrGT9zmix7GPJncq13MwCgiw4dn vBtvrLkUcIq9ysfqGz8mvQa5YdsZabsc+zy4yZH85XT+HJl8NSmTOx2ns4MXHnatcXTj bcEjiS/OtH+BPLUeR4SF45U+UXB1C8NO1+hIPEgP1Gz0D5SuTwqDn8XXja8GcerhqQUu Vmp7rB12EwAmXS2NHCRXGbN3uPGqfecZTe8TUc5dKzFO8mGCRxPx5lhA511JK7foOn9W eYPe6MgD1P564sKBM3zqOHMtg52/j17w7QDBCWxvhH6hLH/9yB+Qmt/pqJOzHcalxKJR WTvA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k18-v6si3900058pff.91.2018.08.23.01.00.39; Thu, 23 Aug 2018 01:00:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728253AbeHWL1S (ORCPT + 99 others); Thu, 23 Aug 2018 07:27:18 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:41900 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726978AbeHWL1R (ORCPT ); Thu, 23 Aug 2018 07:27:17 -0400 Received: from localhost (5355525A.cm-6-6b.dynamic.ziggo.nl [83.85.82.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 271CB9D2; Thu, 23 Aug 2018 07:58:54 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zhen Lei , Dmitriy Vyukov , Andrey Ryabinin , Alexander Potapenko , Hanjun Guo , Libin , Andrew Morton , Linus Torvalds , Sasha Levin Subject: [PATCH 4.4 43/79] kasan: fix shadow_size calculation error in kasan_module_alloc Date: Thu, 23 Aug 2018 09:53:19 +0200 Message-Id: <20180823074921.945921336@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180823074918.641878835@linuxfoundation.org> References: <20180823074918.641878835@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Zhen Lei [ Upstream commit 1e8e18f694a52d703665012ca486826f64bac29d ] There is a special case that the size is "(N << KASAN_SHADOW_SCALE_SHIFT) Pages plus X", the value of X is [1, KASAN_SHADOW_SCALE_SIZE-1]. The operation "size >> KASAN_SHADOW_SCALE_SHIFT" will drop X, and the roundup operation can not retrieve the missed one page. For example: size=0x28006, PAGE_SIZE=0x1000, KASAN_SHADOW_SCALE_SHIFT=3, we will get shadow_size=0x5000, but actually we need 6 pages. shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE); This can lead to a kernel crash when kasan is enabled and the value of mod->core_layout.size or mod->init_layout.size is like above. Because the shadow memory of X has not been allocated and mapped. move_module: ptr = module_alloc(mod->core_layout.size); ... memset(ptr, 0, mod->core_layout.size); //crashed Unable to handle kernel paging request at virtual address ffff0fffff97b000 ...... Call trace: __asan_storeN+0x174/0x1a8 memset+0x24/0x48 layout_and_allocate+0xcd8/0x1800 load_module+0x190/0x23e8 SyS_finit_module+0x148/0x180 Link: http://lkml.kernel.org/r/1529659626-12660-1-git-send-email-thunder.leizhen@huawei.com Signed-off-by: Zhen Lei Reviewed-by: Dmitriy Vyukov Acked-by: Andrey Ryabinin Cc: Alexander Potapenko Cc: Hanjun Guo Cc: Libin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- mm/kasan/kasan.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c @@ -427,12 +427,13 @@ void kasan_kfree_large(const void *ptr) int kasan_module_alloc(void *addr, size_t size) { void *ret; + size_t scaled_size; size_t shadow_size; unsigned long shadow_start; shadow_start = (unsigned long)kasan_mem_to_shadow(addr); - shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, - PAGE_SIZE); + scaled_size = (size + KASAN_SHADOW_MASK) >> KASAN_SHADOW_SCALE_SHIFT; + shadow_size = round_up(scaled_size, PAGE_SIZE); if (WARN_ON(!PAGE_ALIGNED(shadow_start))) return -EINVAL;