From: Andrey Ryabinin
To: Andrew Morton
Cc: Walter Wu, Alexander Potapenko, Dmitry Vyukov, Catalin Marinas, Will Deacon, Andrey Konovalov, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, Mark Rutland, Andrey Ryabinin, stable@vger.kernel.org
Subject: [PATCH] mm/kasan: Fix false positive invalid-free reports with CONFIG_KASAN_SW_TAGS=y
Date: Mon, 19 Aug 2019 20:25:40 +0300
Message-Id: <20190819172540.19581-1-aryabinin@virtuozzo.com>
X-Mailer: git-send-email 2.21.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Code like this:

	ptr = kmalloc(size, GFP_KERNEL);
	page = virt_to_page(ptr);
	offset = offset_in_page(ptr);
	kfree(page_address(page) + offset);

may produce false-positive invalid-free reports on the kernel with
CONFIG_KASAN_SW_TAGS=y.

In the example above we lose the original tag assigned to 'ptr', so
kfree() gets the pointer with 0xFF tag. In kfree() we check that the 0xFF
tag is different from the tag in shadow, hence print a false report.

Instead of just comparing tags, do the following:

1) Check that shadow doesn't contain KASAN_TAG_INVALID. Otherwise it's a
   double-free and it doesn't matter what tag the pointer has.

2) If the pointer tag is different from 0xFF, make sure that the tag in the
   shadow is the same as in the pointer.

Fixes: 7f94ffbc4c6a ("kasan: add hooks implementation for tag-based mode")
Signed-off-by: Andrey Ryabinin
Reported-by: Walter Wu
Reported-by: Mark Rutland
Cc:
---
 mm/kasan/common.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index 895dc5e2b3d5..3b8cde0cb5b2 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -406,8 +406,14 @@ static inline bool shadow_invalid(u8 tag, s8 shadow_byte) if (IS_ENABLED(CONFIG_KASAN_GENERIC)) return shadow_byte < 0 || shadow_byte >= KASAN_SHADOW_SCALE_SIZE; - else - return tag != (u8)shadow_byte; + + /* else CONFIG_KASAN_SW_TAGS: */ + if ((u8)shadow_byte == KASAN_TAG_INVALID) + return true; + if ((tag != KASAN_TAG_KERNEL) && (tag != (u8)shadow_byte)) + return true; + + return false; } static bool __kasan_slab_free(struct kmem_cache *cache, void *object, -- 2.21.0
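Review bot: the new `/* else CONFIG_KASAN_SW_TAGS: */` comment names the mode but not why a pointer tagged KASAN_TAG_KERNEL is exempted from the tag comparison; that reasoning (the tag is legitimately lost on a virt_to_page()/page_address() round trip, so only the KASAN_TAG_INVALID double-free check can apply) lives only in the commit message, and a one-line comment above `if ((tag != KASAN_TAG_KERNEL) && (tag != (u8)shadow_byte))` saying so would save the next reader of shadow_invalid() a trip to git log. The same comment should state that this is a deliberate loss of coverage: with tag == KASAN_TAG_KERNEL the second condition can never fire, so a 0xFF-tagged pointer into an object that was freed and has since been reallocated (shadow holding the new owner's tag rather than KASAN_TAG_INVALID) is now freed without a report, whereas the old `return tag != (u8)shadow_byte;` caught it. Style nit on that line: the parentheses around each comparison are unnecessary under kernel style, `if (tag != KASAN_TAG_KERNEL && tag != (u8)shadow_byte)` reads the same.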
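The scenario from the commit message, as an added example that is not part of the patch or of the kernel's own code: a user-space C model of the SW_TAGS invalid-free check. The four-object heap, the deterministic tag sequence, the object-index-in-low-byte addressing and the toy_kmalloc()/toy_kfree() helpers are all constructed for this example; only the tag constants mirror mm/kasan/kasan.h (KASAN_TAG_KERNEL 0xFF, KASAN_TAG_INVALID 0xFE, KASAN_TAG_MAX 0xFD) and the tag is carried in the top pointer byte as on arm64. It runs the pre-patch comparison and the patched shadow_invalid() logic over the kmalloc/page_address/kfree round trip, over a double free through a tag-stripped pointer, and over a free with a wrong non-0xFF tag.

```c
/*
 * User-space model of the KASAN_SW_TAGS invalid-free check (added example,
 * not kernel code). Heap, tag sequence and object indices are toy constructs.
 * Tag constants mirror mm/kasan/kasan.h; the tag lives in the top pointer byte.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_TAG_KERNEL  0xFF	/* native tag: untagged or tag-stripped pointer */
#define KASAN_TAG_INVALID 0xFE	/* shadow value for freed memory */
#define KASAN_TAG_MAX     0xFD	/* highest tag the allocator hands out */

#define TAG_SHIFT 56
#define TAG_MASK  (0xFFULL << TAG_SHIFT)

typedef uint64_t tagged_ptr_t;

/* Toy heap: NOBJ objects, the low byte of the "address" is the object index,
 * one shadow byte per object records the tag the allocator assigned. */
#define NOBJ 4
static uint8_t shadow[NOBJ];
static unsigned next_tag = 0x3A;	/* deterministic stand-in for a random tag */

static uint8_t get_tag(tagged_ptr_t p) { return (uint8_t)(p >> TAG_SHIFT); }

static tagged_ptr_t set_tag(tagged_ptr_t p, uint8_t tag)
{
	return (p & ~TAG_MASK) | ((tagged_ptr_t)tag << TAG_SHIFT);
}

/* What page_address(virt_to_page(p)) + offset yields: the tag is gone (0xFF). */
static tagged_ptr_t reset_tag(tagged_ptr_t p) { return set_tag(p, KASAN_TAG_KERNEL); }

static unsigned obj_index(tagged_ptr_t p) { return (unsigned)(p & 0xFF) % NOBJ; }

/* kmalloc(): pick a fresh tag, record it in shadow, return a tagged pointer. */
static tagged_ptr_t toy_kmalloc(unsigned idx)
{
	uint8_t tag = (uint8_t)(next_tag++ % (KASAN_TAG_MAX + 1));

	shadow[idx % NOBJ] = tag;
	return set_tag((tagged_ptr_t)(idx % NOBJ), tag);
}

/* Pre-patch check: any mismatch between pointer tag and shadow is reported. */
static bool shadow_invalid_old(uint8_t tag, uint8_t shadow_byte)
{
	return tag != shadow_byte;
}

/* Patched check, SW_TAGS branch of shadow_invalid(). The kernel takes the
 * shadow byte as s8 and casts it back to u8; modelled here as uint8_t. */
static bool shadow_invalid_new(uint8_t tag, uint8_t shadow_byte)
{
	if (shadow_byte == KASAN_TAG_INVALID)
		return true;		/* memory already freed: double free */
	if (tag != KASAN_TAG_KERNEL && tag != shadow_byte)
		return true;		/* tagged pointer with a stale or forged tag */
	return false;			/* 0xFF pointer: tag was lost, trust the shadow */
}

/* kfree(): true when KASAN would print an invalid-free report; otherwise
 * poisons the object's shadow with KASAN_TAG_INVALID. */
static bool toy_kfree(tagged_ptr_t p, bool (*check)(uint8_t, uint8_t))
{
	unsigned idx = obj_index(p);

	if (check(get_tag(p), shadow[idx]))
		return true;
	shadow[idx] = KASAN_TAG_INVALID;
	return false;
}

/* The commit message's sequence: kmalloc(), strip the tag, kfree(). */
static bool stripped_tag_free_reported(bool (*check)(uint8_t, uint8_t))
{
	tagged_ptr_t p = toy_kmalloc(0);

	return toy_kfree(reset_tag(p), check);
}

/* A double free through a tag-stripped pointer must still be reported. */
static bool stripped_tag_double_free_reported(void)
{
	tagged_ptr_t p = toy_kmalloc(1);

	toy_kfree(p, shadow_invalid_new);	/* legitimate first free */
	return toy_kfree(reset_tag(p), shadow_invalid_new);
}

/* A pointer carrying a wrong (non-0xFF) tag is still reported. */
static bool wrong_tag_free_reported(void)
{
	tagged_ptr_t p = toy_kmalloc(2);
	tagged_ptr_t forged = set_tag(p, (uint8_t)(get_tag(p) ^ 0x01));

	return toy_kfree(forged, shadow_invalid_new);
}

int main(void)
{
	printf("stripped tag, old check: %s\n",
	       stripped_tag_free_reported(shadow_invalid_old) ? "REPORT (false positive)" : "ok");
	printf("stripped tag, new check: %s\n",
	       stripped_tag_free_reported(shadow_invalid_new) ? "REPORT" : "ok");
	printf("double free,  new check: %s\n",
	       stripped_tag_double_free_reported() ? "REPORT (correct)" : "MISSED");
	printf("wrong tag,    new check: %s\n",
	       wrong_tag_free_reported() ? "REPORT (correct)" : "MISSED");
	return 0;
}
```

The old check reports the stripped-tag free, which is the false positive the patch removes; the new check stays silent there but still reports the double free, because the first toy_kfree() poisoned the shadow with KASAN_TAG_INVALID, and still reports the forged-tag free. What the new check gives up is visible in the same model: a 0xFF-tagged pointer into an object that has been freed and reallocated finds the new owner's tag in shadow, which is not KASAN_TAG_INVALID, and the tag comparison is skipped, so that free goes unreported.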