References: <20190819172540.19581-1-aryabinin@virtuozzo.com>
In-Reply-To: <20190819172540.19581-1-aryabinin@virtuozzo.com>
From: Andrey Konovalov
Date: Tue, 20 Aug 2019 20:23:17 +0200
Subject: Re: [PATCH] mm/kasan: Fix false positive invalid-free reports with CONFIG_KASAN_SW_TAGS=y
To: Andrey Ryabinin
Cc: Andrew Morton, Walter Wu, Alexander Potapenko, Dmitry Vyukov, Catalin Marinas, Will Deacon, LKML, kasan-dev, Mark Rutland, stable
List-ID: linux-kernel@vger.kernel.org

On Mon, Aug 19, 2019 at 7:26 PM Andrey Ryabinin wrote:
>
> The code like this:
>
> ptr = kmalloc(size, GFP_KERNEL);
> page = virt_to_page(ptr);
> offset = offset_in_page(ptr);
> kfree(page_address(page) + offset);
>
> may produce false-positive invalid-free reports on the kernel with
> CONFIG_KASAN_SW_TAGS=y.
>
> In the example above we lose the original tag assigned to 'ptr',
> so kfree() gets the pointer with 0xFF tag. In kfree() we check that
> 0xFF tag is different from the tag in shadow, hence print a false report.
>
> Instead of just comparing tags, do the following:
> 1) Check that shadow doesn't contain KASAN_TAG_INVALID. Otherwise it's
> a double-free and it doesn't matter what tag the pointer has.
>
> 2) If pointer tag is different from 0xFF, make sure that tag in the shadow
> is the same as in the pointer.
>
> Fixes: 7f94ffbc4c6a ("kasan: add hooks implementation for tag-based mode")
> Signed-off-by: Andrey Ryabinin
> Reported-by: Walter Wu
> Reported-by: Mark Rutland
> Cc:

Reviewed-by: Andrey Konovalov

> ---
> mm/kasan/common.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/mm/kasan/common.c b/mm/kasan/common.c
> index 895dc5e2b3d5..3b8cde0cb5b2 100644
> --- a/mm/kasan/common.c
> +++ b/mm/kasan/common.c
> @@ -406,8 +406,14 @@ static inline bool shadow_invalid(u8 tag, s8 shadow_byte) > if (IS_ENABLED(CONFIG_KASAN_GENERIC)) > return shadow_byte < 0 || > shadow_byte >= KASAN_SHADOW_SCALE_SIZE; > - else > - return tag != (u8)shadow_byte; > + > + /* else CONFIG_KASAN_SW_TAGS: */ > + if ((u8)shadow_byte == KASAN_TAG_INVALID) > + return true; > + if ((tag != KASAN_TAG_KERNEL) && (tag != (u8)shadow_byte)) > + return true; > + > + return false; > } > > static bool __kasan_slab_free(struct kmem_cache *cache, void *object, > -- > 2.21.0 >
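Review bot: the new `tag != KASAN_TAG_KERNEL` guard in shadow_invalid() means a pointer carrying the 0xFF kernel tag now passes for any live object regardless of what the shadow holds, so the SW_TAGS mode trades away detection of a wrong-object free through an untagged pointer to remove the false positive; only the preceding KASAN_TAG_INVALID check still fires for such pointers (double free / already-freed memory). That trade-off should be stated where the exemption is made, e.g. replace `/* else CONFIG_KASAN_SW_TAGS: */` with a comment saying that 0xFF pointers (page_address() and friends) have lost their tag and are only checked for double-free, so the exemption does not read as an oversight. Minor style point: the parentheses around `(tag != KASAN_TAG_KERNEL)` and `(tag != (u8)shadow_byte)` are redundant in kernel style.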
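A user-space model of the decision in shadow_invalid() before and after the patch, applied to the scenario in the commit message. This is an added example, not kernel code or the patch author's code; KASAN_TAG_KERNEL is the 0xFF tag the message refers to, KASAN_TAG_INVALID is the kernel's 0xFE freed-memory marker, and the object tags 0x3A and 0x5C are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values as used by SW_TAGS KASAN (assumed here, mirroring the kernel). */
#define KASAN_TAG_KERNEL  0xFF  /* tag of pointers that never got a tag */
#define KASAN_TAG_INVALID 0xFE  /* shadow value written when memory is freed */

/* Before the patch: any difference between pointer tag and shadow tag
 * is reported as an invalid free. */
static bool shadow_invalid_old(uint8_t tag, int8_t shadow_byte)
{
	return tag != (uint8_t)shadow_byte;
}

/* After the patch: freed shadow is always reported; a tag mismatch is only
 * reported when the pointer still carries a real (non-0xFF) tag. */
static bool shadow_invalid_new(uint8_t tag, int8_t shadow_byte)
{
	if ((uint8_t)shadow_byte == KASAN_TAG_INVALID)
		return true;
	if (tag != KASAN_TAG_KERNEL && tag != (uint8_t)shadow_byte)
		return true;
	return false;
}

/* Commit-message scenario: a live object whose shadow holds tag 0x3A is
 * freed via page_address()+offset, so the pointer arrives with tag 0xFF.
 * Returns 1 if the check reports it (a false positive), 0 if it is accepted. */
static int free_via_untagged_ptr(bool (*check)(uint8_t, int8_t))
{
	const int8_t live_shadow = (int8_t)0x3A;  /* constructed object tag */
	return check(KASAN_TAG_KERNEL, live_shadow) ? 1 : 0;
}

/* Double free: the shadow was already poisoned to KASAN_TAG_INVALID.
 * Returns 1 if reported, whatever tag the pointer carries. */
static int double_free(bool (*check)(uint8_t, int8_t), uint8_t ptr_tag)
{
	return check(ptr_tag, (int8_t)KASAN_TAG_INVALID) ? 1 : 0;
}

int main(void)
{
	printf("old check, untagged free of live object: %d (false positive)\n",
	       free_via_untagged_ptr(shadow_invalid_old));
	printf("new check, untagged free of live object: %d\n",
	       free_via_untagged_ptr(shadow_invalid_new));
	printf("new check, untagged double free: %d (still caught)\n",
	       double_free(shadow_invalid_new, KASAN_TAG_KERNEL));
	return 0;
}
```

The model also shows the cost of the fix: with a 0xFF pointer the new check accepts a free of any live object, so only the KASAN_TAG_INVALID case remains detectable for untagged pointers.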