Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp6683093ybn; Mon, 30 Sep 2019 01:58:50 -0700 (PDT) X-Google-Smtp-Source: APXvYqwi2bw8GaCqJBI1YJ+HaGfR+G3jhoiWhHb/6alrayE2dcaC09+dLgZ9B714bULrtFC8Dgcc X-Received: by 2002:a17:907:214e:: with SMTP id rk14mr18384156ejb.60.1569833930205; Mon, 30 Sep 2019 01:58:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569833930; cv=none; d=google.com; s=arc-20160816; b=d6ZBWquBQ6PYAP3bhGMoQ/spNd+PwHzb8ynckv1znLbG2NQQape44LQlxCBqmpABys 7R12cibLuXhWpr55xPBw5VF/46P+hXvBX4EN2HoddxfE+41ob//LUaVtB5FyKc41ClWq jeEsVfYZ06wTsqMiaisGzr4URWGxSQ4FU21DbvwRC4SrperJbgjZyfaLXcOkvuNWXI6d YunzaVL/7yyZ9RYCbvst6XkurkAeQp/vT6aXsRQX/NCb5bK7OEyShLPR8BrODtYkkV7B o/JgtTzSHBZ3gKu7zwOR1aniBC0dGB7RddSrTEKVn46sxJx2KcVAqtRD9QNtlrWTyNRC RZWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=mgLLwzKeGJEt8dy/bBZPEztvUg1OpWUVMz/vD9hzvdo=; b=C01rlxtj9IaDigXKyIpg/yWGS7j0SOn5xmdt0J0YgHO0kV4knkn+b2UcLSRCH1aCFn bLPNtBQ+IUtkTz39HgrLE+Bc5ByZETGk8A86br+/jJHU/wGagpOZhVOpoil6Uq+oMB2Q rTUdQy4AWT6TBl5K7SRz+pYIhFxJ5GxKHZjlTVfwxG+cn2gGV3vrQwFUjNzWx7hiR0Sl ayQjCWqmBcHbuvu3HrLTWG8GjyQ8XmscZzDrep0NaPxAs9pHpZ4OeJjFhVYV/rh1A1Xh MK7Ewm+v9FQIbb3fC9qSV20t3UdffgJnq09PZNV0Oaj5v3w7TjDUEm8Y6mA7wz1bRNMo 2vQg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f57si6711344ede.78.2019.09.30.01.58.25; Mon, 30 Sep 2019 01:58:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730286AbfI3I5m (ORCPT + 99 others); Mon, 30 Sep 2019 04:57:42 -0400 Received: from ns.iliad.fr ([212.27.33.1]:36058 "EHLO ns.iliad.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730274AbfI3I5m (ORCPT ); Mon, 30 Sep 2019 04:57:42 -0400 Received: from ns.iliad.fr (localhost [127.0.0.1]) by ns.iliad.fr (Postfix) with ESMTP id 5FC0020289; Mon, 30 Sep 2019 10:57:40 +0200 (CEST) Received: from [192.168.108.37] (freebox.vlq16.iliad.fr [213.36.7.13]) by ns.iliad.fr (Postfix) with ESMTP id A431320274; Mon, 30 Sep 2019 10:57:39 +0200 (CEST) Subject: Re: [PATCH] kasan: fix the missing underflow in memmove and memcpy with CONFIG_KASAN_GENERIC=y To: Walter Wu , Dmitry Vyukov Cc: LKML , kasan-dev , Alexander Potapenko , Matthias Brugger , Andrey Ryabinin , Linux ARM References: <20190927034338.15813-1-walter-zh.wu@mediatek.com> <1569594142.9045.24.camel@mtksdccf07> <1569818173.17361.19.camel@mtksdccf07> From: Marc Gonzalez Message-ID: Date: Mon, 30 Sep 2019 10:57:39 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: <1569818173.17361.19.camel@mtksdccf07> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP ; ns.iliad.fr ; Mon Sep 30 10:57:40 2019 +0200 (CEST) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 30/09/2019 06:36, Walter Wu wrote: > bool check_memory_region(unsigned long addr, size_t size, bool write, > unsigned long ret_ip) > { > + if (long(size) < 0) { > + kasan_report_invalid_size(src, dest, len, _RET_IP_); > + return false; > + } > + > return check_memory_region_inline(addr, size, write, ret_ip); > } Is it expected that memcpy/memmove may sometimes (incorrectly) be passed a negative value? (It would indeed turn up as a "large" size_t) IMO, casting to long is suspicious. There seem to be some two implicit assumptions. 1) size >= ULONG_MAX/2 is invalid input 2) casting a size >= ULONG_MAX/2 to long yields a negative value 1) seems reasonable because we can't copy more than half of memory to the other half of memory. I suppose the constraint could be even tighter, but it's not clear where to draw the line, especially when considering 32b vs 64b arches. 2) is implementation-defined, and gcc works "as expected" (clang too probably) https://gcc.gnu.org/onlinedocs/gcc/Integers-implementation.html A comment might be warranted to explain the rationale. Regards.