Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp5914378ybx; Mon, 11 Nov 2019 00:26:31 -0800 (PST) X-Google-Smtp-Source: APXvYqyJXHS/O5iwekBb/eqeilH+ffGsPYCHWQBvB0FHPEZSSnOPTo4ZmUweqZz+xuV1uHQHFs4l X-Received: by 2002:a17:906:524b:: with SMTP id y11mr21067528ejm.82.1573460791717; Mon, 11 Nov 2019 00:26:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573460791; cv=none; d=google.com; s=arc-20160816; b=YKEF+Nxskc4nXMKz3qYxDQEVHUL1dAUNpCF+Oj2xcRvirOlppluwy5DUVWloLnaoCs /alXFZXmsJISEEe4HG8at19HoRxT6d0PBFOEsNPjuGYgD0oX8eEcxwnSt0KvcKj+4ctz 96x0WUgQEkHulZxKrUDI17N5RxAh2zrUoCToYhnua7hAm6w7bTthf3wbQN7H3jeJcHft EsZclcLwvi8SEW/pJ/Tj2tiZHoqELecezBcwcssvHwtQa7MxMAkkpNpWFKPfAp68dlvr 8KZ5OMFNn1X8u/4kuwY8gYtJwHwDDYZ1XyeW1aK3r2G1E12TxcsS7F5OZ4WrU4t74B+9 L2IA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=Nt3MKERF0kAHPpilsOcZ66FJpLhSTeFXXMcT5u+jJ+w=; b=BdyZiSardhu6uaGZCSNdMyekkljJ3a0/5zBGvQcf+Q1EDfy1lr+/vliGZY4Xa416Zu 4PCsNV62Wgbl1JNmGu3DkTyF/QTm0mAVMs4slEzM84YosiyyCl2MdhNoV7q0l4chRUVP Id+MA7sNgdIV0/3an7XCbiyJA/oSDAmnsm4PDrtJI6PBf6x+xh/JWvKfpp+ZwcwNCFvN V5ud38awKEUtR9QltMvMW4sKQGbS1yZQU1ghbT/ZDGX9ulSpfEiaNlz4jH+/drMhManQ EGivXsjRgoR8N3SsQUN1END/PhD0cssoKwL7x6dO+CTBsajlBKHWJSWmAapAq5LS9jET 9l/Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r9si11392201edc.101.2019.11.11.00.26.08; Mon, 11 Nov 2019 00:26:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726808AbfKKIZM (ORCPT + 99 others); Mon, 11 Nov 2019 03:25:12 -0500 Received: from relay.sw.ru ([185.231.240.75]:58224 "EHLO relay.sw.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726768AbfKKIZM (ORCPT ); Mon, 11 Nov 2019 03:25:12 -0500 Received: from [172.16.25.5] by relay.sw.ru with esmtp (Exim 4.92.3) (envelope-from ) id 1iU50L-00018h-TL; Mon, 11 Nov 2019 11:24:58 +0300 Subject: Re: [PATCH v3 1/2] kasan: detect negative size in memory operation function To: Dmitry Vyukov Cc: Walter Wu , Alexander Potapenko , Matthias Brugger , kasan-dev , Linux-MM , LKML , Linux ARM , wsd_upstream References: <20191104020519.27988-1-walter-zh.wu@mediatek.com> <34bf9c08-d2f2-a6c6-1dbe-29b1456d8284@virtuozzo.com> From: Andrey Ryabinin Message-ID: <20df03c5-e733-98b0-84e9-8d52ddce5c98@virtuozzo.com> Date: Mon, 11 Nov 2019 11:24:36 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/11/19 10:57 AM, Dmitry Vyukov wrote: > On Fri, Nov 8, 2019 at 11:32 PM Andrey Ryabinin wrote: >>> diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c >>> index 36c645939bc9..52a92c7db697 100644 >>> --- a/mm/kasan/generic_report.c >>> +++ b/mm/kasan/generic_report.c >>> @@ -107,6 +107,24 @@ static const char *get_wild_bug_type(struct kasan_access_info *info) >>> >>> const char *get_bug_type(struct kasan_access_info *info) >>> { >>> + /* >>> + * If access_size is negative numbers, then it has three reasons >>> + * to be defined as heap-out-of-bounds bug type. >>> + * 1) Casting negative numbers to size_t would indeed turn up as >>> + * a large size_t and its value will be larger than ULONG_MAX/2, >>> + * so that this can qualify as out-of-bounds. >>> + * 2) If KASAN has new bug type and user-space passes negative size, >>> + * then there are duplicate reports. So don't produce new bug type >>> + * in order to prevent duplicate reports by some systems >>> + * (e.g. syzbot) to report the same bug twice. >>> + * 3) When size is negative numbers, it may be passed from user-space. >>> + * So we always print heap-out-of-bounds in order to prevent that >>> + * kernel-space and user-space have the same bug but have duplicate >>> + * reports. >>> + */ >> >> Completely fail to understand 2) and 3). 2) talks something about *NOT* producing new bug >> type, but at the same time you code actually does that. >> 3) says something about user-space which have nothing to do with kasan. > > The idea was to use one of the existing bug titles so that syzbot does > not produce 2 versions for OOBs where size is user-controlled. We > don't know if it's overflow from heap, global or stack, but heap is > the most common bug, so saying heap overflow will reduce chances of > producing duplicates the most. > But for all of this to work we do need to use one of the existing bug titles. The "heap-out-of-bounds" is not one of the existing bug titles.