lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 8 Sep 2015 17:49:43 +0800
From:	Xishi Qiu <qiuxishi@...wei.com>
To:	Andrey Ryabinin <ryabinin.a.a@...il.com>
CC:	Andrew Morton <akpm@...ux-foundation.org>,
	Andrey Konovalov <adech.fo@...il.com>,
	Rusty Russell <rusty@...tcorp.com.au>,
	Michal Marek <mmarek@...e.cz>, Linux MM <linux-mm@...ck.org>,
	LKML <linux-kernel@...r.kernel.org>, <zhongjiang@...wei.com>
Subject: Re: [PATCH] kasan: fix last shadow judgement in memory_is_poisoned_16()

On 2015/9/8 17:36, Andrey Ryabinin wrote:

> 2015-09-08 4:42 GMT+03:00 Xishi Qiu <qiuxishi@...wei.com>:
>> The shadow which correspond 16 bytes may span 2 or 3 bytes. If shadow
>> only take 2 bytes, we can return in "if (likely(!last_byte)) ...", but
>> it calculates wrong, so fix it.
>>
> 
> Please, be more specific. Describe what is wrong with the current code and why,
> what's the effect of this bug and how you fixed it.
> 
> 

If the 16 bytes memory is aligned on 8, then the shadow takes only 2 bytes.
So we check "shadow_first_bytes" is enough, and need not to call "memory_is_poisoned_1(addr + 15);".
The code "if (likely(IS_ALIGNED(addr, 8)))" is wrong judgement.

e.g. addr=0, so last_byte = 15 & KASAN_SHADOW_MASK = 7, then the code will
continue to call "return memory_is_poisoned_1(addr + 15);"

Thanks,
Xishi Qiu

>> Signed-off-by: Xishi Qiu <qiuxishi@...wei.com>
>> ---
>>  mm/kasan/kasan.c |    3 +--
>>  1 files changed, 1 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
>> index 7b28e9c..8da2114 100644
>> --- a/mm/kasan/kasan.c
>> +++ b/mm/kasan/kasan.c
>> @@ -135,12 +135,11 @@ static __always_inline bool memory_is_poisoned_16(unsigned long addr)
>>
>>         if (unlikely(*shadow_addr)) {
>>                 u16 shadow_first_bytes = *(u16 *)shadow_addr;
>> -               s8 last_byte = (addr + 15) & KASAN_SHADOW_MASK;
>>
>>                 if (unlikely(shadow_first_bytes))
>>                         return true;
>>
>> -               if (likely(!last_byte))
>> +               if (likely(IS_ALIGNED(addr, 8)))
>>                         return false;
>>
>>                 return memory_is_poisoned_1(addr + 15);
>> --
>> 1.7.1
>>
>>
> 
> .
> 



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ