lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220703161552.6a3304c8d316e4fdcce42caa@linux-foundation.org>
Date:   Sun, 3 Jul 2022 16:15:52 -0700
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     Kuan-Ying Lee <Kuan-Ying.Lee@...iatek.com>
Cc:     Andrey Ryabinin <ryabinin.a.a@...il.com>,
        Alexander Potapenko <glider@...gle.com>,
        Andrey Konovalov <andreyknvl@...il.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Vincenzo Frascino <vincenzo.frascino@....com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        <chinwen.chang@...iatek.com>, <yee.lee@...iatek.com>,
        <casper.li@...iatek.com>, <andrew.yang@...iatek.com>,
        <kasan-dev@...glegroups.com>, <linux-mm@...ck.org>,
        <linux-kernel@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-mediatek@...ts.infradead.org>
Subject: Re: [PATCH] kasan: separate double free case from invalid free

On Wed, 15 Jun 2022 14:22:18 +0800 Kuan-Ying Lee <Kuan-Ying.Lee@...iatek.com> wrote:

> Currently, KASAN describes all invalid-free/double-free bugs as
> "double-free or invalid-free". This is ambiguous.
> 
> KASAN should report "double-free" when a double-free is a more
> likely cause (the address points to the start of an object) and
> report "invalid-free" otherwise [1].
> 
> [1] https://bugzilla.kernel.org/show_bug.cgi?id=212193
> 
> ...

Could we please have some review of this?

Thanks.

> 
> diff --git a/mm/kasan/common.c b/mm/kasan/common.c
> index c40c0e7b3b5f..707c3a527fcb 100644
> --- a/mm/kasan/common.c
> +++ b/mm/kasan/common.c
> @@ -343,7 +343,7 @@ static inline bool ____kasan_slab_free(struct kmem_cache *cache, void *object,
>  
>  	if (unlikely(nearest_obj(cache, virt_to_slab(object), object) !=
>  	    object)) {
> -		kasan_report_invalid_free(tagged_object, ip);
> +		kasan_report_invalid_free(tagged_object, ip, KASAN_REPORT_INVALID_FREE);
>  		return true;
>  	}
>  
> @@ -352,7 +352,7 @@ static inline bool ____kasan_slab_free(struct kmem_cache *cache, void *object,
>  		return false;
>  
>  	if (!kasan_byte_accessible(tagged_object)) {
> -		kasan_report_invalid_free(tagged_object, ip);
> +		kasan_report_invalid_free(tagged_object, ip, KASAN_REPORT_DOUBLE_FREE);
>  		return true;
>  	}
>  
> @@ -377,12 +377,12 @@ bool __kasan_slab_free(struct kmem_cache *cache, void *object,
>  static inline bool ____kasan_kfree_large(void *ptr, unsigned long ip)
>  {
>  	if (ptr != page_address(virt_to_head_page(ptr))) {
> -		kasan_report_invalid_free(ptr, ip);
> +		kasan_report_invalid_free(ptr, ip, KASAN_REPORT_INVALID_FREE);
>  		return true;
>  	}
>  
>  	if (!kasan_byte_accessible(ptr)) {
> -		kasan_report_invalid_free(ptr, ip);
> +		kasan_report_invalid_free(ptr, ip, KASAN_REPORT_DOUBLE_FREE);
>  		return true;
>  	}
>  
> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
> index 610d60d6e5b8..01c03e45acd4 100644
> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -125,6 +125,7 @@ static inline bool kasan_sync_fault_possible(void)
>  enum kasan_report_type {
>  	KASAN_REPORT_ACCESS,
>  	KASAN_REPORT_INVALID_FREE,
> +	KASAN_REPORT_DOUBLE_FREE,
>  };
>  
>  struct kasan_report_info {
> @@ -277,7 +278,7 @@ static inline void kasan_print_address_stack_frame(const void *addr) { }
>  
>  bool kasan_report(unsigned long addr, size_t size,
>  		bool is_write, unsigned long ip);
> -void kasan_report_invalid_free(void *object, unsigned long ip);
> +void kasan_report_invalid_free(void *object, unsigned long ip, enum kasan_report_type type);
>  
>  struct page *kasan_addr_to_page(const void *addr);
>  struct slab *kasan_addr_to_slab(const void *addr);
> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
> index b341a191651d..fe3f606b3a98 100644
> --- a/mm/kasan/report.c
> +++ b/mm/kasan/report.c
> @@ -176,8 +176,12 @@ static void end_report(unsigned long *flags, void *addr)
>  static void print_error_description(struct kasan_report_info *info)
>  {
>  	if (info->type == KASAN_REPORT_INVALID_FREE) {
> -		pr_err("BUG: KASAN: double-free or invalid-free in %pS\n",
> -		       (void *)info->ip);
> +		pr_err("BUG: KASAN: invalid-free in %pS\n", (void *)info->ip);
> +		return;
> +	}
> +
> +	if (info->type == KASAN_REPORT_DOUBLE_FREE) {
> +		pr_err("BUG: KASAN: double-free in %pS\n", (void *)info->ip);
>  		return;
>  	}
>  
> @@ -433,7 +437,7 @@ static void print_report(struct kasan_report_info *info)
>  	}
>  }
>  
> -void kasan_report_invalid_free(void *ptr, unsigned long ip)
> +void kasan_report_invalid_free(void *ptr, unsigned long ip, enum kasan_report_type type)
>  {
>  	unsigned long flags;
>  	struct kasan_report_info info;
> @@ -448,7 +452,7 @@ void kasan_report_invalid_free(void *ptr, unsigned long ip)
>  
>  	start_report(&flags, true);
>  
> -	info.type = KASAN_REPORT_INVALID_FREE;
> +	info.type = type;
>  	info.access_addr = ptr;
>  	info.first_bad_addr = kasan_reset_tag(ptr);
>  	info.access_size = 0;
> -- 
> 2.18.0
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ