kasan: accurately determine the type of the bad access
authorAndrey Konovalov <andreyknvl@google.com>
Fri, 6 Nov 2015 02:51:01 +0000 (18:51 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 6 Nov 2015 03:34:48 +0000 (19:34 -0800)
Makes KASAN accurately determine the type of the bad access. If the shadow
byte value is in the [0, KASAN_SHADOW_SCALE_SIZE) range we can look at
the next shadow byte to determine the type of the access.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Konstantin Serebryany <kcc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/kasan/report.c

index cdf4c318a8e2915be191ec4c317998eef8838ddd..be53a8f9e5ddc520852a4f5c882636c383ac4ec2 100644 (file)
@@ -50,15 +50,26 @@ static const void *find_first_bad_addr(const void *addr, size_t size)
 static void print_error_description(struct kasan_access_info *info)
 {
        const char *bug_type = "unknown-crash";
-       u8 shadow_val;
+       u8 *shadow_addr;
 
        info->first_bad_addr = find_first_bad_addr(info->access_addr,
                                                info->access_size);
 
-       shadow_val = *(u8 *)kasan_mem_to_shadow(info->first_bad_addr);
+       shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);
 
-       switch (shadow_val) {
+       /*
+        * If shadow byte value is in [0, KASAN_SHADOW_SCALE_SIZE) we can look
+        * at the next shadow byte to determine the type of the bad access.
+        */
+       if (*shadow_addr > 0 && *shadow_addr <= KASAN_SHADOW_SCALE_SIZE - 1)
+               shadow_addr++;
+
+       switch (*shadow_addr) {
        case 0 ... KASAN_SHADOW_SCALE_SIZE - 1:
+               /*
+                * In theory it's still possible to see these shadow values
+                * due to a data race in the kernel code.
+                */
                bug_type = "out-of-bounds";
                break;
        case KASAN_PAGE_REDZONE: