Bug 199341
| Summary: | KASAN: misses underflow in memmove | ||
|---|---|---|---|
| Product: | Memory Management | Reporter: | Dmitry Vyukov (dvyukov) |
| Component: | Sanitizers | Assignee: | Dmitry Vyukov (dvyukov) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | normal | CC: | andreyknvl, kasan-dev, walter-zh.wu |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | ALL | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
Hi, It still has the issue at kernel 5.3-rc1. Maybe We should try to fix the missing underflow issue. I first try to see why the shadow start is equal to shadow end and send the patch to fix it. Thanks. Walter Resolved with [1]. I don't have the permissions to close this bug though. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8cceeff48f23eede76de995df08cf665182ec8fb |
The bug fixed in: commit c769accdf3d8a103940bea2979b65556718567e9 Date: Thu Mar 29 19:05:30 2018 +0900 vlan: Fix vlan insertion for packets without ethernet header caused problems for syzbot. The bug lead to underflow in memmove (a-la memmove(p, y, -2)) which was detected as paging fault in memmove, but also caused a splash of assorted crashes all over the place. While memmove was busy squashing all machine memory, we got crashes in (1) interrupts handled during memmove and (2) on other CPUs. It's a shame that KASAN did not catch it earlier. The following test is indeed not caught by KASAN: volatile char* volatile p = kmalloc(64, GFP_KERNEL); memset((char*)p, 0, 64); memmove((char*)p, (char*)p + 4, -2); kfree((char*)p); Presumably checks here: void *memmove(void *dest, const void *src, size_t len) { check_memory_region((unsigned long)src, len, false, _RET_IP_); check_memory_region((unsigned long)dest, len, true, _RET_IP_); return __memmove(dest, src, len); } got shadow start == end and did not actually check anything. Probably need an explicit overflow check and examine other KASAN interceptors.