Bug 199341

Summary: KASAN: misses underflow in memmove
Product: Memory Management
Component: Sanitizers
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: ALL
Subsystem:
Regression: No
Bisected commit-id:
Reporter: Dmitry Vyukov (dvyukov)
Assignee: Dmitry Vyukov (dvyukov)
CC: andreyknvl, kasan-dev, walter-zh.wu

Description Dmitry Vyukov 2018-04-10 09:56:50 UTC
The bug fixed in:

commit c769accdf3d8a103940bea2979b65556718567e9
Date:   Thu Mar 29 19:05:30 2018 +0900
    vlan: Fix vlan insertion for packets without ethernet header

caused problems for syzbot.
The bug led to underflow in memmove (a-la memmove(p, y, -2)) which was detected as a paging fault in memmove, but also caused a splash of assorted crashes all over the place. While memmove was busy squashing all machine memory, we got crashes in (1) interrupts handled during memmove and (2) on other CPUs.

It's a shame that KASAN did not catch it earlier.

The following test is indeed not caught by KASAN:

	volatile char* volatile p = kmalloc(64, GFP_KERNEL);
	memset((char*)p, 0, 64);
	memmove((char*)p, (char*)p + 4, -2);

Presumably checks here:

void *memmove(void *dest, const void *src, size_t len)
{
	check_memory_region((unsigned long)src, len, false, _RET_IP_);
	check_memory_region((unsigned long)dest, len, true, _RET_IP_);

	return __memmove(dest, src, len);
}

got shadow start == end and did not actually check anything.

Probably need an explicit overflow check and examine other KASAN interceptors.
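
An added illustration, not part of the bug report or the kernel source: a user-space C model of the shadow-range arithmetic suspected above, next to the explicit overflow check the report asks for. It assumes generic KASAN's 8-byte granule and an end bound computed as shadow(addr + size - 1) + 1; the function names and the sample address are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: generic KASAN granule, one shadow byte per 8 bytes of memory. */
#define SHADOW_SCALE_SHIFT 3

/* Shadow index of an address; the constant shadow offset is omitted
 * because it cancels out when two shadow addresses are subtracted. */
static uint64_t mem_to_shadow(uint64_t addr)
{
	return addr >> SHADOW_SCALE_SHIFT;
}

/* Shadow bytes a range check would scan for [addr, addr + size) when the
 * end bound is shadow(addr + size - 1) + 1 and wraparound is not checked. */
uint64_t shadow_bytes_scanned(uint64_t addr, uint64_t size)
{
	uint64_t start = mem_to_shadow(addr);
	uint64_t end = mem_to_shadow(addr + size - 1) + 1;

	return end > start ? end - start : 0;
}

/* The explicit overflow check: a "negative" size makes addr + size wrap. */
bool range_wraps(uint64_t addr, uint64_t size)
{
	return addr + size < addr;
}

int main(void)
{
	uint64_t p = UINT64_C(0xffff888000001000); /* constructed, 8-byte aligned */
	uint64_t len = (uint64_t)-2;               /* the -2 from the test above */

	printf("dest p,   len 64: %llu shadow bytes\n",
	       (unsigned long long)shadow_bytes_scanned(p, 64));
	printf("dest p,   len -2: %llu shadow bytes\n",
	       (unsigned long long)shadow_bytes_scanned(p, len));
	printf("src  p+4, len -2: %llu shadow bytes\n",
	       (unsigned long long)shadow_bytes_scanned(p + 4, len));
	printf("wrap check: len 64 -> %d, len -2 -> %d\n",
	       range_wraps(p, 64), range_wraps(p, len));
	return 0;
}
```

In this model the destination check scans no shadow bytes at all and the source check scans only the one byte covering the valid allocation, so neither can report; the wrap check flags both before any shadow lookup.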

Comment 1 Walter Wu 2019-09-25 15:22:04 UTC
It still has the issue at kernel 5.3-rc1. Maybe we should try to fix the missing underflow issue.
I will first try to see why the shadow start is equal to the shadow end, and then send a patch to fix it.

Comment 2 Andrey Konovalov 2021-11-14 21:42:46 UTC
Resolved with [1].

I don't have the permissions to close this bug though.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8cceeff48f23eede76de995df08cf665182ec8fb