Bug 199341 - KASAN: misses underflow in memmove
Summary: KASAN: misses underflow in memmove
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All Linux
: P1 normal
Assignee: Dmitry Vyukov
Depends on:
Reported: 2018-04-10 09:56 UTC by Dmitry Vyukov
Modified: 2021-11-15 07:19 UTC
3 users

See Also:
Kernel Version: ALL
Regression: No
Bisected commit-id:


Description Dmitry Vyukov 2018-04-10 09:56:50 UTC
The bug fixed in:

commit c769accdf3d8a103940bea2979b65556718567e9
Date:   Thu Mar 29 19:05:30 2018 +0900
    vlan: Fix vlan insertion for packets without ethernet header

caused problems for syzbot.
The bug led to an underflow in memmove (à la memmove(p, y, -2)), which was detected as a paging fault in memmove, but also caused a splash of assorted crashes all over the place. While memmove was busy squashing all machine memory, we got crashes in (1) interrupts handled during memmove and (2) on other CPUs.

It's a shame that KASAN did not catch it earlier.

The following test is indeed not caught by KASAN:

	volatile char* volatile p = kmalloc(64, GFP_KERNEL);
	memset((char*)p, 0, 64);
	memmove((char*)p, (char*)p + 4, -2);

Presumably checks here:

void *memmove(void *dest, const void *src, size_t len)
{
	check_memory_region((unsigned long)src, len, false, _RET_IP_);
	check_memory_region((unsigned long)dest, len, true, _RET_IP_);

	return __memmove(dest, src, len);
}

got shadow start == end and did not actually check anything.

Probably need an explicit overflow check and examine other KASAN interceptors.
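An added userspace model (not code from the report or from the kernel) of the shadow arithmetic the description points at: with one shadow byte per 8-byte granule, a size of (size_t)-2 makes "shadow(addr + size - 1) + 1" land on or right next to shadow(addr), so the range walk inspects zero or one shadow bytes and nothing is reported, while an explicit wraparound test catches the size before any shadow is consulted. SHADOW_OFFSET and the addresses used are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the generic KASAN shadow mapping: one shadow byte
 * covers an 8-byte granule, shadow address = (addr >> 3) + SHADOW_OFFSET.
 * SHADOW_OFFSET is a made-up constant; only the arithmetic matters here. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define SHADOW_OFFSET 0x100000000UL

static uintptr_t mem_to_shadow(uintptr_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + SHADOW_OFFSET;
}

/* Number of shadow bytes a check of [addr, addr + size) would walk when the
 * range is computed as start = shadow(addr), end = shadow(addr + size - 1) + 1.
 * Returns 0 when start >= end, i.e. when the walk degenerates into "nothing
 * to check", which is the situation the bug report describes. */
size_t shadow_bytes_checked(uintptr_t addr, size_t size)
{
	uintptr_t start = mem_to_shadow(addr);
	uintptr_t end = mem_to_shadow(addr + size - 1) + 1;

	return end > start ? end - start : 0;
}

/* The explicit overflow check the report asks for: a huge "negative" size
 * makes addr + size wrap around to a value below addr. Unsigned arithmetic
 * is well defined, so this is a safe test to run before walking shadow. */
bool range_wraps(uintptr_t addr, size_t size)
{
	return addr + size < addr;
}

int main(void)
{
	uintptr_t p = 0x1000;              /* constructed stand-in for kmalloc(64) */
	size_t bad = (size_t)-2;           /* the len passed in the reproducer */

	printf("memset(p, 0, 64):          %zu shadow bytes walked\n",
	       shadow_bytes_checked(p, 64));
	printf("memmove dest p, len -2:    %zu shadow bytes walked\n",
	       shadow_bytes_checked(p, bad));
	printf("memmove src p+4, len -2:   %zu shadow bytes walked\n",
	       shadow_bytes_checked(p + 4, bad));
	printf("range_wraps(p, -2) = %d, range_wraps(p, 64) = %d\n",
	       range_wraps(p, bad), range_wraps(p, 64));
	return 0;
}
```

The src case (p + 4) walks exactly one shadow byte, the granule holding the start of a live allocation, so it too passes silently; only the wraparound test rejects the call.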
Comment 1 Walter Wu 2019-09-25 15:22:04 UTC

It still has the issue at kernel 5.3-rc1. Maybe we should try to fix the missing underflow issue.
I'll first try to see why the shadow start is equal to the shadow end and send a patch to fix it.

Comment 2 Andrey Konovalov 2021-11-14 21:42:46 UTC
Resolved with [1].

I don't have the permissions to close this bug though.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8cceeff48f23eede76de995df08cf665182ec8fb
