summaryrefslogtreecommitdiffstats
path: root/mm/kasan
diff options
context:
space:
mode:
authorAndrey Konovalov <andreyknvl@google.com>2015-11-05 18:51:01 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2015-11-05 19:34:48 -0800
commitcdf6a273dc4346277ab9d148ef29f6e058624a8c (patch)
treeaed1e0d52ada95dd706597679d80d770fe6deb7f /mm/kasan
parent0952d87fd6a6211ac51b2abdc5c066b49c651fd8 (diff)
downloadlinux-stable-cdf6a273dc4346277ab9d148ef29f6e058624a8c.tar.gz
linux-stable-cdf6a273dc4346277ab9d148ef29f6e058624a8c.tar.bz2
linux-stable-cdf6a273dc4346277ab9d148ef29f6e058624a8c.zip
kasan: accurately determine the type of the bad access
Makes KASAN accurately determine the type of the bad access. If the shadow byte value is in the [0, KASAN_SHADOW_SCALE_SIZE) range we can look at the next shadow byte to determine the type of the access. Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Konstantin Serebryany <kcc@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm/kasan')
-rw-r--r--mm/kasan/report.c17
1 files changed, 14 insertions, 3 deletions
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index cdf4c318a8e2..be53a8f9e5dd 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -50,15 +50,26 @@ static const void *find_first_bad_addr(const void *addr, size_t size)
static void print_error_description(struct kasan_access_info *info)
{
const char *bug_type = "unknown-crash";
- u8 shadow_val;
+ u8 *shadow_addr;
info->first_bad_addr = find_first_bad_addr(info->access_addr,
info->access_size);
- shadow_val = *(u8 *)kasan_mem_to_shadow(info->first_bad_addr);
+ shadow_addr = (u8 *)kasan_mem_to_shadow(info->first_bad_addr);
- switch (shadow_val) {
+ /*
+ * If shadow byte value is in [0, KASAN_SHADOW_SCALE_SIZE) we can look
+ * at the next shadow byte to determine the type of the bad access.
+ */
+ if (*shadow_addr > 0 && *shadow_addr <= KASAN_SHADOW_SCALE_SIZE - 1)
+ shadow_addr++;
+
+ switch (*shadow_addr) {
case 0 ... KASAN_SHADOW_SCALE_SIZE - 1:
+ /*
+ * In theory it's still possible to see these shadow values
+ * due to a data race in the kernel code.
+ */
bug_type = "out-of-bounds";
break;
case KASAN_PAGE_REDZONE: