On Thu, Jun 1, 2017 at 7:05 PM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote: >>>>>>> We used to read several bytes of the shadow memory in advance. >>>>>>> Therefore additional shadow memory mapped to prevent crash if >>>>>>> speculative load would happen near the end of the mapped shadow memory. >>>>>>> >>>>>>> Now we don't have such speculative loads, so we no longer need to map >>>>>>> additional shadow memory. >>>>>> >>>>>> I see that patch 1 fixed up the Linux helpers for outline >>>>>> instrumentation. >>>>>> >>>>>> Just to check, is it also true that the inline instrumentation never >>>>>> performs unaligned accesses to the shadow memory? >>>>> >>> >>> Correct, inline instrumentation assumes that all accesses are properly aligned as it >>> required by C standard. I knew that the kernel violates this rule in many places, >>> therefore I decided to add checks for unaligned accesses in outline case. >>> >>> >>>>> Inline instrumentation generally accesses only a single byte. >>>> >>>> Sorry to be a little pedantic, but does that mean we'll never access the >>>> additional shadow, or does that mean it's very unlikely that we will? >>>> >>>> I'm guessing/hoping it's the former! >>>> >>> >>> Outline will never access additional shadow byte: https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm#unaligned-accesses >> >> s/Outline/inline of course. > > > I suspect that actual implementations have diverged from that > description. Trying to follow asan_expand_check_ifn in: > https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/asan.c?revision=246703&view=markup > but it's not trivial. > > +Yuri, maybe you know off the top of your head if asan instrumentation > in gcc ever accesses off-by-one shadow byte (i.e. 1 byte after actual > object end)? Thinking of this more. There is at least 1 case in user-space asan where off-by-one shadow access would lead to similar crashes: for mmap-ed regions we don't have redzones and map shadow only for the region itself, so any off-by-one access would lead to crashes. So I guess we are safe here. Or at least any crash would be gcc bug. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
