On 03/13/2018 08:00 PM, Andrey Konovalov wrote:
> On Tue, Mar 13, 2018 at 4:05 PM, 'Alexander Potapenko' via kasan-dev
> <kasan-dev@xxxxxxxxxxxxxxxx> wrote:
>> On Fri, Mar 2, 2018 at 8:44 PM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
>>> void *kasan_kmalloc_large(const void *ptr, size_t size, gfp_t flags)
>>> {
>>> - return (void *)ptr;
>>> + unsigned long redzone_start, redzone_end;
>>> + u8 tag;
>>> + struct page *page;
>>> +
>>> + if (!READ_ONCE(khwasan_enabled))
>>> + return (void *)ptr;
>>> +
>>> + if (unlikely(ptr == NULL))
>>> + return NULL;
>>> +
>>> + page = virt_to_page(ptr);
>>> + redzone_start = round_up((unsigned long)(ptr + size),
>>> + KASAN_SHADOW_SCALE_SIZE);
>>> + redzone_end = (unsigned long)ptr + (PAGE_SIZE << compound_order(page));
>>> +
>>> + tag = khwasan_random_tag();
>>> + kasan_poison_shadow(ptr, redzone_start - (unsigned long)ptr, tag);
>>> + kasan_poison_shadow((void *)redzone_start, redzone_end - redzone_start,
>>> + khwasan_random_tag());
>
>> Am I understanding right that the object and the redzone may receive
>> identical tags here?
>
> Correct.
>
>> Does it make sense to generate the redzone tag from the object tag
>> (e.g. by adding 1 to it)?
>
> Yes, I think so, will do!
>

Wouldn't it be better to have some reserved tag value for invalid memory (redzones/free), so that we catch access to such memory with 100% probability?
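Review bot: the two kasan_poison_shadow() calls at the end of the hunk draw the object tag and the redzone tag independently from khwasan_random_tag(), so the redzone carries the object's own tag with probability one in the number of possible tag values, and an access just past redzone_start is then indistinguishable from an in-bounds one; derive the redzone tag from `tag` (for example `tag + 1`) or poison redzones with a tag reserved for invalid memory so the mismatch is guaranteed rather than probabilistic. Note also that redzone_start is `round_up((unsigned long)(ptr + size), KASAN_SHADOW_SCALE_SIZE)`, so the bytes between ptr + size and redzone_start are tagged with `tag` and an overflow that stays inside that final granule is not detected; that is inherent to the granule size, but it deserves a comment next to the round_up().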
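As an added illustration of the tagging question discussed in this thread (constructed model, not code from the patch or the kernel), the following C program compares the three redzone-tagging choices raised above: an independent random tag, the object tag plus one, and a reserved invalid-memory tag, counting over every candidate second tag how often an access to the first redzone byte goes undetected. GRANULE, REGION_GRANULES, INVALID_TAG and the scheme names are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code. GRANULE stands in for KASAN_SHADOW_SCALE_SIZE
 * (assumed 16 here); INVALID_TAG is a hypothetical reserved tag for redzones/free memory. */
#define GRANULE         16
#define REGION_GRANULES 8     /* object plus trailing redzone (constructed) */
#define INVALID_TAG     0xFE

enum scheme { INDEPENDENT_RANDOM, OBJECT_TAG_PLUS_ONE, RESERVED_TAG };
struct region { uint8_t shadow[REGION_GRANULES]; size_t obj_granules; };
/* Mirrors the two kasan_poison_shadow() calls: tag the object, then the redzone. */
static void tag_region(struct region *r, uint8_t obj_tag, uint8_t random_tag, enum scheme s)
{
	uint8_t rz_tag = INVALID_TAG;                   /* RESERVED_TAG */
	if (s == INDEPENDENT_RANDOM)
		rz_tag = random_tag;                    /* may collide with obj_tag */
	else if (s == OBJECT_TAG_PLUS_ONE)
		rz_tag = (uint8_t)(obj_tag + 1);        /* always differs from obj_tag */
	memset(r->shadow, obj_tag, r->obj_granules);
	memset(r->shadow + r->obj_granules, rz_tag, REGION_GRANULES - r->obj_granules);
}

/* A tagged pointer may touch a byte only if its tag matches that granule's shadow. */
static int access_allowed(const struct region *r, uint8_t ptr_tag, size_t offset)
{
	return offset < REGION_GRANULES * GRANULE && r->shadow[offset / GRANULE] == ptr_tag;
}

/* Over all 256 candidate second random tags, count how often an access to the
 * first byte past the object (i.e. into the redzone) goes undetected. */
static int undetected_overflows(enum scheme s, uint8_t obj_tag)
{
	int misses = 0;
	for (int rnd = 0; rnd < 256; rnd++) {
		struct region r = { .obj_granules = 5 };
		tag_region(&r, obj_tag, (uint8_t)rnd, s);
		if (access_allowed(&r, obj_tag, r.obj_granules * GRANULE))
			misses++;
	}
	return misses;  /* INDEPENDENT_RANDOM: 1 of 256; the other two schemes: 0 */
}

int main(void)
{
	for (enum scheme s = INDEPENDENT_RANDOM; s <= RESERVED_TAG; s++)
		printf("scheme %d: %d of 256 overflows undetected\n", s, undetected_overflows(s, 0x42));
}
```

The reserved-tag scheme only gives the guarantee if the random tag generator never hands the reserved value to an object; the model shows every overflow slipping through when it does.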