On Mon, 2023-01-23 at 22:46 +0100, Andrey Konovalov wrote:
> On Wed, Jan 18, 2023 at 10:39 AM Kuan-Ying Lee
> <Kuan-Ying.Lee@xxxxxxxxxxxx> wrote:
> >
> > We scan the shadow memory to infer the requested size instead of
> > printing cache->object_size directly.
> >
> > This patch will fix the confusing kasan slab-out-of-bounds
> > report like below. [1]
> > Report shows "cache kmalloc-192 of size 192", but user
> > actually kmalloc(184).
> >
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in _find_next_bit+0x143/0x160
> > lib/find_bit.c:109
> > Read of size 8 at addr ffff8880175766b8 by task kworker/1:1/26
> > ...
> > The buggy address belongs to the object at ffff888017576600
> >  which belongs to the cache kmalloc-192 of size 192
> > The buggy address is located 184 bytes inside of
> >  192-byte region [ffff888017576600, ffff8880175766c0)
> > ...
> > Memory state around the buggy address:
> >  ffff888017576580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> >  ffff888017576600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >ffff888017576680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
> >                                         ^
> >  ffff888017576700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >  ffff888017576780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > ==================================================================
> >
> > After this patch, slab-out-of-bounds report will show as below.
> > ==================================================================
> > ...
> > The buggy address belongs to the object at ffff888017576600
> >  which belongs to the cache kmalloc-192 of size 192
> > The buggy address is located 0 bytes right of
> >  allocated 184-byte region [ffff888017576600, ffff8880175766b8)
> > ...
> > ==================================================================
> >
> > Link: https://bugzilla.kernel.org/show_bug.cgi?id=216457 [1]
> >
> > Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@xxxxxxxxxxxx>
> > ---
> > V1 -> V2:
> > - Implement getting allocated size of object for tag-based kasan.
> > - Refine the kasan report.
> > - Check if it is slab-out-of-bounds report type.
> > - Thanks for Andrey and Dmitry suggestion.
>
> Hi Kuan-Ying,
>
> I came up with a few more things to fix while testing your patch and
> decided to address them myself. Please check the v3 here:
>
> https://github.com/xairy/linux/commit/012a584a9f11ba08a6051b075f7fd0a0eb54c719
>
> The significant changes are to print "freed" for a slab-use-after-free
> and only print the region state for the Generic mode (printing it for
> Tag-Based modes doesn't work properly atm, see the comment in the
> code). The rest is clean-ups and a few added comments. See the full
> list of changes in the commit message.
>
> Please check whether this v3 looks good to you, and then feel free to
> submit it.

It looks good to me. I will send the v3. Thank you.

> Thank you!
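The shadow-memory walk that the patch description refers to, modelled in user space as an added example (this is not the patch's or the kernel's code). The names infer_alloc_size, bytes_right_of_alloc, shadow_184 and shadow_180 are assumed, and the shadow arrays are constructed to match the kmalloc-192 object in the report above; the 8-byte granule and the 0xfc redzone value are those of Generic KASAN.

```c
#include <stddef.h>
#include <stdint.h>

#define KASAN_GRANULE_SIZE 8
#define KASAN_SLAB_REDZONE 0xfc /* Generic-mode shadow value for slab redzones */

/* Walk an object's shadow bytes (one per 8-byte granule) to infer the size the
 * caller requested: 0 = granule fully addressable, 1..7 = only that many
 * leading bytes, anything else (e.g. 0xfc) = poisoned, ending the region. */
size_t infer_alloc_size(const uint8_t *shadow, size_t object_size)
{
    size_t alloc = 0;
    for (size_t i = 0; i < object_size / KASAN_GRANULE_SIZE; i++) {
        if (shadow[i] == 0) {
            alloc += KASAN_GRANULE_SIZE;
            continue;
        }
        if (shadow[i] < KASAN_GRANULE_SIZE)
            alloc += shadow[i]; /* partially used last granule */
        break;
    }
    return alloc;
}

/* Bytes between the end of the allocated region and the faulting address, as
 * the improved report phrases it ("N bytes right of allocated M-byte region");
 * 0 for an address inside the region. */
uint64_t bytes_right_of_alloc(uint64_t obj, size_t alloc, uint64_t addr)
{
    return addr >= obj + alloc ? addr - (obj + alloc) : 0;
}

/* Constructed shadow for the kmalloc-192 object in the report above: 24
 * granules, the first 23 (184 bytes) addressable, the last one redzone. */
static const uint8_t shadow_184[24] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, KASAN_SLAB_REDZONE,
};

/* Constructed variant for kmalloc(180): granule 22 holds only 4 valid bytes. */
static const uint8_t shadow_180[24] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 4, KASAN_SLAB_REDZONE,
};
```

Running the walk over shadow_184 yields the 184-byte region the corrected report prints, and the faulting address ffff8880175766b8 comes out exactly 0 bytes right of it.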