On 09/09/2015 01:22 PM, long.wanglong wrote: > On 2015/9/9 17:40, Andrey Ryabinin wrote: >> 2015-09-09 6:59 GMT+03:00 Wang Long <long.wanglong@xxxxxxxxxx>: >>> The current KASAN code can find the following out-of-bounds >>> bugs: >>> char *ptr; >>> ptr = kmalloc(8, GFP_KERNEL); >>> memset(ptr+7, 0, 2); >>> >>> the cause of the problem is the type conversion error in >>> *memory_is_poisoned_n* function. So this patch fix that. >>> >>> Signed-off-by: Wang Long <long.wanglong@xxxxxxxxxx> >>> --- >>> mm/kasan/kasan.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c >>> index 7b28e9c..5d65d06 100644 >>> --- a/mm/kasan/kasan.c >>> +++ b/mm/kasan/kasan.c >>> @@ -204,7 +204,7 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, >>> s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void *)last_byte); >>> >>> if (unlikely(ret != (unsigned long)last_shadow || >>> - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) >>> + ((long)(last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) >> >> Is there any problem if we just define last_byte as 'long' instead of >> 'unsigned long' ? > > yes, I think it is not OK, because on my test, if we define last_byte as 'long' > instead of 'unsigned long', the bug we talk about can not be found. > Ah, right, even if we declare last_byte as signed, 'last_byte & KASAN_SHADOW_MASK' still will be unsigned, so this won't work. So, please, fix up changelog according to Vladimir, and you may consider this patch Acked-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx> -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>