+ kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch added to -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Wed, 27 Jun 2018 16:17:47 -0700

The patch titled
     Subject: kasan: fix shadow_size calculation error in kasan_module_alloc
has been added to the -mm tree.  Its filename is
     kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Zhen Lei <thunder.leizhen@xxxxxxxxxx>
Subject: kasan: fix shadow_size calculation error in kasan_module_alloc

There is a special case that the size is "(N << KASAN_SHADOW_SCALE_SHIFT)
Pages plus X", the value of X is [1, KASAN_SHADOW_SCALE_SIZE-1].  The
operation "size >> KASAN_SHADOW_SCALE_SHIFT" will drop X, and the roundup
operation can not retrieve the missed one page.  For example:
size=0x28006, PAGE_SIZE=0x1000, KASAN_SHADOW_SCALE_SHIFT=3, we will get
shadow_size=0x5000, but actually we need 6 pages.

shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE);

This can lead to a kernel crash when kasan is enabled and the value of
mod->core_layout.size or mod->init_layout.size is like above.  Because the
shadow memory of X has not been allocated and mapped.

move_module:
ptr = module_alloc(mod->core_layout.size);
...
memset(ptr, 0, mod->core_layout.size);		//crashed

Unable to handle kernel paging request at virtual address ffff0fffff97b000
......
Call trace:
[<ffff8000004694d4>] __asan_storeN+0x174/0x1a8
[<ffff800000469844>] memset+0x24/0x48
[<ffff80000025cf28>] layout_and_allocate+0xcd8/0x1800
[<ffff80000025dbe0>] load_module+0x190/0x23e8
[<ffff8000002601e8>] SyS_finit_module+0x148/0x180

Link: http://lkml.kernel.org/r/1529659626-12660-1-git-send-email-thunder.leizhen@xxxxxxxxxx
Signed-off-by: Zhen Lei <thunder.leizhen@xxxxxxxxxx>
Reviewed-by: Dmitriy Vyukov <dvyukov@xxxxxxxxxx>
Acked-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
Cc: Alexander Potapenko <glider@xxxxxxxxxx>
Cc: Hanjun Guo <guohanjun@xxxxxxxxxx>
Cc: Libin <huawei.libin@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---


diff -puN mm/kasan/kasan.c~kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc mm/kasan/kasan.c

--- a/mm/kasan/kasan.c~kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc
+++ a/mm/kasan/kasan.c
@@ -619,12 +619,13 @@ void kasan_kfree_large(void *ptr, unsign
 int kasan_module_alloc(void *addr, size_t size)
 {
 	void *ret;
+	size_t scaled_size;
 	size_t shadow_size;
 	unsigned long shadow_start;
 
 	shadow_start = (unsigned long)kasan_mem_to_shadow(addr);
-	shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT,
-			PAGE_SIZE);
+	scaled_size = (size + KASAN_SHADOW_MASK) >> KASAN_SHADOW_SCALE_SHIFT;
+	shadow_size = round_up(scaled_size, PAGE_SIZE);
 
 	if (WARN_ON(!PAGE_ALIGNED(shadow_start)))
 		return -EINVAL;
_

Patches currently in -mm which might be from thunder.leizhen@xxxxxxxxxx are

kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






