[PATCH 1/2] kasan: detect negative size in memory operation function
25 views
Skip to first unread message
Walter Wu
Oct 14, 2019, 6:36:38 AM10/14/19
to Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, linux-ar...@lists.infradead.org, linux-m...@lists.infradead.org, wsd_up...@mediatek.com, Walter Wu
KASAN missed detecting size is negative numbers in memset(), memcpy(),
and memmove(), it will cause out-of-bounds bug, so needs to be detected
by KASAN.
If size is negative numbers, then it has three reasons to be
defined as heap-out-of-bounds bug type.
1) Casting negative numbers to size_t would indeed turn up as
a large size_t and its value will be larger than ULONG_MAX/2,
so that this can qualify as out-of-bounds.
2) If KASAN has new bug type and user-space passes negative size,
then there are duplicate reports. So don't produce new bug type
in order to prevent duplicate reports by some systems (e.g. syzbot)
to report the same bug twice.
3) When size is negative numbers, it may be passed from user-space.
So we always print heap-out-of-bounds in order to prevent that
kernel-space and user-space have the same bug but have duplicate
reports.
KASAN report:
BUG: KASAN: heap-out-of-bounds in kmalloc_memmove_invalid_size+0x70/0xa0
Read of size 18446744073709551608 at addr ffffff8069660904 by task cat/72
CPU: 2 PID: 72 Comm: cat Not tainted 5.4.0-rc1-next-20191004ajb-00001-gdb8af2f372b2-dirty #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x288
show_stack+0x14/0x20
dump_stack+0x10c/0x164
print_address_description.isra.9+0x68/0x378
__kasan_report+0x164/0x1a0
kasan_report+0xc/0x18
check_memory_region+0x174/0x1d0
memmove+0x34/0x88
kmalloc_memmove_invalid_size+0x70/0xa0
[1] https://bugzilla.kernel.org/show_bug.cgi?id=199341
Signed-off-by: Walter Wu <walter...@mediatek.com>
Reported -by: Dmitry Vyukov <dvy...@google.com>
Suggested-by: Dmitry Vyukov <dvy...@google.com>
---
mm/kasan/common.c | 13 ++++++++-----
mm/kasan/generic.c | 5 +++++
mm/kasan/generic_report.c | 18 ++++++++++++++++++
mm/kasan/tags.c | 5 +++++
mm/kasan/tags_report.c | 18 ++++++++++++++++++
5 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index 6814d6d6a023..6ef0abd27f06 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -102,7 +102,8 @@ EXPORT_SYMBOL(__kasan_check_write);
#undef memset
void *memset(void *addr, int c, size_t len)
{
- check_memory_region((unsigned long)addr, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)addr, len, true, _RET_IP_))
+ return NULL;
return __memset(addr, c, len);
}
@@ -110,8 +111,9 @@ void *memset(void *addr, int c, size_t len)
#undef memmove
void *memmove(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
+ return NULL;
return __memmove(dest, src, len);
}
@@ -119,8 +121,9 @@ void *memmove(void *dest, const void *src, size_t len)
#undef memcpy
void *memcpy(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
+ return NULL;
return __memcpy(dest, src, len);
}
diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c
index 616f9dd82d12..02148a317d27 100644
--- a/mm/kasan/generic.c
+++ b/mm/kasan/generic.c
@@ -173,6 +173,11 @@ static __always_inline bool check_memory_region_inline(unsigned long addr,
if (unlikely(size == 0))
return true;
+ if (unlikely((long)size < 0)) {
+ kasan_report(addr, size, write, ret_ip);
+ return false;
+ }
+
if (unlikely((void *)addr <
kasan_shadow_to_mem((void *)KASAN_SHADOW_START))) {
kasan_report(addr, size, write, ret_ip);
diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c
index 36c645939bc9..52a92c7db697 100644
--- a/mm/kasan/generic_report.c
+++ b/mm/kasan/generic_report.c
@@ -107,6 +107,24 @@ static const char *get_wild_bug_type(struct kasan_access_info *info)
const char *get_bug_type(struct kasan_access_info *info)
{
+ /*
+ * If access_size is negative numbers, then it has three reasons
+ * to be defined as heap-out-of-bounds bug type.
+ * 1) Casting negative numbers to size_t would indeed turn up as
+ * a large size_t and its value will be larger than ULONG_MAX/2,
+ * so that this can qualify as out-of-bounds.
+ * 2) If KASAN has new bug type and user-space passes negative size,
+ * then there are duplicate reports. So don't produce new bug type
+ * in order to prevent duplicate reports by some systems
+ * (e.g. syzbot) to report the same bug twice.
+ * 3) When size is negative numbers, it may be passed from user-space.
+ * So we always print heap-out-of-bounds in order to prevent that
+ * kernel-space and user-space have the same bug but have duplicate
+ * reports.
+ */
+ if ((long)info->access_size < 0)
+ return "heap-out-of-bounds";
+
if (addr_has_shadow(info->access_addr))
return get_shadow_bug_type(info);
return get_wild_bug_type(info);
diff --git a/mm/kasan/tags.c b/mm/kasan/tags.c
index 0e987c9ca052..b829535a3ad7 100644
--- a/mm/kasan/tags.c
+++ b/mm/kasan/tags.c
@@ -86,6 +86,11 @@ bool check_memory_region(unsigned long addr, size_t size, bool write,
if (unlikely(size == 0))
return true;
+ if (unlikely((long)size < 0)) {
+ kasan_report(addr, size, write, ret_ip);
+ return false;
+ }
+
tag = get_tag((const void *)addr);
/*
diff --git a/mm/kasan/tags_report.c b/mm/kasan/tags_report.c
index 969ae08f59d7..f7ae474aef3a 100644
--- a/mm/kasan/tags_report.c
+++ b/mm/kasan/tags_report.c
@@ -36,6 +36,24 @@
const char *get_bug_type(struct kasan_access_info *info)
{
+ /*
+ * If access_size is negative numbers, then it has three reasons
+ * to be defined as heap-out-of-bounds bug type.
+ * 1) Casting negative numbers to size_t would indeed turn up as
+ * a large size_t and its value will be larger than ULONG_MAX/2,
+ * so that this can qualify as out-of-bounds.
+ * 2) If KASAN has new bug type and user-space passes negative size,
+ * then there are duplicate reports. So don't produce new bug type
+ * in order to prevent duplicate reports by some systems
+ * (e.g. syzbot) to report the same bug twice.
+ * 3) When size is negative numbers, it may be passed from user-space.
+ * So we always print heap-out-of-bounds in order to prevent that
+ * kernel-space and user-space have the same bug but have duplicate
+ * reports.
+ */
+ if ((long)info->access_size < 0)
+ return "heap-out-of-bounds";
+
#ifdef CONFIG_KASAN_SW_TAGS_IDENTIFY
struct kasan_alloc_meta *alloc_meta;
struct kmem_cache *cache;
--
2.18.0
and memmove(), it will cause out-of-bounds bug, so needs to be detected
by KASAN.
If size is negative numbers, then it has three reasons to be
defined as heap-out-of-bounds bug type.
1) Casting negative numbers to size_t would indeed turn up as
a large size_t and its value will be larger than ULONG_MAX/2,
so that this can qualify as out-of-bounds.
2) If KASAN has new bug type and user-space passes negative size,
then there are duplicate reports. So don't produce new bug type
in order to prevent duplicate reports by some systems (e.g. syzbot)
to report the same bug twice.
3) When size is negative numbers, it may be passed from user-space.
So we always print heap-out-of-bounds in order to prevent that
kernel-space and user-space have the same bug but have duplicate
reports.
KASAN report:
BUG: KASAN: heap-out-of-bounds in kmalloc_memmove_invalid_size+0x70/0xa0
Read of size 18446744073709551608 at addr ffffff8069660904 by task cat/72
CPU: 2 PID: 72 Comm: cat Not tainted 5.4.0-rc1-next-20191004ajb-00001-gdb8af2f372b2-dirty #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x288
show_stack+0x14/0x20
dump_stack+0x10c/0x164
print_address_description.isra.9+0x68/0x378
__kasan_report+0x164/0x1a0
kasan_report+0xc/0x18
check_memory_region+0x174/0x1d0
memmove+0x34/0x88
kmalloc_memmove_invalid_size+0x70/0xa0
[1] https://bugzilla.kernel.org/show_bug.cgi?id=199341
Signed-off-by: Walter Wu <walter...@mediatek.com>
Reported -by: Dmitry Vyukov <dvy...@google.com>
Suggested-by: Dmitry Vyukov <dvy...@google.com>
---
mm/kasan/common.c | 13 ++++++++-----
mm/kasan/generic.c | 5 +++++
mm/kasan/generic_report.c | 18 ++++++++++++++++++
mm/kasan/tags.c | 5 +++++
mm/kasan/tags_report.c | 18 ++++++++++++++++++
5 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index 6814d6d6a023..6ef0abd27f06 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -102,7 +102,8 @@ EXPORT_SYMBOL(__kasan_check_write);
#undef memset
void *memset(void *addr, int c, size_t len)
{
- check_memory_region((unsigned long)addr, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)addr, len, true, _RET_IP_))
+ return NULL;
return __memset(addr, c, len);
}
@@ -110,8 +111,9 @@ void *memset(void *addr, int c, size_t len)
#undef memmove
void *memmove(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
+ return NULL;
return __memmove(dest, src, len);
}
@@ -119,8 +121,9 @@ void *memmove(void *dest, const void *src, size_t len)
#undef memcpy
void *memcpy(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
+ return NULL;
return __memcpy(dest, src, len);
}
diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c
index 616f9dd82d12..02148a317d27 100644
--- a/mm/kasan/generic.c
+++ b/mm/kasan/generic.c
@@ -173,6 +173,11 @@ static __always_inline bool check_memory_region_inline(unsigned long addr,
if (unlikely(size == 0))
return true;
+ if (unlikely((long)size < 0)) {
+ kasan_report(addr, size, write, ret_ip);
+ return false;
+ }
+
if (unlikely((void *)addr <
kasan_shadow_to_mem((void *)KASAN_SHADOW_START))) {
kasan_report(addr, size, write, ret_ip);
diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c
index 36c645939bc9..52a92c7db697 100644
--- a/mm/kasan/generic_report.c
+++ b/mm/kasan/generic_report.c
@@ -107,6 +107,24 @@ static const char *get_wild_bug_type(struct kasan_access_info *info)
const char *get_bug_type(struct kasan_access_info *info)
{
+ /*
+ * If access_size is negative numbers, then it has three reasons
+ * to be defined as heap-out-of-bounds bug type.
+ * 1) Casting negative numbers to size_t would indeed turn up as
+ * a large size_t and its value will be larger than ULONG_MAX/2,
+ * so that this can qualify as out-of-bounds.
+ * 2) If KASAN has new bug type and user-space passes negative size,
+ * then there are duplicate reports. So don't produce new bug type
+ * in order to prevent duplicate reports by some systems
+ * (e.g. syzbot) to report the same bug twice.
+ * 3) When size is negative numbers, it may be passed from user-space.
+ * So we always print heap-out-of-bounds in order to prevent that
+ * kernel-space and user-space have the same bug but have duplicate
+ * reports.
+ */
+ if ((long)info->access_size < 0)
+ return "heap-out-of-bounds";
+
if (addr_has_shadow(info->access_addr))
return get_shadow_bug_type(info);
return get_wild_bug_type(info);
diff --git a/mm/kasan/tags.c b/mm/kasan/tags.c
index 0e987c9ca052..b829535a3ad7 100644
--- a/mm/kasan/tags.c
+++ b/mm/kasan/tags.c
@@ -86,6 +86,11 @@ bool check_memory_region(unsigned long addr, size_t size, bool write,
if (unlikely(size == 0))
return true;
+ if (unlikely((long)size < 0)) {
+ kasan_report(addr, size, write, ret_ip);
+ return false;
+ }
+
tag = get_tag((const void *)addr);
/*
diff --git a/mm/kasan/tags_report.c b/mm/kasan/tags_report.c
index 969ae08f59d7..f7ae474aef3a 100644
--- a/mm/kasan/tags_report.c
+++ b/mm/kasan/tags_report.c
@@ -36,6 +36,24 @@
const char *get_bug_type(struct kasan_access_info *info)
{
+ /*
+ * If access_size is negative numbers, then it has three reasons
+ * to be defined as heap-out-of-bounds bug type.
+ * 1) Casting negative numbers to size_t would indeed turn up as
+ * a large size_t and its value will be larger than ULONG_MAX/2,
+ * so that this can qualify as out-of-bounds.
+ * 2) If KASAN has new bug type and user-space passes negative size,
+ * then there are duplicate reports. So don't produce new bug type
+ * in order to prevent duplicate reports by some systems
+ * (e.g. syzbot) to report the same bug twice.
+ * 3) When size is negative numbers, it may be passed from user-space.
+ * So we always print heap-out-of-bounds in order to prevent that
+ * kernel-space and user-space have the same bug but have duplicate
+ * reports.
+ */
+ if ((long)info->access_size < 0)
+ return "heap-out-of-bounds";
+
#ifdef CONFIG_KASAN_SW_TAGS_IDENTIFY
struct kasan_alloc_meta *alloc_meta;
struct kmem_cache *cache;
--
2.18.0
Dmitry Vyukov
Oct 14, 2019, 6:40:49 AM10/14/19
to Walter Wu, Andrey Ryabinin, Alexander Potapenko, Matthias Brugger, kasan-dev, Linux-MM, LKML, Linux ARM, linux-m...@lists.infradead.org, wsd_upstream
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20191014103632.17930-1-walter-zh.wu%40mediatek.com.
Matthew Wilcox
Oct 14, 2019, 11:05:14 AM10/14/19
to Walter Wu, Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, linux-ar...@lists.infradead.org, linux-m...@lists.infradead.org, wsd_up...@mediatek.com
On Mon, Oct 14, 2019 at 06:36:32PM +0800, Walter Wu wrote:
> @@ -110,8 +111,9 @@ void *memset(void *addr, int c, size_t len)
> #undef memmove
> void *memmove(void *dest, const void *src, size_t len)
> {
> - check_memory_region((unsigned long)src, len, false, _RET_IP_);
> - check_memory_region((unsigned long)dest, len, true, _RET_IP_);
> + if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
> + !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
This indentation is wrong. Should be:
> @@ -110,8 +111,9 @@ void *memset(void *addr, int c, size_t len)
> #undef memmove
> void *memmove(void *dest, const void *src, size_t len)
> {
> - check_memory_region((unsigned long)src, len, false, _RET_IP_);
> - check_memory_region((unsigned long)dest, len, true, _RET_IP_);
> + if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
> + !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
+ if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
(also in one subsequent function)
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
Walter Wu
Oct 14, 2019, 11:58:53 AM10/14/19
to Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, linux-ar...@lists.infradead.org, linux-m...@lists.infradead.org, wsd_up...@mediatek.com, Walter Wu
KASAN missed detecting size is negative numbers in memset(), memcpy(),
and memmove(), it will cause underflow bug, so needs to be detected
fix the indentation, thanks for the reminder Matthew.
Signed-off-by: Walter Wu <walter...@mediatek.com>
Reported -by: Dmitry Vyukov <dvy...@google.com>
Suggested-by: Dmitry Vyukov <dvy...@google.com>
Reviewed-by: Dmitry Vyukov <dvy...@google.com>
---
mm/kasan/common.c | 13 ++++++++-----
mm/kasan/generic.c | 5 +++++
mm/kasan/generic_report.c | 18 ++++++++++++++++++
mm/kasan/tags.c | 5 +++++
mm/kasan/tags_report.c | 18 ++++++++++++++++++
5 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -102,7 +102,8 @@ EXPORT_SYMBOL(__kasan_check_write);
#undef memset
+++ b/mm/kasan/common.c
@@ -102,7 +102,8 @@ EXPORT_SYMBOL(__kasan_check_write);
#undef memset
void *memset(void *addr, int c, size_t len)
{
- check_memory_region((unsigned long)addr, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)addr, len, true, _RET_IP_))
+ return NULL;
return __memset(addr, c, len);
}
- check_memory_region((unsigned long)addr, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)addr, len, true, _RET_IP_))
+ return NULL;
return __memset(addr, c, len);
}
@@ -110,8 +111,9 @@ void *memset(void *addr, int c, size_t len)
#undef memmove
void *memmove(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
#undef memmove
void *memmove(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
+ return NULL;
return __memmove(dest, src, len);
}
@@ -119,8 +121,9 @@ void *memmove(void *dest, const void *src, size_t len)
return __memmove(dest, src, len);
}
#undef memcpy
void *memcpy(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_))
Walter Wu
Oct 14, 2019, 12:23:25 PM10/14/19
to Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, linux-ar...@lists.infradead.org, linux-m...@lists.infradead.org, wsd_up...@mediatek.com, Walter Wu
KASAN missed detecting size is negative numbers in memset(), memcpy(),
and memmove(), it will cause out-of-bounds bug, so needs to be detected
Walter Wu
Oct 16, 2019, 9:50:51 PM10/16/19
to Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, linux-ar...@lists.infradead.org, linux-m...@lists.infradead.org, wsd_up...@mediatek.com, Walter Wu
Cc: Andrey Ryabinin <arya...@virtuozzo.com>
Cc: Alexander Potapenko <gli...@google.com>
Walter Wu
Oct 24, 2019, 4:57:13 AM10/24/19
to Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, linux-ar...@lists.infradead.org, wsd_upstream, Walter Wu
Add a confition for memory operation function, need to
avoid the false alarm when KASAN un-initialized.
Signed-off-by: Walter Wu <walter...@mediatek.com>
Reported-by: Dmitry Vyukov <dvy...@google.com>
Suggested-by: Dmitry Vyukov <dvy...@google.com>
Reviewed-by: Dmitry Vyukov <dvy...@google.com>
Cc: Andrey Ryabinin <arya...@virtuozzo.com>
Cc: Alexander Potapenko <gli...@google.com>
---
mm/kasan/common.c | 18 +++++++++++++-----
mm/kasan/generic.c | 5 +++++
mm/kasan/generic_report.c | 18 ++++++++++++++++++
mm/kasan/report.c | 2 +-
mm/kasan/generic_report.c | 18 ++++++++++++++++++
mm/kasan/tags.c | 5 +++++
mm/kasan/tags_report.c | 18 ++++++++++++++++++
6 files changed, 60 insertions(+), 6 deletions(-)
mm/kasan/tags_report.c | 18 ++++++++++++++++++
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index 6814d6d6a023..4ff67e2fd2db 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -99,10 +99,14 @@ bool __kasan_check_write(const volatile void *p, unsigned int size)
}
EXPORT_SYMBOL(__kasan_check_write);
+extern bool report_enabled(void);
+
#undef memset
void *memset(void *addr, int c, size_t len)
{
- check_memory_region((unsigned long)addr, len, true, _RET_IP_);
+ if (report_enabled() &&
void *memset(void *addr, int c, size_t len)
{
- check_memory_region((unsigned long)addr, len, true, _RET_IP_);
+ !check_memory_region((unsigned long)addr, len, true, _RET_IP_))
+ return NULL;
return __memset(addr, c, len);
}
@@ -110,8 +114,10 @@ void *memset(void *addr, int c, size_t len)
return __memset(addr, c, len);
}
#undef memmove
void *memmove(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (report_enabled() &&
void *memmove(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_)))
+ return NULL;
return __memmove(dest, src, len);
}
@@ -119,8 +125,10 @@ void *memmove(void *dest, const void *src, size_t len)
return __memmove(dest, src, len);
}
#undef memcpy
void *memcpy(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ if (report_enabled() &&
void *memcpy(void *dest, const void *src, size_t len)
{
- check_memory_region((unsigned long)src, len, false, _RET_IP_);
- check_memory_region((unsigned long)dest, len, true, _RET_IP_);
+ (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
+ !check_memory_region((unsigned long)dest, len, true, _RET_IP_)))
index 621782100eaa..c79e28814e8f 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -446,7 +446,7 @@ static void print_shadow_for_address(const void *addr)
}
}
-static bool report_enabled(void)
+bool report_enabled(void)
{
if (current->kasan_depth)
return false;
Reply all
Reply to author
Forward
0 new messages