[PATCH] kasan: fix bug type classification for SW_TAGS mode
0 views
Skip to first unread message
Andrey Ryabinin
Mar 5, 2026, 1:57:48 PMMar 5
to Andrew Morton, Maciej Wieczor-Retman, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, kasa...@googlegroups.com, linux-...@vger.kernel.org, linu...@kvack.org, Andrey Ryabinin
kasan_non_canonical_hook() derives orig_addr from kasan_shadow_to_mem(),
but the pointer tag may remain in the top byte. In SW_TAGS mode this
tagged address is compared against PAGE_SIZE and TASK_SIZE, which leads
to incorrect bug classification.
As a result, NULL pointer dereferences may be reported as
"wild-memory-access".
Strip the tag before performing these range checks and use the untagged
value when reporting addresses in these ranges.
Before:
[ ] Unable to handle kernel paging request at virtual address ffef800000000000
[ ] KASAN: maybe wild-memory-access in range [0xff00000000000000-0xff0000000000000f]
After:
[ ] Unable to handle kernel paging request at virtual address ffef800000000000
[ ] KASAN: null-ptr-deref in range [0x0000000000000000-0x000000000000000f]
Signed-off-by: Andrey Ryabinin <ryabin...@gmail.com>
---
mm/kasan/report.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 27efb78eb32d..e804b1e1f886 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -638,7 +638,7 @@ void kasan_report_async(void)
*/
void kasan_non_canonical_hook(unsigned long addr)
{
- unsigned long orig_addr;
+ unsigned long orig_addr, user_orig_addr;
const char *bug_type;
/*
@@ -650,6 +650,9 @@ void kasan_non_canonical_hook(unsigned long addr)
orig_addr = (unsigned long)kasan_shadow_to_mem((void *)addr);
+ /* Strip pointer tag before comparing against userspace ranges */
+ user_orig_addr = (unsigned long)set_tag((void *)orig_addr, 0);
+
/*
* For faults near the shadow address for NULL, we can be fairly certain
* that this is a KASAN shadow memory access.
@@ -661,11 +664,13 @@ void kasan_non_canonical_hook(unsigned long addr)
* address, but make it clear that this is not necessarily what's
* actually going on.
*/
- if (orig_addr < PAGE_SIZE)
+ if (user_orig_addr < PAGE_SIZE) {
bug_type = "null-ptr-deref";
- else if (orig_addr < TASK_SIZE)
+ orig_addr = user_orig_addr;
+ } else if (user_orig_addr < TASK_SIZE) {
bug_type = "probably user-memory-access";
- else if (addr_in_shadow((void *)addr))
+ orig_addr = user_orig_addr;
+ } else if (addr_in_shadow((void *)addr))
bug_type = "probably wild-memory-access";
else
bug_type = "maybe wild-memory-access";
--
2.52.0
but the pointer tag may remain in the top byte. In SW_TAGS mode this
tagged address is compared against PAGE_SIZE and TASK_SIZE, which leads
to incorrect bug classification.
As a result, NULL pointer dereferences may be reported as
"wild-memory-access".
Strip the tag before performing these range checks and use the untagged
value when reporting addresses in these ranges.
Before:
[ ] Unable to handle kernel paging request at virtual address ffef800000000000
[ ] KASAN: maybe wild-memory-access in range [0xff00000000000000-0xff0000000000000f]
After:
[ ] Unable to handle kernel paging request at virtual address ffef800000000000
[ ] KASAN: null-ptr-deref in range [0x0000000000000000-0x000000000000000f]
Signed-off-by: Andrey Ryabinin <ryabin...@gmail.com>
---
mm/kasan/report.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 27efb78eb32d..e804b1e1f886 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -638,7 +638,7 @@ void kasan_report_async(void)
*/
void kasan_non_canonical_hook(unsigned long addr)
{
- unsigned long orig_addr;
+ unsigned long orig_addr, user_orig_addr;
const char *bug_type;
/*
@@ -650,6 +650,9 @@ void kasan_non_canonical_hook(unsigned long addr)
orig_addr = (unsigned long)kasan_shadow_to_mem((void *)addr);
+ /* Strip pointer tag before comparing against userspace ranges */
+ user_orig_addr = (unsigned long)set_tag((void *)orig_addr, 0);
+
/*
* For faults near the shadow address for NULL, we can be fairly certain
* that this is a KASAN shadow memory access.
@@ -661,11 +664,13 @@ void kasan_non_canonical_hook(unsigned long addr)
* address, but make it clear that this is not necessarily what's
* actually going on.
*/
- if (orig_addr < PAGE_SIZE)
+ if (user_orig_addr < PAGE_SIZE) {
bug_type = "null-ptr-deref";
- else if (orig_addr < TASK_SIZE)
+ orig_addr = user_orig_addr;
+ } else if (user_orig_addr < TASK_SIZE) {
bug_type = "probably user-memory-access";
- else if (addr_in_shadow((void *)addr))
+ orig_addr = user_orig_addr;
+ } else if (addr_in_shadow((void *)addr))
bug_type = "probably wild-memory-access";
else
bug_type = "maybe wild-memory-access";
--
2.52.0
Reply all
Reply to author
Forward
0 new messages