]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
kasan: fix type cast in memory_is_poisoned_n
authorAndrey Konovalov <andreyknvl@google.com>
Tue, 4 Jul 2023 00:52:05 +0000 (02:52 +0200)
committerAndrew Morton <akpm@linux-foundation.org>
Sat, 8 Jul 2023 16:29:32 +0000 (09:29 -0700)
Commit bb6e04a173f0 ("kasan: use internal prototypes matching gcc-13
builtins") introduced a bug into the memory_is_poisoned_n implementation:
it effectively removed the cast to a signed integer type after applying
KASAN_GRANULE_MASK.

As a result, KASAN started failing to properly check memset, memcpy, and
other similar functions.

Fix the bug by adding the cast back (through an additional signed integer
variable to make the code more readable).

Link: https://lkml.kernel.org/r/8c9e0251c2b8b81016255709d4ec42942dcaf018.1688431866.git.andreyknvl@google.com
Fixes: bb6e04a173f0 ("kasan: use internal prototypes matching gcc-13 builtins")
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Marco Elver <elver@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
mm/kasan/generic.c

index 5b4c97baa656497140888b42e5e6a93f281e263d..4d837ab83f0834e3d0d62ad96bcb4bd09fd01e28 100644 (file)
@@ -130,9 +130,10 @@ static __always_inline bool memory_is_poisoned_n(const void *addr, size_t size)
        if (unlikely(ret)) {
                const void *last_byte = addr + size - 1;
                s8 *last_shadow = (s8 *)kasan_mem_to_shadow(last_byte);
+               s8 last_accessible_byte = (unsigned long)last_byte & KASAN_GRANULE_MASK;
 
                if (unlikely(ret != (unsigned long)last_shadow ||
-                       (((long)last_byte & KASAN_GRANULE_MASK) >= *last_shadow)))
+                            last_accessible_byte >= *last_shadow))
                        return true;
        }
        return false;