Walter Wu 8cceeff48f kasan: detect negative size in memory operation function ... Patch series "fix the missing underflow in memory operation function", v4. The patchset helps to produce a KASAN report when size is negative in memory operation functions. It is helpful for programmer to solve an undefined behavior issue. Patch 1 based on Dmitry's review and suggestion, patch 2 is a test in order to verify the patch 1. [1]https://bugzilla.kernel.org/show_bug.cgi?id=199341 [2]https://lore.kernel.org/linux-arm-kernel/20190927034338.15813-1-walter-zh.wu@mediatek.com/ This patch (of 2): KASAN missed detecting size is a negative number in memset(), memcpy(), and memmove(), it will cause out-of-bounds bug. So needs to be detected by KASAN. If size is a negative number, then it has a reason to be defined as out-of-bounds bug type. Casting negative numbers to size_t would indeed turn up as a large size_t and its value will be larger than ULONG_MAX/2, so that this can qualify as out-of-bounds. KASAN report is shown below: BUG: KASAN: out-of-bounds in kmalloc_memmove_invalid_size+0x70/0xa0 Read of size 18446744073709551608 at addr ffffff8069660904 by task cat/72 CPU: 2 PID: 72 Comm: cat Not tainted 5.4.0-rc1-next-20191004ajb-00001-gdb8af2f372b2-dirty #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x288 show_stack+0x14/0x20 dump_stack+0x10c/0x164 print_address_description.isra.9+0x68/0x378 __kasan_report+0x164/0x1a0 kasan_report+0xc/0x18 check_memory_region+0x174/0x1d0 memmove+0x34/0x88 kmalloc_memmove_invalid_size+0x70/0xa0 [1] https://bugzilla.kernel.org/show_bug.cgi?id=199341 [cai@lca.pw: fix -Wdeclaration-after-statement warn] Link: http://lkml.kernel.org/r/1583509030-27939-1-git-send-email-cai@lca.pw [peterz@infradead.org: fix objtool warning] Link: http://lkml.kernel.org/r/20200305095436.GV2596@hirez.programming.kicks-ass.net Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Suggested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Walter Wu <walter-zh.wu@mediatek.com> Signed-off-by: Qian Cai <cai@lca.pw> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Link: http://lkml.kernel.org/r/20191112065302.7015-1-walter-zh.wu@mediatek.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>		2020-04-02 09:35:30 -07:00
..
acpi	Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2020-03-30 16:17:15 -07:00
asm-generic	asm-generic: make more kernel-space headers mandatory	2020-04-02 09:35:25 -07:00
clocksource	clocksource/drivers/timer-ti-dm: Implement cpu_pm notifier for context save and restore	2020-03-16 12:40:29 +01:00
crypto	crypto: x86/curve25519 - support assemblers with no adx support	2020-03-05 18:28:09 +11:00
drm	drm/dp_mst: Use full_pbn instead of available_pbn for bandwidth checks	2020-03-12 19:07:24 -04:00
dt-bindings	media updates for v5.7-rc1	2020-03-30 13:42:05 -07:00
keys
kunit
kvm	irqchip/gic-v4.1: Move doorbell management to the GICv4 abstraction layer	2020-03-24 12:15:51 +00:00
linux	kasan: detect negative size in memory operation function	2020-04-02 09:35:30 -07:00
math-emu
media	media: cec-notifier: make cec_notifier_get_conn() static	2020-03-20 09:02:45 +01:00
misc
net	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next	2020-03-31 17:29:33 -07:00
pcmcia
ras
rdma
scsi	scsi: simplify scsi_partsize	2020-03-24 07:57:07 -06:00
soc	net: dsa: felix: add port policers	2020-03-30 11:44:00 -07:00
sound	ASoC: Fixes for v5.6	2020-03-07 07:24:36 +01:00
target
trace	mm: mmap: add trace point of vm_unmapped_area	2020-04-02 09:35:30 -07:00
uapi	mm/mremap: add MREMAP_DONTUNMAP to mremap()	2020-04-02 09:35:30 -07:00
vdso	vdso: Fix clocksource.h macro detection	2020-03-23 18:51:08 +01:00
video
xen	xen/xenbus: fix locking	2020-03-05 09:42:23 -06:00