On 2015/9/9 17:40, Andrey Ryabinin wrote: > 2015-09-09 6:59 GMT+03:00 Wang Long <long.wangl...@huawei.com>: >> The current KASAN code can find the following out-of-bounds >> bugs: >> char *ptr; >> ptr = kmalloc(8, GFP_KERNEL); >> memset(ptr+7, 0, 2); >> >> the cause of the problem is the type conversion error in >> *memory_is_poisoned_n* function. So this patch fix that. >> >> Signed-off-by: Wang Long <long.wangl...@huawei.com> >> --- >> mm/kasan/kasan.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c >> index 7b28e9c..5d65d06 100644 >> --- a/mm/kasan/kasan.c >> +++ b/mm/kasan/kasan.c >> @@ -204,7 +204,7 @@ static __always_inline bool >> memory_is_poisoned_n(unsigned long addr, >> s8 *last_shadow = (s8 *)kasan_mem_to_shadow((void >> *)last_byte); >> >> if (unlikely(ret != (unsigned long)last_shadow || >> - ((last_byte & KASAN_SHADOW_MASK) >= *last_shadow))) >> + ((long)(last_byte & KASAN_SHADOW_MASK) >= >> *last_shadow))) > > Is there any problem if we just define last_byte as 'long' instead of > 'unsigned long' ?
yes, I think it is not OK, because on my test, if we define last_byte as 'long' instead of 'unsigned long', the bug we talk about can not be found. > >> return true; >> } >> return false; >> -- >> 1.8.3.4 >> > > . > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
