mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-15 15:15:47 +00:00
a0503b8a0b
1. Move kasan_get_free_track() and kasan_set_free_info() into tags.c and combine these two functions for SW_TAGS and HW_TAGS kasan mode. 2. Move kasan_get_bug_type() to report_tags.c and make this function compatible for SW_TAGS and HW_TAGS kasan mode. Link: https://lkml.kernel.org/r/20210626100931.22794-3-Kuan-Ying.Lee@mediatek.com Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com> Suggested-by: Marco Elver <elver@google.com> Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com> Reviewed-by: Marco Elver <elver@google.com> Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Chinwen Chang <chinwen.chang@mediatek.com> Cc: Matthias Brugger <matthias.bgg@gmail.com> Cc: Nicholas Tang <nicholas.tang@mediatek.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
51 lines
1.3 KiB
C
51 lines
1.3 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Copyright (c) 2014 Samsung Electronics Co., Ltd.
|
|
* Copyright (c) 2020 Google, Inc.
|
|
*/
|
|
|
|
#include "kasan.h"
|
|
#include "../slab.h"
|
|
|
|
const char *kasan_get_bug_type(struct kasan_access_info *info)
|
|
{
|
|
#ifdef CONFIG_KASAN_TAGS_IDENTIFY
|
|
struct kasan_alloc_meta *alloc_meta;
|
|
struct kmem_cache *cache;
|
|
struct page *page;
|
|
const void *addr;
|
|
void *object;
|
|
u8 tag;
|
|
int i;
|
|
|
|
tag = get_tag(info->access_addr);
|
|
addr = kasan_reset_tag(info->access_addr);
|
|
page = kasan_addr_to_page(addr);
|
|
if (page && PageSlab(page)) {
|
|
cache = page->slab_cache;
|
|
object = nearest_obj(cache, page, (void *)addr);
|
|
alloc_meta = kasan_get_alloc_meta(cache, object);
|
|
|
|
if (alloc_meta) {
|
|
for (i = 0; i < KASAN_NR_FREE_STACKS; i++) {
|
|
if (alloc_meta->free_pointer_tag[i] == tag)
|
|
return "use-after-free";
|
|
}
|
|
}
|
|
return "out-of-bounds";
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* If access_size is a negative number, then it has reason to be
|
|
* defined as out-of-bounds bug type.
|
|
*
|
|
* Casting negative numbers to size_t would indeed turn up as
|
|
* a large size_t and its value will be larger than ULONG_MAX/2,
|
|
* so that this can qualify as out-of-bounds.
|
|
*/
|
|
if (info->access_addr + info->access_size < info->access_addr)
|
|
return "out-of-bounds";
|
|
|
|
return "invalid-access";
|
|
}
|