Skip to content

Commit 2ef3cec

Browse files
ramosian-gliderakpm00
ramosian-glider
authored and
akpm00
committed
kmsan: do not wipe out origin when doing partial unpoisoning
As noticed by Brian, KMSAN should not be zeroing the origin when unpoisoning parts of a four-byte uninitialized value, e.g.: char a[4]; kmsan_unpoison_memory(a, 1); This led to false negatives, as certain poisoned values could receive zero origins, preventing those values from being reported. To fix the problem, check that kmsan_internal_set_shadow_origin() writes zero origins only to slots which have zero shadow. Link: https://lkml.kernel.org/r/[email protected] Fixes: f80be45 ("kmsan: add KMSAN runtime core") Signed-off-by: Alexander Potapenko <[email protected]> Reported-by: Brian Johannesmeyer <[email protected]> Link: https://lore.kernel.org/lkml/[email protected]/T/ Reviewed-by: Marco Elver <[email protected]> Tested-by: Brian Johannesmeyer <[email protected]> Cc: Dmitry Vyukov <[email protected]> Cc: Kees Cook <[email protected]> Cc: <[email protected]> Signed-off-by: Andrew Morton <[email protected]>
1 parent 0105eaa commit 2ef3cec

File tree

1 file changed

+11
-4
lines changed

1 file changed

+11
-4
lines changed

mm/kmsan/core.c

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -196,8 +196,7 @@ void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b,
196196
u32 origin, bool checked)
197197
{
198198
u64 address = (u64)addr;
199-
void *shadow_start;
200-
u32 *origin_start;
199+
u32 *shadow_start, *origin_start;
201200
size_t pad = 0;
202201

203202
KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size));
@@ -225,8 +224,16 @@ void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b,
225224
origin_start =
226225
(u32 *)kmsan_get_metadata((void *)address, KMSAN_META_ORIGIN);
227226

228-
for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++)
229-
origin_start[i] = origin;
227+
/*
228+
* If the new origin is non-zero, assume that the shadow byte is also non-zero,
229+
* and unconditionally overwrite the old origin slot.
230+
* If the new origin is zero, overwrite the old origin slot iff the
231+
* corresponding shadow slot is zero.
232+
*/
233+
for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) {
234+
if (origin || !shadow_start[i])
235+
origin_start[i] = origin;
236+
}
230237
}
231238

232239
struct page *kmsan_vmalloc_to_page_or_null(void *vaddr)

0 commit comments

Comments
 (0)