diff options
author | Mark Johnston <markj@FreeBSD.org> | 2021-05-05 21:05:46 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2021-11-01 14:05:22 +0000 |
commit | 28c338b3426330b5c9668651e4e91b2dfafde6cf (patch) | |
tree | cfb0297eadcde13551cb38aca7b476ee193da3e9 | |
parent | 9710b74dd0f46c58a603c0bee7fad7f5bc71a80f (diff) | |
download | src-28c338b3426330b5c9668651e4e91b2dfafde6cf.tar.gz src-28c338b3426330b5c9668651e4e91b2dfafde6cf.zip |
realloc: Fix KASAN(9) shadow map updates
When copying from the old buffer to the new buffer, we don't know the
requested size of the old allocation, but only the size of the
allocation provided by UMA. This value is "alloc". Because the copy
may access bytes in the old allocation's red zone, we must mark the full
allocation valid in the shadow map. Do so using the correct size.
Reported by: kp
Tested by: kp
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 9a7c2de36460cdb916734a6969aac666707a639b)
-rw-r--r-- | sys/kern/kern_malloc.c | 2 | ||||
-rw-r--r-- | sys/vm/uma_core.c | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/sys/kern/kern_malloc.c b/sys/kern/kern_malloc.c index 6adb16c95528..3061cb91568f 100644 --- a/sys/kern/kern_malloc.c +++ b/sys/kern/kern_malloc.c @@ -1033,7 +1033,7 @@ realloc(void *addr, size_t size, struct malloc_type *mtp, int flags) * Copy over original contents. For KASAN, the redzone must be marked * valid before performing the copy. */ - kasan_mark(addr, size, size, 0); + kasan_mark(addr, alloc, alloc, 0); bcopy(addr, newaddr, min(size, alloc)); free(addr, mtp); return (newaddr); diff --git a/sys/vm/uma_core.c b/sys/vm/uma_core.c index 1398796ee2e7..e3c7e2cc81e9 100644 --- a/sys/vm/uma_core.c +++ b/sys/vm/uma_core.c @@ -540,6 +540,9 @@ bucket_zone_drain(int domain) } #ifdef KASAN +_Static_assert(UMA_SMALLEST_UNIT % KASAN_SHADOW_SCALE == 0, + "Base UMA allocation size not a multiple of the KASAN scale factor"); + static void kasan_mark_item_valid(uma_zone_t zone, void *item) { |