realloc: Fix KASAN(9) shadow map updates

When copying from the old buffer to the new buffer, we don't know the
requested size of the old allocation, but only the size of the
allocation provided by UMA.  This value is "alloc".  Because the copy
may access bytes in the old allocation's red zone, we must mark the full
allocation valid in the shadow map.  Do so using the correct size.

Reported by:	kp
Tested by:	kp
Sponsored by:	The FreeBSD Foundation
Mark Johnston 2021-05-05 17:05:46 -04:00
parent 1b2806931a
commit 9a7c2de364
2 changed files with 4 additions and 1 deletions
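Added example (not part of this commit or of the FreeBSD tree): a small userland C model of the shadow-map marking the commit message describes. It models kasan_mark(addr, size, total, code) over an 8-byte-granule shadow array and runs the old-buffer marking step of realloc() with both the removed argument (`size`, the new requested size) and the new one (`alloc`, the size UMA provided). The model shows that both variants leave every byte bcopy() reads via min(size, alloc) accessible, and that the removed variant additionally marks bytes past the old item accessible whenever the allocation grows. The arena layout, ITEM_OFF, the poison value and the helper names are constructed for this model and are not kernel identifiers.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of KASAN shadow bookkeeping (not kernel code): one shadow
 * byte per 8-byte granule. Shadow 0 = granule fully accessible, 1..7 = only
 * that many leading bytes accessible, anything larger = poisoned (redzone).
 */
#define SHADOW_SCALE    8
#define ARENA_SIZE      512
#define SHADOW_SIZE     (ARENA_SIZE / SHADOW_SCALE)
#define REDZONE_CODE    0xfa    /* arbitrary poison value for the model */
#define ITEM_OFF        64      /* where the old UMA item sits in the arena (assumed) */

static uint8_t shadow[SHADOW_SIZE];

/*
 * Model of kasan_mark(addr, size, total, code): the first `size` bytes
 * starting at granule-aligned offset `off` become accessible, the remainder
 * up to `total` is poisoned with `code`. Granules past the arena are ignored.
 */
static void
model_mark(size_t off, size_t size, size_t total, uint8_t code)
{
    size_t g = off / SHADOW_SCALE;
    size_t end = (off + total + SHADOW_SCALE - 1) / SHADOW_SCALE;
    size_t left = size;

    assert(off % SHADOW_SCALE == 0);
    for (; g < end && g < SHADOW_SIZE; g++) {
        if (left >= SHADOW_SCALE) {
            shadow[g] = 0;              /* whole granule accessible */
            left -= SHADOW_SCALE;
        } else if (left > 0) {
            shadow[g] = (uint8_t)left;  /* partial granule */
            left = 0;
        } else {
            shadow[g] = code;           /* redzone */
        }
    }
}

/* Is byte `b` of the arena accessible according to the shadow map? */
static bool
byte_accessible(size_t b)
{
    uint8_t sv = shadow[b / SHADOW_SCALE];
    return sv == 0 || (sv < SHADOW_SCALE && (b % SHADOW_SCALE) < sv);
}

struct mark_result {
    bool copy_readable;        /* every byte bcopy() would read is accessible */
    size_t bytes_overmarked;   /* bytes past the old item wrongly made accessible */
};

/*
 * Model the old-buffer marking step of realloc(). `alloc` is the size UMA
 * handed out for the old item (the "alloc" of the commit), `size` the new
 * requested size. `fixed` selects kasan_mark(addr, alloc, alloc, 0) instead
 * of the removed kasan_mark(addr, size, size, 0).
 */
static struct mark_result
model_realloc_mark(size_t alloc, size_t size, bool fixed)
{
    struct mark_result r = { false, 0 };
    size_t copylen = size < alloc ? size : alloc;   /* min(size, alloc) */
    size_t next = ITEM_OFF + alloc;                 /* first byte of the neighbour */
    size_t b;

    /* Start from a fully poisoned arena so only the mark call matters. */
    memset(shadow, REDZONE_CODE, sizeof(shadow));
    if (fixed)
        model_mark(ITEM_OFF, alloc, alloc, 0);
    else
        model_mark(ITEM_OFF, size, size, 0);

    r.copy_readable = true;
    for (b = ITEM_OFF; b < ITEM_OFF + copylen; b++)
        if (!byte_accessible(b))
            r.copy_readable = false;
    for (b = next; b < ARENA_SIZE; b++)
        if (byte_accessible(b))
            r.bytes_overmarked++;
    return r;
}

int
main(void)
{
    size_t cases[][2] = { { 64, 128 }, { 64, 16 } };  /* {alloc, new size}: grow, shrink */
    for (size_t i = 0; i < 2; i++) {
        for (int fixed = 0; fixed <= 1; fixed++) {
            struct mark_result r = model_realloc_mark(cases[i][0], cases[i][1], fixed);
            printf("alloc=%zu size=%zu %s: copy readable=%d, bytes over-marked past item=%zu\n",
                cases[i][0], cases[i][1], fixed ? "fixed" : "old  ",
                r.copy_readable, r.bytes_overmarked);
        }
    }
    return 0;
}
```

Running it prints one line per case and variant; the grow case (alloc=64, size=128) reports 64 bytes over-marked past the item with the removed argument and 0 with the committed one, while the shrink case is identical for both.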


@ -1024,7 +1024,7 @@ realloc(void *addr, size_t size, struct malloc_type *mtp, int flags)
* Copy over original contents. For KASAN, the redzone must be marked
* valid before performing the copy.
*/
kasan_mark(addr, size, size, 0);
kasan_mark(addr, alloc, alloc, 0);
bcopy(addr, newaddr, min(size, alloc));
free(addr, mtp);
return (newaddr);
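Review bot: the replaced argument makes the marked length agree with what the copy reads: bcopy(addr, newaddr, min(size, alloc)) never reads past `alloc` bytes, so kasan_mark(addr, alloc, alloc, 0) is the tight bound, whereas the removed kasan_mark(addr, size, size, 0) used the new requested size, which exceeds `alloc` whenever the allocation grows and would mark bytes beyond the old item accessible. Two things worth confirming in review: that `alloc` at this point holds the size UMA actually provided rather than a rounded request, and that free(addr, mtp) on the following line re-poisons the item, since the whole item is left accessible between the mark and the free. The comment above the call could also state that `alloc`, not `size`, is the UMA-provided size, so a later reader does not reintroduce `size` here.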


@ -540,6 +540,9 @@ bucket_zone_drain(int domain)
}
#ifdef KASAN
_Static_assert(UMA_SMALLEST_UNIT % KASAN_SHADOW_SCALE == 0,
"Base UMA allocation size not a multiple of the KASAN scale factor");
static void
kasan_mark_item_valid(uma_zone_t zone, void *item)
{
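Review bot: kasan_mark_item_valid() is defined only under #ifdef KASAN, so either every call site must sit under the same guard or a !KASAN stub is needed; the hunk ends before the function body and before any caller, so that cannot be checked from what is shown. The _Static_assert is the right companion for the helper, because the shadow map describes memory in KASAN_SHADOW_SCALE-byte granules and an item size that is not a multiple would leave a partially described granule; a one-line comment above it giving that reason would save the next reader from working it out.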