[PATCH v8 01/14] kasan: sw_tags: Use arithmetic shift for shadow computation
Maciej Wieczor-Retman
m.wieczorretman at pm.me
Fri Jan 16 05:11:32 PST 2026
Thanks for looking at the patches :)
On 2026-01-15 at 23:42:02 +0100, Andrey Ryabinin wrote:
>
>
>On 1/12/26 6:27 PM, Maciej Wieczor-Retman wrote:
>
>> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
>> index 62c01b4527eb..b5beb1b10bd2 100644
>> --- a/mm/kasan/report.c
>> +++ b/mm/kasan/report.c
>> @@ -642,11 +642,39 @@ void kasan_non_canonical_hook(unsigned long addr)
>> const char *bug_type;
>>
>> /*
>> - * All addresses that came as a result of the memory-to-shadow mapping
>> - * (even for bogus pointers) must be >= KASAN_SHADOW_OFFSET.
>> + * For Generic KASAN, kasan_mem_to_shadow() uses the logical right shift
>> + * and never overflows with the chosen KASAN_SHADOW_OFFSET values (on
>> + * both x86 and arm64). Thus, the possible shadow addresses (even for
>> + * bogus pointers) belong to a single contiguous region that is the
>> + * result of kasan_mem_to_shadow() applied to the whole address space.
>> */
>> - if (addr < KASAN_SHADOW_OFFSET)
>> - return;
>> + if (IS_ENABLED(CONFIG_KASAN_GENERIC)) {
>> + if (addr < (unsigned long)kasan_mem_to_shadow((void *)(0ULL)) ||
>> + addr > (unsigned long)kasan_mem_to_shadow((void *)(~0ULL)))
>> + return;
>> + }
>> +
>> + /*
>> + * For Software Tag-Based KASAN, kasan_mem_to_shadow() uses the
>> + * arithmetic shift. Normally, this would make checking for a possible
>> + * shadow address complicated, as the shadow address computation
>> + * operation would overflow only for some memory addresses. However, due
>> + * to the chosen KASAN_SHADOW_OFFSET values and the fact the
>> + * kasan_mem_to_shadow() only operates on pointers with the tag reset,
>> + * the overflow always happens.
>> + *
>> + * For arm64, the top byte of the pointer gets reset to 0xFF. Thus, the
>> + * possible shadow addresses belong to a region that is the result of
>> + * kasan_mem_to_shadow() applied to the memory range
>> + * [0xFF000000000000, 0xFFFFFFFFFFFFFFFF]. Despite the overflow, the
> ^ Missing couple 00 here
>
>> + * resulting possible shadow region is contiguous, as the overflow
>> + * happens for both 0xFF000000000000 and 0xFFFFFFFFFFFFFFFF.
> ^ same as above
Hah, right, thank you!
>
>> + */
>> + if (IS_ENABLED(CONFIG_KASAN_SW_TAGS) && IS_ENABLED(CONFIG_ARM64)) {
>> + if (addr < (unsigned long)kasan_mem_to_shadow((void *)(0xFFULL << 56)) ||
>
>This will not work for inline mode because compiler uses logical shift.
>Consider NULL-ptr derefernce. Compiler will calculate shadow address for 0 as:
> (((0x0 | 0xffULL) << 56) >> 4)+0xffff800000000000ULL = 0x0fef8000....0
>Which is less than ((0xFF00...00LL) >> 4) + 0xffff800000000000ULL = 0xffff800...0
>So we will bail out here.
>Perhaps we could do addr |= 0xFFLL to fix this
I suppose it should work; tried it in a python script by shoving various
addresses into this check. Pushing addresses through a logical shift
memory_to_shadow normally would return early as you noticed, and after 'addr |=
0xFFLL' it seems to work as expected. And I didn't really catch any incorrect
address slipping by this scheme either. Thanks, I'll correct it.
>
>> + addr > (unsigned long)kasan_mem_to_shadow((void *)(~0ULL)))
>> + return;
>> + }
>>
>> orig_addr = (unsigned long)kasan_shadow_to_mem((void *)addr);
>>
--
Kind regards
Maciej Wieczór-Retman
More information about the linux-arm-kernel
mailing list