kasan: Potential recursive registration shadow area error

When initializing a memory block, the shadow area record of the first memory block is used first.When uninitializing, unpoison is required, otherwise the memory will be marked incorrectly. The following case will cause problems: void *mem = malloc(1024); struct mm_heap_s *a = mm_initialize("hello", mem, 1024); int *b = mm_malloc(a, sizeof(int *)); *b = 100; printf("Hello, World!! %d\n", *b); mm_free(a, b); mm_uninitialize(a); free(mem); Signed-off-by: wangmingrong1 <wangmingrong1@xiaomi.com>
2025-06-19 15:56:18 +08:00 · 2025-06-19 15:56:18 +08:00 · aead1981a7
commit aead1981a7
parent e57d2a5247
2 changed files with 8 additions and 2 deletions
--- a/mm/kasan/generic.c
+++ b/mm/kasan/generic.c
@ -268,10 +268,13 @@ void kasan_unregister(FAR void *addr)
    {
      if (g_region[i]->begin == (uintptr_t)addr)
        {
+          size_t size = g_region[i]->end - g_region[i]->begin;
          g_region_count--;
          memmove(&g_region[i], &g_region[i + 1],
                  (g_region_count - i) * sizeof(g_region[0]));
-          break;
+          spin_unlock_irqrestore(&g_lock, flags);
+          kasan_unpoison(addr, size);
+          return;
        }
    }

--- a/mm/kasan/sw_tags.c
+++ b/mm/kasan/sw_tags.c
@ -217,10 +217,13 @@ void kasan_unregister(FAR void *addr)
    {
      if (g_region[i]->begin == (uintptr_t)addr)
        {
+          size_t size = g_region[i]->end - g_region[i]->begin;
          g_region_count--;
          memmove(&g_region[i], &g_region[i + 1],
                  (g_region_count - i) * sizeof(g_region[0]));
-          break;
+          spin_unlock_irqrestore(&g_lock, flags);
+          kasan_unpoison(addr, size);
+          return;
        }
    }