From 5258e48be637caf69b9e65d20a8bea8e890fae52 Mon Sep 17 00:00:00 2001
From: ligd
Date: Mon, 25 Mar 2024 21:04:49 +0800
Subject: [PATCH] mm/heap: fix heap crash when use KASAN SW_TAG

Signed-off-by: ligd
---
 mm/mm_heap/mm_free.c     | 3 ++-
 mm/mm_heap/mm_memalign.c | 2 ++
 mm/mm_heap/mm_realloc.c  | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/mm/mm_heap/mm_free.c b/mm/mm_heap/mm_free.c
index 6848ad3ab8..013c155142 100644
--- a/mm/mm_heap/mm_free.c
+++ b/mm/mm_heap/mm_free.c
@@ -116,7 +116,8 @@ void mm_delayfree(FAR struct mm_heap_s *heap, FAR void *mem, bool delay)
   /* Map the memory chunk into a free node */
 
-  node = (FAR struct mm_freenode_s *)((FAR char *)mem - MM_SIZEOF_ALLOCNODE);
+  node = (FAR struct mm_freenode_s *)
+         ((FAR char *)kasan_reset_tag(mem) - MM_SIZEOF_ALLOCNODE);
   nodesize = MM_SIZEOF_NODE(node);
 
   /* Sanity check against double-frees */
 
diff --git a/mm/mm_heap/mm_memalign.c b/mm/mm_heap/mm_memalign.c
index aa0621889f..cdf6338b1e 100644
--- a/mm/mm_heap/mm_memalign.c
+++ b/mm/mm_heap/mm_memalign.c
@@ -141,6 +141,8 @@ FAR void *mm_memalign(FAR struct mm_heap_s *heap, size_t alignment,
   kasan_poison((FAR void *)rawchunk,
                mm_malloc_size(heap, (FAR void *)rawchunk));
 
+  rawchunk = (uintptr_t)kasan_reset_tag((FAR void *)rawchunk);
+
   /* We need to hold the MM mutex while we muck with the chunks and
    * nodelist.
    */
diff --git a/mm/mm_heap/mm_realloc.c b/mm/mm_heap/mm_realloc.c
index 13fc849541..d41619a66a 100644
--- a/mm/mm_heap/mm_realloc.c
+++ b/mm/mm_heap/mm_realloc.c
@@ -132,7 +132,7 @@ FAR void *mm_realloc(FAR struct mm_heap_s *heap, FAR void *oldmem,
   /* Map the memory chunk into an allocated node structure */
 
   oldnode = (FAR struct mm_allocnode_s *)
-            ((FAR char *)oldmem - MM_SIZEOF_ALLOCNODE);
+            ((FAR char *)kasan_reset_tag(oldmem) - MM_SIZEOF_ALLOCNODE);
 
   /* We need to hold the MM mutex while we muck with the nodelist. */
 
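Review bot: The new `node` computation in mm_delayfree strips the KASAN SW tag from `mem` without saying why, and the same unexplained `kasan_reset_tag` appears in the mm_realloc.c hunk for `oldnode`; a one-line comment at both sites would stop a later cleanup from folding it back into the bare pointer arithmetic. Suggested wording, placed above the assignment: `/* Strip the KASAN SW_TAG bits: the node header is addressed via the untagged pointer */`. Note that `mem` itself keeps its tag after this hunk, and mm_delayfree continues past the hunk; if the remainder of the function compares `mem` against addresses derived from `node`, or hands `mem` to the KASAN poison/unpoison calls, it is worth confirming that those callees expect the tagged form, since the hunk now mixes tagged and untagged views of the same chunk.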
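Review bot: The `mm_malloc_size(heap, (FAR void *)rawchunk)` call on the line just above the added reset in mm_memalign is still made with the tagged pointer, whereas the mm_free.c and mm_realloc.c hunks of this same patch strip the tag before deriving a node header from a user pointer. If mm_malloc_size derives the allocnode the same way (its body is outside the hunk), it has the same fault this commit fixes in the other two files; either confirm it calls kasan_reset_tag internally or pass it the untagged address while leaving kasan_poison on the tagged `rawchunk`, e.g. `mm_malloc_size(heap, kasan_reset_tag((FAR void *)rawchunk))`. The added assignment would also read better with a comment such as `/* From here on the chunk is manipulated through its untagged address */`, since everything after it (node splitting, nodelist updates) runs on the reset value. mm_memalign continues past the end of the hunk.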