@@ -10,7 +10,7 @@
extern struct kasan_stack_ring stack_ring;
-static const char *get_bug_type(struct kasan_report_info *info)
+static const char *get_common_bug_type(struct kasan_report_info *info)
{
/*
* If access_size is a negative number, then it has reason to be
@@ -37,9 +37,8 @@ void kasan_complete_mode_report_info(struct kasan_report_info *info)
bool is_free;
bool alloc_found = false, free_found = false;
- info->bug_type = get_bug_type(info);
-
- if (!info->cache || !info->object)
+ if (!info->cache || !info->object) {
+ info->bug_type = get_common_bug_type(info);
return;
}
@@ -89,6 +88,13 @@ void kasan_complete_mode_report_info(struct kasan_report_info *info)
info->free_track.pid = pid;
info->free_track.stack = stack;
free_found = true;
+
+ /*
+ * If a free entry is found first, the bug is likely
+ * a use-after-free.
+ */
+ if (!info->bug_type)
+ info->bug_type = "use-after-free";
} else {
/* Second alloc of the same object. Give up. */
if (alloc_found)
@@ -97,8 +103,19 @@ void kasan_complete_mode_report_info(struct kasan_report_info *info)
info->alloc_track.pid = pid;
info->alloc_track.stack = stack;
alloc_found = true;
+
+ /*
+ * If an alloc entry is found first, the bug is likely
+ * an out-of-bounds.
+ */
+ if (!info->bug_type)
+ info->bug_type = "slab-out-of-bounds";
}
}
write_unlock_irqrestore(&stack_ring.lock, flags);
+
+ /* Assign the common bug type if no entries were found. */
+ if (!info->bug_type)
+ info->bug_type = get_common_bug_type(info);
}