W-M-R opened a new pull request, #18317: URL: https://github.com/apache/nuttx/pull/18317
One memory block from a heap may be used to initialize another heap pool; the new heap's start address carries tags that need to be cleared when judging whether `mem` is a heap member.

*Note: Please adhere to [Contributing Guidelines](https://github.com/apache/nuttx/blob/master/CONTRIBUTING.md).*

## Summary

This change fixes a bug in the mm_heapmember() function when KASAN (Kernel Address Sanitizer) with tag-based mode is enabled.

The Problem: When using tag-based KASAN, memory addresses are tagged with additional metadata in the upper bits. When a memory block from one heap is used to initialize another heap pool, the new heap's start/end addresses (mm_heapstart/mm_heapend) may contain KASAN tags. The original comparison logic would fail to correctly determine heap membership because it compared tagged addresses with potentially untagged memory pointers.

The Solution: Clear KASAN tags from heap boundary addresses before performing membership checks by wrapping them with kasan_clear_tag(). This ensures accurate pointer comparisons regardless of tag state.

Changes made:
- Modified pointer comparisons in both the multi-region loop (CONFIG_MM_REGIONS > 1) and the single-region path
- Applied kasan_clear_tag() to heap->mm_heapstart[i] and heap->mm_heapend[i] before comparison
- Ensures consistent behavior whether KASAN tagging is enabled or disabled

## Impact

Functionality:
- Fixes incorrect heap membership detection when KASAN tag-based mode is active
- Prevents potential memory corruption or access violations due to misidentified heap boundaries
- No impact when KASAN is disabled (macro likely expands to a no-op)

Users:
- Applications using KASAN for memory debugging will see more accurate heap tracking
- Prevents false negatives where valid heap members are incorrectly identified as non-members
- Prevents false positives where non-heap memory is incorrectly identified as heap members

Compatibility:
- Binary compatible - only changes internal comparison logic
- No API changes
- Backwards compatible with existing code

Security:
- Improves memory safety by ensuring correct heap boundary checks under KASAN
- Prevents potential use-after-free or out-of-bounds scenarios caused by incorrect heap identification

## Testing

Test Platform:
- File: mm_heapmember.c
- Changed: 1 file, +4 insertions, -4 deletions

Test Configuration:
- Enable KASAN with tag-based mode (CONFIG_MM_KASAN and tag-based variant)
- Configure multiple heap regions (CONFIG_MM_REGIONS > 1)

Test Cases:
1. Heap initialization with tagged memory
   - Allocate a memory block from heap A
   - Initialize heap B using memory from heap A
   - Verify mm_heapmember(heap_b, ptr) correctly identifies pointers within heap B
   - Confirmed tags on heap boundaries don't interfere with membership checks
2. Multi-region heap membership
   - Test pointer membership across all regions with KASAN enabled
   - Verify boundaries at mm_heapstart[i] and mm_heapend[i] work correctly
   - Confirmed no false negatives for valid heap members
3. Single-region heap membership
   - Test the fallback path when CONFIG_MM_REGIONS == 1 or not defined
   - Verify mm_heapstart[0] and mm_heapend[0] comparisons work correctly
4. Cross-validation without KASAN
   - Verify the kasan_clear_tag() macro doesn't break non-KASAN builds
   - Confirmed behavior unchanged when KASAN is disabled

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
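As an added illustration, not code from the pull request or from NuttX: a stand-alone C model of the comparison mm_heapmember() performs, with a constructed tag scheme (tag in the top byte of a 64-bit address) standing in for kasan_clear_tag(). The heap layout, the tag value 0x2a and the addresses are assumptions; it reproduces the false negative the description mentions and shows the boundary-stripping fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tag-based KASAN keeps a tag in the top byte of an address. CLEAR_TAG and
 * SET_TAG are constructed stand-ins for the real kasan_clear_tag() helper;
 * addresses are modelled as uint64_t so the example runs on any host. */
#define MM_REGIONS      2
#define TAG_SHIFT       56
#define TAG_MASK        ((uint64_t)0xff << TAG_SHIFT)
#define CLEAR_TAG(a)    ((uint64_t)(a) & ~TAG_MASK)
#define SET_TAG(a, tag) (CLEAR_TAG(a) | ((uint64_t)(tag) << TAG_SHIFT))

struct heap { uint64_t mm_heapstart[MM_REGIONS]; uint64_t mm_heapend[MM_REGIONS]; };

/* Before the fix: boundaries are compared exactly as stored, tag included. */
bool heapmember_before(const struct heap *heap, uint64_t mem)
{
  for (int i = 0; i < MM_REGIONS; i++)
    if (mem >= heap->mm_heapstart[i] && mem < heap->mm_heapend[i])
      return true;
  return false;
}

/* After the fix: strip the tag from each boundary before comparing. */
bool heapmember_after(const struct heap *heap, uint64_t mem)
{
  for (int i = 0; i < MM_REGIONS; i++)
    if (mem >= CLEAR_TAG(heap->mm_heapstart[i]) &&
        mem <  CLEAR_TAG(heap->mm_heapend[i]))
      return true;
  return false;
}

/* Constructed scenario: heap B was initialised from a block of heap A that
 * carried tag 0x2a, so its recorded boundaries are tagged; region 1 is unused. */
static const struct heap g_heapb =
{
  { SET_TAG(0x10002000, 0x2a), 0 },
  { SET_TAG(0x10004000, 0x2a), 0 },
};

bool demo_before(uint64_t mem) { return heapmember_before(&g_heapb, mem); }
bool demo_after(uint64_t mem)  { return heapmember_after(&g_heapb, mem); }

int main(void)
{
  uint64_t p = 0x10003000;   /* untagged pointer that lies inside heap B */
  printf("before fix: %d, after fix: %d\n", demo_before(p), demo_after(p));
  return 0;
}
```

With the tagged start compared as stored, the untagged pointer sorts below it and membership is denied; stripping the tag restores the expected range check.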
