Bug 199359

Summary: KASAN: double-free is not detected on kzfree
Product: Memory Management
Reporter: Dmitry Vyukov (dvyukov)
Component: Sanitizers
Assignee: Marco Elver (melver)
Status: RESOLVED CODE_FIX
Severity: normal
CC: andreyknvl, kasan-dev
Priority: P1
Hardware: All
OS: Linux
Kernel Version: ALL
Subsystem:
Regression: No
Bisected commit-id:

Description Dmitry Vyukov 2018-04-11 15:49:06 UTC
KASAN did not properly detect this bug:
https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/cvPh_4JXBgAJ
and it caused silent memory corruptions and explosion of assorted bugs reported by syzbot.

The crux is that the double-free happens via kzfree. kzfree calls ksize to do memset before calling kfree. ksize _unpoisons_ the whole object (which was already freed). And finally we call kfree, which checks the first shadow byte and decides that the object is good.

Probably need an additional kasan check in ksize.
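The sequence described in the report, as a small added model in C (not kernel code and not part of this bug report): one shadow byte per 8-byte granule, a kfree() whose double-free check looks only at the first shadow byte, and a ksize() that unpoisons the whole object. The model_* helpers, the 64-byte object, the heap layout and the shadow byte values are assumptions of the model; ksize_after_fix models the read validation that the "mm/kasan: add object validation in ksize()" change performs before unpoisoning, returning 0 for an invalid object.

```c
/*
 * Toy model of KASAN shadow memory around one kmalloc'd object, showing why
 * the double free via kzfree() described above went unreported and what the
 * object validation in ksize() changes. Added illustration for this report, not
 * kernel code: the model_* helpers, sizes and shadow byte values are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE   8                         /* bytes covered by one shadow byte */
#define HEAP_SIZE 256
#define OBJ_SIZE  64                        /* the single modelled object */

/* Shadow encodings assumed for the model: 0 is addressable, non-zero is poison. */
enum { SH_ADDRESSABLE = 0x00, SH_FREED = 0xFB, SH_REDZONE = 0xFC };

static uint8_t heap[HEAP_SIZE];
static uint8_t shadow[HEAP_SIZE / GRANULE];
static int reports;                         /* KASAN-style reports emitted */

static uint8_t *shadow_of(const void *p) { return &shadow[((const uint8_t *)p - heap) / GRANULE]; }
static void poison_range(const void *p, size_t len, uint8_t v) { memset(shadow_of(p), v, len / GRANULE); }
static void report(const char *what, const void *p) { reports++; printf("BUG: KASAN: %s at %p\n", what, p); }

/* Models kasan_check_read(): every shadow byte in the range must be addressable. */
static bool check_range(const void *p, size_t len, const char *what)
{
    for (size_t i = 0; i < len; i += GRANULE)
        if (*shadow_of((const uint8_t *)p + i) != SH_ADDRESSABLE) {
            report(what, p);
            return false;
        }
    return true;
}

/* Fresh heap: all redzone, then one object allocated (unpoisoned). */
static void *fresh_object(void)
{
    memset(shadow, SH_REDZONE, sizeof shadow);
    reports = 0;
    poison_range(heap, OBJ_SIZE, SH_ADDRESSABLE);
    return heap;
}

/* Models kfree(): the double-free check looks at the first shadow byte only. */
static void model_kfree(void *p)
{
    if (*shadow_of(p) == SH_FREED) {
        report("double-free", p);
        return;
    }
    poison_range(p, OBJ_SIZE, SH_FREED);
}

/* ksize() before the fix: unpoisons the whole object unconditionally, so a freed object looks live again. */
static size_t ksize_before_fix(const void *p)
{
    poison_range(p, OBJ_SIZE, SH_ADDRESSABLE);
    return OBJ_SIZE;
}

/* ksize() after the fix: validate a read of the object before unpoisoning and
 * return 0 for an invalid object so that the caller does not write to it. */
static size_t ksize_after_fix(const void *p)
{
    if (!check_range(p, GRANULE, "use-after-free in ksize"))
        return 0;
    poison_range(p, OBJ_SIZE, SH_ADDRESSABLE);
    return OBJ_SIZE;
}

/* Models kzfree(): ksize, memset to zero, kfree. */
static void model_kzfree(void *p, size_t (*ksize_fn)(const void *))
{
    size_t size = ksize_fn(p);
    if (size == 0)
        return;
    if (check_range(p, size, "write to freed memory"))
        memset(p, 0, size);
    model_kfree(p);
}

/* kzfree() twice on one object; returns the number of KASAN reports. */
int double_kzfree_reports(bool fixed)
{
    size_t (*ksize_fn)(const void *) = fixed ? ksize_after_fix : ksize_before_fix;
    void *obj = fresh_object();
    model_kzfree(obj, ksize_fn);            /* legitimate free */
    model_kzfree(obj, ksize_fn);            /* double free */
    return reports;
}

/* The same bug through plain kfree(), which the first-shadow-byte check catches. */
int double_kfree_reports(void)
{
    void *obj = fresh_object();
    model_kfree(obj);
    model_kfree(obj);
    return reports;
}
```

Calling double_kfree_reports() gives one report, as expected for a plain double kfree(). double_kzfree_reports(false) gives none: the old ksize() unpoisons the freed object, the memset writes to freed memory unnoticed, and kfree() sees an addressable first shadow byte and frees it a second time. double_kzfree_reports(true) gives one report from inside ksize(), and because ksize() returns 0 neither the write nor the second kfree() happens.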
Comment 1 Andrey Konovalov 2020-10-16 19:46:31 UTC
This is fixed by the "mm/kasan: Add object validation in ksize()" series, right?
Comment 2 Dmitry Vyukov 2020-10-17 08:00:00 UTC
Yes, fixed by 0d4ca4c9bab3 ("mm/kasan: add object validation in ksize()")