Bug 212173

Summary: KASAN (tags): explore possibility of not using a match-all pointer tag
Product: Memory Management
Reporter: Andrey Konovalov (andreyknvl)
Component: Sanitizers
Assignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: NEW
Severity: normal
CC: kasan-dev
Priority: P1
Hardware: All
OS: Linux
Kernel Version: upstream
Subsystem:
Regression: No
Bisected commit-id:

Description Andrey Konovalov 2021-03-09 13:52:14 UTC
Currently, tag-based KASAN modes use 0xFF as a match-all pointer tag. This means that memory with arbitrary memory tags can be accessed through such a pointer. This is a weakness against memory corruption exploits if the attacker can craft such pointers.

Ideally, there should be no match-all pointer tags. The feasibility of this needs to be investigated.
Comment 1 Andrey Konovalov 2024-10-21 17:32:57 UTC
If we manage to get rid of the match-all tag, we can also rethink the strategy of marking freed memory with a reserved tag (0xFE). This would prevent attackers from being able to reliably access metadata stored within freed memory via crafted pointers. As long as the match-all tag is there, getting rid of the reserved free tag likely makes little impact against attacks via crafted pointers.
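The following C program is an added illustration of the check the description and comment 1 discuss; it is not code from the kernel or from the reporter. It models tag-based KASAN's per-granule shadow tags on a small constructed heap and implements the tag comparison twice: once as today, where a pointer tagged KASAN_TAG_KERNEL (0xFF) passes against any memory tag, and once in a hypothetical strict mode with no match-all tag, which is what this bug proposes investigating. The tag constants and granule size are the values from mm/kasan/kasan.h; the toy heap, the 0x2A allocation tag and the `strict` parameter are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag constants as defined in the kernel's mm/kasan/kasan.h. */
#define KASAN_TAG_KERNEL   0xFF /* native kernel pointers: the match-all tag */
#define KASAN_TAG_INVALID  0xFE /* reserved tag that freed memory is poisoned with */
#define KASAN_TAG_MAX      0xFD /* largest random tag an allocation can receive */
#define KASAN_GRANULE_SIZE 16

/* Constructed toy heap: one shadow tag byte per granule, as tag-based KASAN keeps. */
#define TOY_HEAP_SIZE 256
#define TOY_GRANULES  (TOY_HEAP_SIZE / KASAN_GRANULE_SIZE)
#define TOY_ADDR_MASK 0x00FFFFFFFFFFFFFFULL

static uint8_t toy_shadow[TOY_GRANULES];

/* Toy tagged pointers are 64-bit values with the tag in the top byte (as with TBI on arm64). */
static uint64_t toy_tag_ptr(uint64_t off, uint8_t tag)
{
	return ((uint64_t)tag << 56) | (off & TOY_ADDR_MASK);
}

static uint8_t toy_get_tag(uint64_t p) { return (uint8_t)(p >> 56); }
static uint64_t toy_reset_tag(uint64_t p) { return p & TOY_ADDR_MASK; }

/* Assign a tag to every granule overlapping [off, off + size): alloc and free both do this. */
static void toy_set_tags(uint64_t off, size_t size, uint8_t tag)
{
	for (uint64_t g = off / KASAN_GRANULE_SIZE;
	     g < (off + size + KASAN_GRANULE_SIZE - 1) / KASAN_GRANULE_SIZE; g++)
		toy_shadow[g] = tag;
}

/* Model of the tag check. strict == false mirrors current behaviour (the 0xFF
 * tag short-circuits to "allowed"); strict == true is the hypothetical mode
 * this bug asks about, in which no pointer tag is match-all. */
bool toy_check_access(uint64_t p, size_t size, bool strict)
{
	uint8_t ptag = toy_get_tag(p);
	uint64_t off = toy_reset_tag(p);

	if (size == 0 || off + size > TOY_HEAP_SIZE)
		return false;
	if (!strict && ptag == KASAN_TAG_KERNEL)
		return true;
	for (uint64_t g = off / KASAN_GRANULE_SIZE;
	     g <= (off + size - 1) / KASAN_GRANULE_SIZE; g++)
		if (toy_shadow[g] != ptag)
			return false;
	return true;
}

/* Scenario from the description and comment 1: an object is allocated with a
 * random tag, accessed, freed (granules repoisoned to KASAN_TAG_INVALID), then
 * accessed again through the stale pointer and through a 0xFF-tagged pointer.
 * Bit 0: tagged access allowed while live; bit 1: stale tagged access allowed
 * after free; bit 2: 0xFF-tagged access allowed after free. */
unsigned toy_scenario(bool strict)
{
	const uint64_t obj = 32;
	const size_t sz = 40;           /* spans three granules: bytes 32..71 */
	const uint8_t alloc_tag = 0x2A; /* constructed "random" tag, <= KASAN_TAG_MAX */
	unsigned result = 0;

	memset(toy_shadow, KASAN_TAG_INVALID, sizeof(toy_shadow));
	toy_set_tags(obj, sz, alloc_tag);
	uint64_t live = toy_tag_ptr(obj, alloc_tag);
	if (toy_check_access(live, sz, strict))
		result |= 1u;

	toy_set_tags(obj, sz, KASAN_TAG_INVALID); /* free repoisons the object */
	if (toy_check_access(live, sz, strict))
		result |= 2u;

	uint64_t match_all = toy_tag_ptr(obj, KASAN_TAG_KERNEL);
	if (toy_check_access(match_all, sz, strict))
		result |= 4u;
	return result;
}

int main(void)
{
	printf("with match-all tag: 0x%x, without: 0x%x\n",
	       toy_scenario(false), toy_scenario(true));
	return 0;
}
```

With the match-all tag present the scenario reports 0x5: the live access passes, the stale-tag access after free is caught, but the 0xFF-tagged access to the freed (0xFE) memory is allowed, which is exactly why removing the reserved free tag alone would change little. In the strict mode the result is 0x1: only the live, correctly tagged access is allowed.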