Bug 212177

Summary: KASAN (tags): improve use-after-reallocate detection
Product: Memory Management
Reporter: Andrey Konovalov (andreyknvl)
Component: Sanitizers
Assignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: NEW
Severity: normal
CC: kasan-dev
Priority: P1
Hardware: All
OS: Linux
Kernel Version: upstream
Subsystem:
Regression: No
Bisected commit-id:

Description Andrey Konovalov 2021-03-09 14:00:01 UTC
Currently, a fully random tag is generated for each allocated memory block. This means that there's a 1/14 probability that the same tag will be used when memory is freed and then allocated. KASAN could generate a non-matching tag in such cases.

Related bug: https://bugzilla.kernel.org/show_bug.cgi?id=203505
Comment 1 Andrey Konovalov 2023-10-22 13:17:16 UTC
For reference, this is how SCUDO does this:

https://github.com/llvm/llvm-project/commit/8fac07a12

However, note that SCUDO does not use a dedicated tag to mark freed memory and only retags memory on deallocation. Perhaps KASAN could use this approach as well.
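As an added illustration, not kernel code and not part of this bug's discussion, the following C model contrasts fully random tag selection with selection that also excludes the tag the block carried before it was freed, and simulates how often a stale pointer would still pass the tag check under each policy. It assumes 4-bit tags with two reserved values (which leaves the 14 candidates behind the 1/14 figure above); the tag values, function names and the two-reserved-tag layout are assumptions for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Assumed tag scheme: 4-bit tags with two reserved values that are never
 * handed out, leaving 14 candidates (the 1/14 in the description). */
#define NUM_TAGS    16u
#define TAG_KERNEL  0xFu /* untagged/kernel pointers; matches any memory tag */
#define TAG_INVALID 0xEu /* written to freed memory; never given to objects */

static bool tag_is_reserved(uint8_t t) { return t == TAG_KERNEL || t == TAG_INVALID; }

/* Current behaviour: a fully random tag, independent of the block's history. */
uint8_t random_tag(void)
{
	uint8_t tag;
	do { tag = (uint8_t)(rand() % NUM_TAGS); } while (tag_is_reserved(tag));
	return tag;
}

/* Proposed behaviour: also reject the tag the block carried before it was
 * freed, so a stale pointer to the block can never match the new tag. */
uint8_t random_tag_excluding(uint8_t prev_tag)
{
	uint8_t tag;
	do { tag = random_tag(); } while (tag == prev_tag);
	return tag;
}

/* Per-access check: the pointer's tag must match the memory's tag (kernel
 * pointers match everything). A use-after-free is caught when this fails. */
bool access_allowed(uint8_t ptr_tag, uint8_t mem_tag)
{
	return ptr_tag == TAG_KERNEL || ptr_tag == mem_tag;
}

/* Simulate `rounds` free-then-reallocate cycles on one block and count how
 * often the stale pointer from the previous allocation would still pass. */
unsigned count_missed_uaf(unsigned rounds, bool exclude_prev)
{
	unsigned missed = 0;
	uint8_t prev = random_tag();
	for (unsigned i = 0; i < rounds; i++) {
		uint8_t next = exclude_prev ? random_tag_excluding(prev) : random_tag();
		if (access_allowed(prev, next)) missed++;
		prev = next;
	}
	return missed;
}
```

With the fully random policy the simulation misses roughly one cycle in fourteen; with the exclusion policy it misses none.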