Bug 214761

Summary: KASAN (tags): consider stripping pointer tags in kcmp and FUSE
Product: Memory Management    Reporter: Andrey Konovalov (andreyknvl)
Component: Sanitizers    Assignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: NEW ---
Severity: normal    CC: kasan-dev
Priority: P1
Hardware: All
OS: Linux
Kernel Version: upstream    Subsystem:
Regression: No    Bisected commit-id:

Description Andrey Konovalov 2021-10-19 22:12:32 UTC
The kcmp syscall and fuse_lock_owner_id() might allow bypassing Tag-Based KASAN mode in use-after-free exploits. See the "Against UAF access: Probabilistic UAF mitigation; pointer leaks" section of [1] for details. This needs to be investigated.

[1] https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html
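The summary asks whether pointer tags should be stripped before the comparisons kcmp performs. The following userspace C model is an added illustration, not code from this bug, the kernel, or the linked article: it assumes arm64-style top-byte tags (bits 63:56), a kcmp-like obfuscate-then-order comparison with constructed cookie constants, and a constructed scenario in which a slab slot is reallocated under a new tag. It shows that comparing tagged pointers directly makes the tag change observable through the comparison result, while resetting the tag first does not.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model of arm64 top-byte pointer tags (bits 63:56), which the
 * hardware ignores under TBI, so two pointers can address the same object
 * while differing as integers. Constructed for this example; not kernel code. */
#define TAG_SHIFT 56
#define TAG_MASK  (UINT64_C(0xFF) << TAG_SHIFT)

static uint64_t ptr_set_tag(uint64_t p, uint8_t tag)
{
    return (p & ~TAG_MASK) | ((uint64_t)tag << TAG_SHIFT);
}

/* Clears the tag; the step the bug summary suggests applying before comparing. */
static uint64_t ptr_reset_tag(uint64_t p)
{
    return p & ~TAG_MASK;
}

/* Toy stand-in for the per-boot random cookies kcmp uses to obfuscate
 * pointers before ordering them (constructed constants; odd multiplier so the
 * mapping stays a bijection mod 2^64). */
static const uint64_t cookie_xor = UINT64_C(0x9e3779b97f4a7c15);
static const uint64_t cookie_mul = UINT64_C(0xc2b2ae3d27d4eb4f);

static uint64_t obfuscate(uint64_t p)
{
    return (p ^ cookie_xor) * cookie_mul; /* wraps mod 2^64 */
}

static int ordering(uint64_t a, uint64_t b)
{
    return (a > b) - (a < b); /* -1, 0 or 1 */
}

/* Compares the tagged values directly: the result depends on the tag bits. */
static int kcmp_like_naive(uint64_t a, uint64_t b)
{
    return ordering(obfuscate(a), obfuscate(b));
}

/* Resets tags first: the result depends only on the untagged address. */
static int kcmp_like_stripped(uint64_t a, uint64_t b)
{
    return ordering(obfuscate(ptr_reset_tag(a)), obfuscate(ptr_reset_tag(b)));
}

/* Constructed scenario: a stale reference to a slab object and a fresh
 * reference to the same slot after it was reallocated with a new tag. */
#define OBJ_ADDR UINT64_C(0xffff000012345000)
static uint64_t stale_ref(void) { return ptr_set_tag(OBJ_ADDR, 0x3a); }
static uint64_t fresh_ref(void) { return ptr_set_tag(OBJ_ADDR, 0x7c); }

/* Returns 1 if the comparison distinguishes the two references, i.e. the
 * retag of the same slot is observable through the comparison result. */
static int tag_change_observable(int (*cmp)(uint64_t, uint64_t))
{
    return cmp(stale_ref(), fresh_ref()) != 0;
}

int main(void)
{
    printf("naive comparison reveals retag:    %d\n",
           tag_change_observable(kcmp_like_naive));
    printf("stripped comparison reveals retag: %d\n",
           tag_change_observable(kcmp_like_stripped));
    return 0;
}
```

The model compiles with any C99 compiler and needs no kernel headers. The defensive point it isolates is that any interface which exposes the outcome of a pointer comparison (ordering or equality) must compare untagged addresses, otherwise the comparison result carries information about the tag; in the kernel the analogous step is applying the tag-reset helper to the pointer before it is obfuscated or hashed.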