Bug 216657

Summary: KASAN: catch object/redzone overwrite by uninstrumented accesses
Product: Memory Management
Reporter: Dmitry Vyukov (dvyukov)
Component: Sanitizers
Assignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: NEW
Severity: normal
CC: kasan-dev
Priority: P1
Hardware: All
OS: Linux
Kernel Version: ALL
Subsystem:
Regression: No
Bisected commit-id:

Description Dmitry Vyukov 2022-11-03 16:53:09 UTC
Comparing KASAN with slub_debug, there is one type of bug that can be caught by slub_debug but not by KASAN.
If a freed object or redzone is overwritten by something that's not instrumented with KASAN (uncommon asm, DMA, VM guest), then KASAN won't catch it, while slub_debug can still catch it later (with no access stack, but still).
To achieve full parity we could fill the object/redzone with a pattern and check that it's not overwritten when the object is evicted from quarantine. We would still have alloc/free stacks, and quarantine gives better detection for UAFs.
But not sure how frequent such bugs are.
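The scheme proposed above, as an added userspace example written for this page (it is not KASAN, slub_debug or any kernel code): freed objects are filled with a poison pattern, the redzones around them keep their fill pattern, and both are verified only when the object leaves a small FIFO quarantine. The poison values, the quarantine size and the `run_scenario()` helper are this example's own choices; the "uninstrumented" writes are plain C stores made after the free, standing in for the DMA, asm or guest accesses that no instrumentation would see.

```c
/* Toy quarantine: poison on free, verify pattern at eviction.
 * Example code written for this page, not kernel/KASAN/slub_debug code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill values and sizes are this example's own choice. */
#define FREE_POISON      0x6b   /* written over a freed object's payload */
#define REDZONE_FILL     0xa5   /* written into both redzones at allocation */
#define REDZONE_BYTES    8
#define QUARANTINE_SLOTS 4

enum { CORRUPT_OBJECT = 1, CORRUPT_REDZONE = 2 };

struct qentry {
    unsigned char *base;   /* start of left redzone (what malloc returned) */
    size_t size;           /* payload size */
};

static struct qentry quarantine[QUARANTINE_SLOTS];
static size_t q_head, q_count;   /* FIFO: oldest entry at q_head */
static int corruption_mask;      /* OR of CORRUPT_* seen since last reset */

/* Allocate size bytes between two filled redzones; return the payload pointer. */
static unsigned char *qalloc(size_t size)
{
    unsigned char *base = malloc(size + 2 * REDZONE_BYTES);
    if (!base)
        abort();
    memset(base, REDZONE_FILL, REDZONE_BYTES);
    memset(base + REDZONE_BYTES + size, REDZONE_FILL, REDZONE_BYTES);
    return base + REDZONE_BYTES;
}

/* Number of bytes in [p, p+n) that differ from pat. */
static size_t mismatches(const unsigned char *p, size_t n, unsigned char pat)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += (p[i] != pat);
    return bad;
}

/* Eviction-time check: payload must still be FREE_POISON, both redzones
 * must still be REDZONE_FILL. Returns a CORRUPT_* mask (0 = intact). */
static int check_entry(const struct qentry *e)
{
    const unsigned char *obj = e->base + REDZONE_BYTES;
    int mask = 0;
    if (mismatches(obj, e->size, FREE_POISON))
        mask |= CORRUPT_OBJECT;
    if (mismatches(e->base, REDZONE_BYTES, REDZONE_FILL) ||
        mismatches(obj + e->size, REDZONE_BYTES, REDZONE_FILL))
        mask |= CORRUPT_REDZONE;
    return mask;
}

static void evict_oldest(void)
{
    struct qentry *e = &quarantine[q_head];
    int mask = check_entry(e);
    if (mask) {
        /* No access stack is available here: only the fact of the overwrite. */
        fprintf(stderr, "freed object %p corrupted while quarantined: payload %s, redzone %s\n",
                (void *)(e->base + REDZONE_BYTES),
                (mask & CORRUPT_OBJECT) ? "overwritten" : "intact",
                (mask & CORRUPT_REDZONE) ? "overwritten" : "intact");
        corruption_mask |= mask;
    }
    free(e->base);
    q_head = (q_head + 1) % QUARANTINE_SLOTS;
    q_count--;
}

/* Free: poison the payload and park it; evict the oldest entry if full. */
static void qfree(unsigned char *obj, size_t size)
{
    if (q_count == QUARANTINE_SLOTS)
        evict_oldest();
    memset(obj, FREE_POISON, size);
    size_t slot = (q_head + q_count) % QUARANTINE_SLOTS;
    quarantine[slot].base = obj - REDZONE_BYTES;
    quarantine[slot].size = size;
    q_count++;
}

static void qflush(void)
{
    while (q_count)
        evict_oldest();
}

/* Allocate, use, free, then perform writes the allocator never sees
 * (simulated DMA / asm / guest access). Returns the CORRUPT_* mask found. */
int run_scenario(int uninstrumented_writes)
{
    corruption_mask = 0;
    unsigned char *obj = qalloc(32);
    memset(obj, 'A', 32);
    qfree(obj, 32);                 /* obj now poisoned and quarantined */

    if (uninstrumented_writes & CORRUPT_OBJECT)
        obj[3] = 0x00;              /* store into the freed payload */
    if (uninstrumented_writes & CORRUPT_REDZONE)
        obj[32 + 2] = 0x00;         /* store past the end, into the right redzone */

    qflush();                       /* eviction runs the pattern check */
    return corruption_mask;
}

int main(void)
{
    printf("clean: %d\n", run_scenario(0));
    printf("freed payload overwritten: %d\n", run_scenario(CORRUPT_OBJECT));
    printf("redzone overwritten: %d\n", run_scenario(CORRUPT_REDZONE));
    printf("both: %d\n", run_scenario(CORRUPT_OBJECT | CORRUPT_REDZONE));
    return 0;
}
```

The check fires at eviction, not at the offending store, so it reports the corrupted object (and its alloc/free history, in a real implementation) but no access stack, which is the same trade-off the report attributes to slub_debug. The cost is one comparison over the object and its redzones per eviction, and the detection window is bounded by how long the object sits in quarantine.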