Bug 216762

Summary: KASAN: more reliably detect page OOBs
Product: Memory Management
Reporter: Dmitry Vyukov (dvyukov)
Component: Sanitizers
Assignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: NEW
Severity: normal
CC: andreyknvl, kasan-dev
Priority: P1
Hardware: All
OS: Linux
Kernel Version: ALL
Subsystem:
Regression: No
Bisected commit-id:

Description Dmitry Vyukov 2022-12-01 12:39:33 UTC
Page allocations don't have redzones. So when we are checking shadow for OOB accesses (in particular, memset/cpy) we can miss OOB if the next page happens to be allocated (for kernel/user/pagecache).

As a result such OOBs can lead to silent memory corruptions, which are very expensive to debug.

I think it's overkill to add additional checks for normal memory accesses, but for memory_is_poisoned_n (memset/cpy) we could well check that all accessed pages belong to the same allocation:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/kasan/generic.c?id=04aa64375f48a5d430b5550d9271f8428883e550#n123

Similarly to how copy_to/from_user checks that the access does not cross object boundaries.
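Added illustration (not code from this report, nor from mm/kasan): a user-space C model of the gap described above and of the proposed check. Page ownership is tracked in a constructed per-page table standing in for the kernel's per-struct-page metadata; `model_alloc_pages`, `model_shadow_is_poisoned` and `model_range_crosses_allocation` are hypothetical names for the demo. The scenario is two adjacent page allocations with a memset that runs from the end of the first into the second: the shadow-only check sees two unpoisoned pages and passes, while the same-allocation check fires.

```c
/*
 * User-space model of "all pages touched by a memset/memcpy range must
 * belong to the same allocation". Added example; the page-owner table
 * and helper names below are assumptions, not kernel APIs.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define NR_PAGES   16

/* Constructed per-page state: 0 = free, otherwise an allocation id shared by
 * every page handed out by one model_alloc_pages() call. */
static unsigned int page_owner[NR_PAGES];
static unsigned int next_owner = 1;

/* Addresses in the model are byte offsets into an NR_PAGES-page region. */
static inline unsigned long pfn_of(uintptr_t addr) { return addr >> PAGE_SHIFT; }

/* Model of alloc_pages(order): take 1<<order contiguous free pages (lowest
 * fit first) and return the base address, or (uintptr_t)-1 when full. */
uintptr_t model_alloc_pages(unsigned int order)
{
    unsigned long n = 1UL << order;
    for (unsigned long start = 0; start + n <= NR_PAGES; start += n) {
        bool all_free = true;
        for (unsigned long i = 0; i < n; i++)
            if (page_owner[start + i]) { all_free = false; break; }
        if (!all_free) continue;
        for (unsigned long i = 0; i < n; i++)
            page_owner[start + i] = next_owner;
        next_owner++;
        return start << PAGE_SHIFT;
    }
    return (uintptr_t)-1;
}

/* What a shadow-only check sees for page allocations (no redzones): every
 * allocated page is fully unpoisoned, so a range is flagged only if it
 * touches a free page. Running into a neighbouring allocated page passes. */
bool model_shadow_is_poisoned(uintptr_t addr, size_t size)
{
    if (size == 0) return false;
    unsigned long first = pfn_of(addr), last = pfn_of(addr + size - 1);
    for (unsigned long pfn = first; pfn <= last; pfn++)
        if (pfn >= NR_PAGES || page_owner[pfn] == 0) return true;
    return false;
}

/* The proposed additional check for memset/memcpy-style ranges: every page
 * in [addr, addr + size) must carry the same allocation id. */
bool model_range_crosses_allocation(uintptr_t addr, size_t size)
{
    if (size == 0) return false;
    unsigned long first = pfn_of(addr), last = pfn_of(addr + size - 1);
    if (last >= NR_PAGES) return true;
    unsigned int owner = page_owner[first];
    if (owner == 0) return true;            /* starts in a free page */
    for (unsigned long pfn = first + 1; pfn <= last; pfn++)
        if (page_owner[pfn] != owner) return true;
    return false;
}

/* Scenario: two adjacent order-1 allocations; a 32-byte memset starts 16
 * bytes before the end of the first and spills into the second. Returns true
 * when the shadow check misses the OOB and the proposed check catches it. */
bool demo_adjacent_pages_oob(void)
{
    memset(page_owner, 0, sizeof(page_owner));
    next_owner = 1;
    uintptr_t a = model_alloc_pages(1);         /* pages 0-1 */
    uintptr_t b = model_alloc_pages(1);         /* pages 2-3 */
    if (b != a + 2 * PAGE_SIZE) return false;   /* model places them adjacently */
    uintptr_t start = a + 2 * PAGE_SIZE - 16;   /* last 16 bytes of a ... */
    size_t len = 32;                            /* ... plus 16 bytes of b */
    bool shadow_flags = model_shadow_is_poisoned(start, len);
    bool proposed_flags = model_range_crosses_allocation(start, len);
    return !shadow_flags && proposed_flags;
}

int main(void)
{
    printf("adjacent-page OOB caught only by the same-allocation check: %s\n",
           demo_adjacent_pages_oob() ? "yes" : "no");
    return 0;
}
```

The check is deliberately limited to multi-byte ranges, matching the description's point that per-access instrumentation would be too costly; the page-ownership lookup happens once per memset/memcpy rather than once per load or store.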
Comment 1 Andrey Konovalov 2023-11-06 17:36:05 UTC
This is a partial duplicate of https://bugzilla.kernel.org/show_bug.cgi?id=203967.