Bug 217612

Summary: KASAN: consider checking container_of
Product: Memory Management Reporter: Andrey Konovalov (andreyknvl)
Component: SanitizersAssignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: NEW ---    
Severity: normal CC: dvyukov, kasan-dev
Priority: P3    
Hardware: All   
OS: Linux   
Kernel Version: Subsystem:
Regression: No Bisected commit-id:

Description Andrey Konovalov 2023-06-29 21:11:03 UTC 
Consider adding checks that the start of the container is accessible on container_of invocations. The idea is inspired by the "UNCONTAINED: Uncovering Container Confusion in the Linux Kernel" paper [1, 2].

As mentioned in the "Time-of-use Checking" section in the paper, using container_of with wrong types might not immediately lead to a memory corruption. But arguably such uses are bugs on their own, and it's worth reporting them.

Note that the approach used in the paper goes beyond the mentioned simple checks and also checks container_of for nested container, see the "Container Nesting" section.

[1] https://www.vusec.net/projects/uncontained/
[2] https://download.vusec.net/papers/uncontained_sec23.pdf
Comment 1 Andrey Konovalov 2023-06-29 23:30:48 UTC 
For reference, a comment from one of the paper's authors wrt the idea [1]:

> The simple case (checking if the first and last byte are NOT redzones)
> probably provides a good tradeoff between adaptability and accuracy.

> Ofc doing it 'proper' will be much more complicated with incomplete redzones
> ('complex allocs, arrays, etc).

[1] https://twitter.com/JakobKoschel/status/1674548273338515456
Comment 2 Dmitry Vyukov 2023-06-30 03:52:46 UTC 
Another potential idea: if we introduce NEW(foo) macro instead of (struct foo*)kmalloc(sizeof(foo)) (or perhaps make compiler automatically detect such patterns), then we can have full object type info at runtime and check not just sizes during casts, but also types.
void* is frequently downcasted to struct pointers, that could be checked as well.