Bug 218153

Summary: KASAN: detect accesses to user-mapped pages
Product: Memory Management
Reporter: Dmitry Vyukov (dvyukov)
Component: Sanitizers
Assignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: NEW
Severity: enhancement
CC: kasan-dev
Priority: P3
Hardware: All
OS: Linux
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:

Description Dmitry Vyukov 2023-11-16 11:34:46 UTC
If we have a use-after-free or out-of-bounds that accesses a page that is mapped to userspace (e.g. with a normal anon mmap), then currently we do not detect it as a bug, since all pages returned by page_alloc are unpoisoned, so pages allocated for userspace are unpoisoned as well. As a result, kernel code can freely corrupt them.

We should try to keep these pages KASAN-poisoned.
But we need to double-check what happens with non-anon mappings, and what happens with kmap.

For future reference: current path that allocates pages for user-space is: handle_mm_fault -> handle_pte_fault -> vm_normal_page -> do_anonymous_page -> vma_alloc_folio -> __folio_alloc -> __alloc_pages.
Perhaps we could add a gfp flag that tells __alloc_pages to not unpoison.

There should also be an eager allocation path in mmap(MAP_POPULATE).
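Added illustration, not code from the report or from the kernel: a toy C model of KASAN shadow memory showing why a stray kernel access into a user-mapped page goes undetected when the page is unpoisoned at allocation, and how a hypothetical "keep poisoned" gfp flag (name, page size and page count are all made up for the model) would make the same access visible to the shadow check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of KASAN shadow memory (constructed for illustration; not kernel code).
 * Page size, page count and the flag name are simplified or hypothetical. */
#define PAGE_SIZE         64
#define NR_PAGES          4
#define SHADOW_GRAN       8      /* one shadow byte per 8-byte granule, as in generic KASAN */
#define KASAN_PAGE_FREE   0xFF   /* shadow value meaning "freed/unallocated page" */
#define GFP_KEEP_POISONED 0x1u   /* hypothetical gfp flag from the report: do not unpoison */

static uint8_t shadow[NR_PAGES * PAGE_SIZE / SHADOW_GRAN]; /* 0 = accessible, nonzero = poisoned */

static void set_page_shadow(int page, uint8_t val)
{
    memset(shadow + (size_t)page * PAGE_SIZE / SHADOW_GRAN, val, PAGE_SIZE / SHADOW_GRAN);
}

/* Model of __alloc_pages: the page is unpoisoned on allocation unless the caller
 * asks for it to stay poisoned (the proposal for pages headed to a user mapping). */
static void alloc_page(int page, unsigned gfp)
{
    if (!(gfp & GFP_KEEP_POISONED))
        set_page_shadow(page, 0);
}

/* Model of the KASAN access check: 1 if any granule covering [addr, addr+size) is poisoned. */
static int kasan_check(size_t addr, size_t size)
{
    size_t first = addr / SHADOW_GRAN, last = (addr + size - 1) / SHADOW_GRAN;
    for (size_t g = first; g <= last; g++)
        if (shadow[g])
            return 1;
    return 0;
}

/* Scenario from the report: a kernel out-of-bounds write runs off page 1 into page 2,
 * which was allocated for userspace. Returns 1 if KASAN would flag the stray access. */
static int stray_access_detected(int keep_user_pages_poisoned)
{
    memset(shadow, KASAN_PAGE_FREE, sizeof(shadow));                 /* all pages start free */
    alloc_page(1, 0);                                                /* kernel buffer: unpoisoned */
    alloc_page(2, keep_user_pages_poisoned ? GFP_KEEP_POISONED : 0); /* page handed to userspace */
    return kasan_check(1 * PAGE_SIZE + PAGE_SIZE - 4, 8);            /* 8-byte write straddling into page 2 */
}
```

With today's behaviour (flag absent) the straddling write is silently allowed; with the page kept poisoned the same write trips the shadow check.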