Bug 218433

Summary: KASAN (generic): avoid init_on_free zeroing metadata
Product: Memory Management
Reporter: Andrey Konovalov (andreyknvl)
Component: Sanitizers
Assignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: NEW
Severity: normal
CC: kasan-dev
Priority: P3
Hardware: All
OS: Linux
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:

Description Andrey Konovalov 2024-01-29 21:08:38 UTC
When init_on_free is enabled, slab_free_hook memsets everything past s->inuse, including Generic KASAN metadata (free meta for small objects and alloc meta for all objects). This happens before KASAN puts the object into quarantine.

As a result, with init_on_free, use-after-free reports are always missing the alloc stack trace and sometimes the free stack trace. E.g. all kmalloc_uaf tests are missing the alloc stack trace.

We should teach init_on_free to not memset Generic KASAN metadata.

Reported-by: Brad Spengler <@spendergrsec>
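A constructed C model of the overlap the report describes, added here as an illustration; it is not code from the bug report or from the kernel. The slot layout, the offsets in `kmalloc64_model` and the helper names are assumptions: the real offsets are chosen by the kernel when the cache is created.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of one SLUB slot: [object][freeptr][KASAN meta][pad][red zone].
 * Offsets are illustrative only; the kernel computes its own. */
struct cache_model {
    size_t inuse;      /* s->inuse: end of object payload + free pointer */
    size_t meta_off;   /* where Generic KASAN alloc/free meta starts */
    size_t meta_size;  /* bytes of in-object KASAN metadata */
    size_t red_pad;    /* right red zone width, 0 without SLAB_RED_ZONE */
    size_t size;       /* s->size: whole slot */
};

/* Byte range [start, end) that init_on_free zeroes in slab_free_hook. */
struct range { size_t start, end; };

/* As the report describes it: zero everything past s->inuse up to the red
 * zone, which runs straight over the KASAN metadata. */
static struct range zero_range_current(const struct cache_model *s)
{
    return (struct range){ s->inuse, s->size - s->red_pad };
}

/* The requested behaviour: start zeroing after the KASAN metadata instead. */
static struct range zero_range_proposed(const struct cache_model *s)
{
    size_t start = s->meta_off + s->meta_size;
    return (struct range){ start > s->inuse ? start : s->inuse, s->size - s->red_pad };
}

/* Simulate a free: stamp a marker into the metadata (standing in for the alloc
 * stack trace), run the memset, and report whether the marker survived. */
static bool meta_survives_free(const struct cache_model *s, bool proposed)
{
    unsigned char slot[256] = {0};
    struct range r = proposed ? zero_range_proposed(s) : zero_range_current(s);
    if (s->size > sizeof slot || r.end < r.start)
        return false;
    memset(slot + s->meta_off, 0xAA, s->meta_size);   /* "alloc stack" marker */
    memset(slot + r.start, 0, r.end - r.start);       /* init_on_free zeroing */
    for (size_t i = 0; i < s->meta_size; i++)
        if (slot[s->meta_off + i] != 0xAA)
            return false;
    return true;
}

/* Constructed kmalloc-64-like cache: 64-byte object, 8-byte free pointer,
 * 32 bytes of KASAN metadata right after s->inuse, 8 bytes of padding,
 * then an 8-byte right red zone. */
static const struct cache_model kmalloc64_model = {
    .inuse = 72, .meta_off = 72, .meta_size = 32, .red_pad = 8, .size = 120,
};
```

With the current range the marker is wiped before quarantine, which is why the alloc stack is missing from the UAF report; with the proposed range only the padding after the metadata is zeroed.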