Bug 199359 - KASAN: double-free is not detected on kzfree
Summary: KASAN: double-free is not detected on kzfree
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: Dmitry Vyukov
URL:
Keywords:
Depends on:
Blocks:
Reported: 2018-04-11 15:49 UTC by Dmitry Vyukov
Modified: 2018-09-19 09:03 UTC

See Also:
Kernel Version: ALL
Tree: Mainline
Regression: No



Description Dmitry Vyukov 2018-04-11 15:49:06 UTC
KASAN did not properly detect this bug:
https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/cvPh_4JXBgAJ
and it caused silent memory corruptions and explosion of assorted bugs reported by syzbot.

The crux is that the double-free happens via kzfree. kzfree calls ksize to do a memset before calling kfree. ksize _unpoisons_ the whole object (which was already free). And finally we call kfree, which checks the first shadow byte and decides that the object is good.

Probably need an additional kasan check in ksize.
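A toy model of the shadow-memory interaction described above, added here as an illustration; it is not kernel code or the reporter's code, and the object size, the freed-marker value and all function names are constructed. It reproduces the miss (a double free through kzfree raises no report) and shows that a shadow check in ksize restores detection.

```c
#include <stdbool.h>
#include <string.h>
#define OBJ_SIZE 64      /* hypothetical object size */
#define KASAN_FREE 0xFB  /* constructed marker for "freed" shadow bytes */
/* One shadow byte per object byte: a simplification of KASAN's 8:1 shadow. */
static unsigned char shadow[OBJ_SIZE];
static unsigned char object[OBJ_SIZE];
static int reports;      /* double-free reports raised by the model */
static void model_reset(void) {
    memset(shadow, 0, sizeof shadow);  /* object starts allocated, unpoisoned */
    reports = 0;
}
/* kfree checks only the first shadow byte, then poisons the whole object. */
static void model_kfree(void) {
    if (shadow[0] == KASAN_FREE) { reports++; return; }
    memset(shadow, KASAN_FREE, sizeof shadow);
}
/* ksize as the report describes it: unconditionally unpoisons the object. */
static size_t model_ksize_unchecked(void) {
    memset(shadow, 0, sizeof shadow);
    return OBJ_SIZE;
}
/* Candidate fix: refuse to unpoison an object whose shadow marks it freed. */
static size_t model_ksize_checked(void) {
    if (shadow[0] == KASAN_FREE) { reports++; return 0; }
    memset(shadow, 0, sizeof shadow);
    return OBJ_SIZE;
}
/* kzfree: query the size, wipe the contents, then free. */
static void model_kzfree(bool checked_ksize) {
    size_t n = checked_ksize ? model_ksize_checked() : model_ksize_unchecked();
    if (n == 0) return;  /* the checked ksize already reported */
    memset(object, 0, n);
    model_kfree();
}
/* Plain double kfree: the first-shadow-byte check catches it (1 report). */
int double_kfree_reports(void) {
    model_reset();
    model_kfree();
    model_kfree();
    return reports;
}
/* Double free via kzfree: 0 reports with the original ksize, 1 with the fix. */
int double_kzfree_reports(bool checked_ksize) {
    model_reset();
    model_kzfree(checked_ksize);
    model_kzfree(checked_ksize);
    return reports;
}
```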
