199359 – KASAN: double-free is not detected on kzfree

Bug 199359 - KASAN: double-free is not detected on kzfree

Summary: KASAN: double-free is not detected on kzfree

Status:	RESOLVED CODE_FIX

Alias:	None

Product:	Memory Management
Classification:	Unclassified
Component:	Sanitizers (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	Marco Elver

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-04-11 15:49 UTC by Dmitry Vyukov
Modified:	2020-10-17 08:00 UTC (History)
CC List:	2 users (show)

See Also:
Kernel Version:	ALL
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Dmitry Vyukov 2018-04-11 15:49:06 UTC

KASAN did not properly detect this bug:
https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/cvPh_4JXBgAJ
and it caused silent memory corruptions and explosion of assorted bugs reported by syzbot.

The crux is that double-free happens via kzfree. kzfree calls ksize to do memset before before calling kfree. ksize _unpoisons_ whole object (which was already free). And finally we call kfree, which checks first shadow byte and decides that the object is good.

Probably need an additional kasan check in ksize.

Comment 1 Andrey Konovalov 2020-10-16 19:46:31 UTC

This is fixed by the "mm/kasan: Add object validation in ksize()" series, right?

Comment 2 Dmitry Vyukov 2020-10-17 08:00:00 UTC

Yes, fixed by 0d4ca4c9bab3 ("mm/kasan: add object validation in ksize()")

Note You need to log in before you can comment on or make changes to this bug.