Bug 199359 - KASAN: double-free is not detected on kzfree
Summary: KASAN: double-free is not detected on kzfree
Status: RESOLVED CODE_FIX
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Marco Elver
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-11 15:49 UTC by Dmitry Vyukov
Modified: 2020-10-17 08:00 UTC (History)
2 users (show)

See Also:
Kernel Version: ALL
Tree: Mainline
Regression: No


Attachments

Description Dmitry Vyukov 2018-04-11 15:49:06 UTC
KASAN did not properly detect this bug:
https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/cvPh_4JXBgAJ
and it caused silent memory corruptions and explosion of assorted bugs reported by syzbot.

The crux is that double-free happens via kzfree. kzfree calls ksize to do memset before before calling kfree. ksize _unpoisons_ whole object (which was already free). And finally we call kfree, which checks first shadow byte and decides that the object is good.

Probably need an additional kasan check in ksize.
Comment 1 Andrey Konovalov 2020-10-16 19:46:31 UTC
This is fixed by the "mm/kasan: Add object validation in ksize()" series, right?
Comment 2 Dmitry Vyukov 2020-10-17 08:00:00 UTC
Yes, fixed by 0d4ca4c9bab3 ("mm/kasan: add object validation in ksize()")

Note You need to log in before you can comment on or make changes to this bug.