Bug 212173 - KASAN (tags): explore possibility of not using a match-all pointer tag
Summary: KASAN (tags): explore possibility of not using a match-all pointer tag
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: MM/Sanitizers virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-09 13:52 UTC by Andrey Konovalov
Modified: 2024-10-21 17:32 UTC
CC List: 1 user

See Also:
Kernel Version: upstream
Subsystem:
Regression: No
Bisected commit-id:

Description Andrey Konovalov 2021-03-09 13:52:14 UTC
Currently, tag-based KASAN modes use 0xFF as a match-all pointer tag. This means that memory with arbitrary memory tags can be accessed through such a pointer. This is a weakness against memory corruption exploits if the attacker can craft such pointers.

Ideally, there should be no match-all pointer tags. The feasibility of this needs to be investigated.
Comment 1 Andrey Konovalov 2024-10-21 17:32:57 UTC
If we manage to get rid of the match-all tag, we can also rethink the strategy of marking freed memory with a reserved tag (0xFE). This would prevent attackers from being able to reliably access metadata stored within freed memory via crafted pointers. As long as the match-all tag is there, getting rid of the reserved free tag likely makes little impact against attacks via crafted pointers.
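To make the weakness discussed in the description and in comment 1 concrete, here is a small user-space model of the tag check that tag-based KASAN performs on every access. This is an added illustration, not code from the kernel or from the reporter: the tag values follow mm/kasan (0xFF for the match-all "kernel" tag, 0xFE for freed memory, 0xFD as the largest allocation tag, 16-byte granules), but the per-granule tag array, the `policy` switch and the helper names are assumptions of the model. It shows a forged pointer carrying the 0xFF tag reaching a freed (0xFE-tagged) granule when match-all is honoured, and being rejected when it is not, while a genuine stale pointer is caught under both policies.

```c
/* Added example: user-space model of the tag-based KASAN pointer/memory
 * tag check. Not kernel code. Tag constants mirror mm/kasan; the granule
 * array, the policy enum and the function names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_SHIFT    56      /* arm64: pointer tag lives in the top byte */
#define TAG_KERNEL   0xFFu   /* match-all pointer tag (KASAN_TAG_KERNEL) */
#define TAG_INVALID  0xFEu   /* reserved tag written to freed memory */
#define TAG_MAX      0xFDu   /* largest tag handed out to allocations */
#define GRANULE_SIZE 16      /* one memory tag per 16-byte granule */
#define NGRANULES    8

/* Memory tags, one per granule (shadow memory in the SW mode, allocation
 * tags under MTE). Assumed layout for the model. */
static uint8_t memtags[NGRANULES];

enum policy { MATCH_ALL_ALLOWED, NO_MATCH_ALL };

static inline uint8_t  ptr_tag(uint64_t p)  { return (uint8_t)(p >> TAG_SHIFT); }
static inline uint64_t untagged(uint64_t p) { return p & ((1ULL << TAG_SHIFT) - 1); }
static inline uint64_t set_tag(uint64_t p, uint8_t tag)
{
    return untagged(p) | ((uint64_t)tag << TAG_SHIFT);
}

/* "Allocate" granule g with the given allocation tag (0..TAG_MAX) and
 * return a pointer tagged to match it. */
static uint64_t model_alloc(unsigned g, uint8_t tag)
{
    memtags[g] = tag;
    return set_tag((uint64_t)g * GRANULE_SIZE, tag);
}

/* "Free" granule g: poison its memory tag with the reserved free tag. */
static void model_free(unsigned g) { memtags[g] = TAG_INVALID; }

/* Tag check for a one-granule access; true means the access is allowed. */
static bool check_access(uint64_t p, enum policy pol)
{
    uint8_t pt = ptr_tag(p);
    unsigned g = (unsigned)(untagged(p) / GRANULE_SIZE);

    if (g >= NGRANULES)
        return false;
    /* The weakness from the report: a 0xFF pointer tag matches any
     * memory tag, including the 0xFE tag of freed memory. */
    if (pol == MATCH_ALL_ALLOWED && pt == TAG_KERNEL)
        return true;
    return pt == memtags[g];
}

/* Attacker scenario: forge a pointer with the match-all tag into a
 * granule that has already been freed. */
bool forged_ptr_reaches_freed(enum policy pol)
{
    memset(memtags, 0, sizeof memtags);
    uint64_t p = model_alloc(3, 0x2A);
    model_free(3);
    return check_access(set_tag(p, TAG_KERNEL), pol);
}

/* Ordinary use-after-free: the stale pointer keeps tag 0x2A, the memory
 * now carries 0xFE, so the mismatch is caught under either policy. */
bool stale_ptr_caught(enum policy pol)
{
    memset(memtags, 0, sizeof memtags);
    uint64_t p = model_alloc(3, 0x2A);
    model_free(3);
    return !check_access(p, pol);
}

/* A live allocation accessed through its own tagged pointer is allowed. */
bool valid_access_allowed(enum policy pol)
{
    memset(memtags, 0, sizeof memtags);
    return check_access(model_alloc(5, 0x07), pol);
}

int main(void)
{
    printf("forged 0xFF pointer into freed memory, match-all honoured: %s\n",
           forged_ptr_reaches_freed(MATCH_ALL_ALLOWED) ? "ALLOWED" : "blocked");
    printf("forged 0xFF pointer into freed memory, no match-all:       %s\n",
           forged_ptr_reaches_freed(NO_MATCH_ALL) ? "ALLOWED" : "blocked");
    printf("stale pointer after free caught: %s\n",
           stale_ptr_caught(MATCH_ALL_ALLOWED) ? "yes" : "no");
    return 0;
}
```

The model also makes the feasibility question visible: under `NO_MATCH_ALL`, any pointer that carries 0xFF fails the check, so every kernel pointer that is currently produced with the match-all tag would have to be given a real tag first. It also illustrates comment 1: as long as 0xFF is honoured, the 0xFE free tag does not stop a crafted pointer, so the two changes only pay off together.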