Bug 212177 - KASAN (tags): improve use-after-reallocate detection
Summary: KASAN (tags): improve use-after-reallocate detection
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All Linux
Importance: P1 normal
Assignee: MM/Sanitizers virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-09 14:00 UTC by Andrey Konovalov
Modified: 2023-10-22 13:17 UTC
CC List: 1 user

See Also:
Kernel Version: upstream
Subsystem:
Regression: No
Bisected commit-id:

Description Andrey Konovalov 2021-03-09 14:00:01 UTC
Currently, a fully random tag is generated for each allocated memory block. This means that there's a 1/14 probability that the same tag will be used when memory is freed and then allocated. KASAN could generate a non-matching tag in such cases.

Related bug: https://bugzilla.kernel.org/show_bug.cgi?id=203505
Comment 1 Andrey Konovalov 2023-10-22 13:17:16 UTC
For reference, this is how SCUDO does this:

https://github.com/llvm/llvm-project/commit/8fac07a12

However, note that SCUDO does not use a dedicated tag to mark freed memory and only retags memory on deallocation. Perhaps KASAN could use this approach as well.
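The following C program is an added example written for this page; it is not kernel, KASAN or SCUDO code. It models the two points raised above (the description's 1/14 chance that a fully random tag repeats across a free/reallocate cycle, and Comment 1's dedicated tag for freed memory) as a small simulation. Its assumptions: tags are 4-bit values, 0xF is the match-all tag of untagged pointers, 0xE is reserved to mark freed memory, so 14 allocation tags remain (this is how the example arrives at the report's 1/14 figure); a reproducible xorshift32 PRNG stands in for the kernel's random tag source.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of tag-based KASAN tagging (added example, not kernel or SCUDO
 * code). Tags are 4-bit values. Two values are reserved by assumption:
 * TAG_KERNEL (0xF) is the match-all tag carried by untagged pointers and
 * TAG_INVALID (0xE) marks freed memory, leaving the 14 usable allocation
 * tags behind the 1/14 figure in the report. */
#define TAG_KERNEL      0xF
#define TAG_INVALID     0xE
#define NUM_USABLE_TAGS 14      /* tags 0x0 .. 0xD */

struct block {
    uint8_t mem_tag;            /* tag recorded for the block in shadow memory */
};

/* xorshift32: small, reproducible PRNG for the simulation. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t rng_next(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    rng_state = x;
    return x;
}

/* The access check: a pointer may touch memory if its tag matches the
 * memory tag, or if it carries the match-all kernel tag. */
bool tag_check(uint8_t ptr_tag, uint8_t mem_tag)
{
    return ptr_tag == TAG_KERNEL || ptr_tag == mem_tag;
}

/* Policy A, current behaviour per the report: a fully random usable tag,
 * independent of whatever tag the block carried before. */
uint8_t policy_random(uint8_t prev_tag)
{
    (void)prev_tag;
    return (uint8_t)(rng_next() % NUM_USABLE_TAGS);
}

/* Policy B, the improvement the report asks for: random, but never equal to
 * the tag the block had before it was freed, so a pointer left over from
 * the previous allocation can never pass tag_check on the new one. */
uint8_t policy_non_matching(uint8_t prev_tag)
{
    uint8_t t;
    do {
        t = (uint8_t)(rng_next() % NUM_USABLE_TAGS);
    } while (t == prev_tag);
    return t;
}

typedef uint8_t (*tag_policy)(uint8_t prev_tag);

/* Free retags the memory with the dedicated "freed" tag (the KASAN
 * behaviour Comment 1 contrasts with SCUDO). No usable tag equals it, so a
 * stale pointer is always caught while the block is free. */
bool freed_memory_always_caught(void)
{
    for (uint8_t t = 0; t < NUM_USABLE_TAGS; t++)
        if (tag_check(t, TAG_INVALID))
            return false;
    return true;
}

/* Run n free-then-reallocate cycles on one block and count how often a
 * stale pointer, still carrying the previous allocation's tag, would pass
 * the tag check against the reallocated block (an undetected use). */
unsigned count_use_after_realloc_misses(tag_policy policy, unsigned n)
{
    struct block b = { .mem_tag = policy(TAG_INVALID) };
    uint8_t stale = b.mem_tag;
    unsigned misses = 0;

    for (unsigned i = 0; i < n; i++) {
        b.mem_tag = TAG_INVALID;            /* free: dedicated freed tag */
        b.mem_tag = policy(stale);          /* reallocate: fresh tag */
        if (tag_check(stale, b.mem_tag))
            misses++;
        stale = b.mem_tag;
    }
    return misses;
}

int main(void)
{
    printf("random tag:       %u misses in 14000 reallocations\n",
           count_use_after_realloc_misses(policy_random, 14000));
    printf("non-matching tag: %u misses in 14000 reallocations\n",
           count_use_after_realloc_misses(policy_non_matching, 14000));
    return 0;
}
```

With the random policy the miss count lands near 14000/14 = 1000; with the non-matching policy it is exactly zero, at the cost of choosing from 13 rather than 14 tags for each reallocation. The separate freed-memory tag is what makes a use-after-free caught while the block is still free; the non-matching tag extends that guarantee to the first reallocation of the same block.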