Bug 214761 - KASAN (tags): consider stripping pointer tags in kcmp and FUSE
Summary: KASAN (tags): consider stripping pointer tags in kcmp and FUSE
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All Linux
: P1 normal
Assignee: MM/Sanitizers virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-19 22:12 UTC by Andrey Konovalov
Modified: 2021-10-19 22:12 UTC

See Also:
Kernel Version: upstream
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description Andrey Konovalov 2021-10-19 22:12:32 UTC
The kcmp syscall and fuse_lock_owner_id() might allow bypassing Tag-Based KASAN mode in use-after-free exploits. See the "Against UAF access: Probabilistic UAF mitigation; pointer leaks" section of [1] for details. This needs to be investigated.

[1] https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html
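The mitigation the bug title asks for, as an added user-space illustration that is not kernel code and not part of this report: arm64 tag-based KASAN keeps an 8-bit tag in the top byte of a pointer, and a kcmp-style three-way comparison that operates on the raw value lets the tag influence the result, so a comparison between a stale pointer and a fresh pointer to the same memory is not "equal". Stripping the tag before the comparison (what the kernel's kasan_reset_tag() does) makes the result depend only on the address. The cookie, the address and the tag values are constructed here; the kernel's real kptr_obfuscate() uses random per-type cookies.

```c
#include <stdint.h>
#include <stdio.h>

/* Top-byte pointer tag layout as used by arm64 tag-based KASAN (bits 63:56). */
#define TAG_SHIFT 56
#define TAG_MASK  0xffULL

/* Install a tag in the top byte, replacing whatever was there. */
static uint64_t set_tag(uint64_t ptr, uint8_t tag)
{
    return (ptr & ~(TAG_MASK << TAG_SHIFT)) | ((uint64_t)tag << TAG_SHIFT);
}

/* Clear the tag byte; user-space stand-in for the kernel's kasan_reset_tag(). */
static uint64_t reset_tag(uint64_t ptr)
{
    return ptr & ~(TAG_MASK << TAG_SHIFT);
}

/* Constructed cookie standing in for the kernel's random per-type cookie. */
#define COOKIE 0x9e3779b97f4a7c15ULL

static uint64_t obfuscate(uint64_t v)
{
    return v ^ COOKIE;
}

/* kcmp-style result: 0 equal, 1 first is less, 2 first is greater. */
static int cmp3(uint64_t a, uint64_t b)
{
    uint64_t t1 = obfuscate(a), t2 = obfuscate(b);
    return (t1 < t2) | ((t1 > t2) << 1);
}

/* Unhardened: the tag byte takes part in the comparison, so the result
 * reveals whether two pointers to the same object carry the same tag. */
int kcmp_ptr_tagged(uint64_t a, uint64_t b)
{
    return cmp3(a, b);
}

/* Hardened: tags are stripped first, so only the address is compared. */
int kcmp_ptr_untagged(uint64_t a, uint64_t b)
{
    return cmp3(reset_tag(a), reset_tag(b));
}

int main(void)
{
    uint64_t obj   = 0xffff000012345000ULL;  /* constructed kernel-style address */
    uint64_t p_old = set_tag(obj, 0x3a);     /* stale pointer, old allocation tag */
    uint64_t p_new = set_tag(obj, 0x7c);     /* same memory after a re-tagging realloc */

    printf("tagged   cmp: %d\n", kcmp_ptr_tagged(p_old, p_new));
    printf("untagged cmp: %d\n", kcmp_ptr_untagged(p_old, p_new));
    return 0;
}
```

With the tagged comparison the two pointers to the same object compare as unequal, which is exactly the tag-dependent result a user should not be able to observe; with the stripped comparison they compare equal, while pointers to different objects still compare unequal.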
