Bug 215051 - KASAN (generic): gcc does not reliably detect globals left-out-of-bounds accesses
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All Linux
Importance: P1 enhancement
Assignee: MM/Sanitizers virtual assignee

Reported: 2021-11-17 11:11 UTC by Marco Elver
Modified: 2021-11-18 04:26 UTC
Kernel Version: 5.15
Regression: No

Description Marco Elver 2021-11-17 11:11:08 UTC
GCC does not appear to detect left-out-of-bounds accesses. We think it is a compiler issue, given that clang (11+) can detect left-out-of-bounds in test_kasan: https://lkml.kernel.org/r/20211117110916.97944-1-elver@google.com
Comment 1 Marco Elver 2021-11-17 14:15:31 UTC
From the patch adding the test: "... The main difference between GCC's globals redzoning and Clang's is that GCC relies on using increased alignment to producing padding, where Clang's redzoning implementation actually adds real data after the global and doesn't rely on alignment to produce padding. I believe this is the main reason why GCC can't reliably catch globals out-of-bounds in this case."
Comment 2 Chi-Thanh Hoang 2021-11-18 04:24:58 UTC
Kaiwan N Billimoria asked that I check why KASAN does not detect left-out-of-bounds accesses on a global array in .bss; he started the discussion with Marco.
I am adding my findings, as suggested by Marco.

Using gcc 9.3.0

char global_arr[10];

The following code:
{
 char w;

 char *ptr = global_arr;   /* one byte before the global */
 ptr = ptr - 1;
 w = *ptr;                  /* >>>> this code does not trigger KASAN */

}

I found through inspection of the shadow memory that there is no redzone declared before global_arr[10], i.e., no 0xf9, and the shadow memory before global_arr[10] is zero (a good value).

I therefore created 3 arrays:
char a[10];
char b[10];
char c[10];

{
 char *ptr = b;
 char w;

 ptr = ptr - 1;
 w = *ptr;   /* >>>>> this would trigger KASAN, as -1 will reference the redzone from array a[10] */

 ptr = a;
 ptr = ptr - 1;
 w = *ptr;   /* >>>>> no detection from KASAN since there is no redzone */

}

So the bug is due to the absence of a redzone for the first global declared in either .bss or .data; I have to admit it is a corner case.
Another question I have is how to increase the redzone size to better detect OOB?
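As an added illustration (not code from this report or from the kernel), the following models the generic KASAN shadow check over a constructed shadow layout mirroring the three-array experiment above: 8-byte granules, 0xf9 marking a global redzone, and nothing poisoned before the first global. The offsets (a at 8, b at 40, c at 72) and the 22-byte redzone are assumptions chosen to reproduce the observed shadow values, not GCC's exact instrumentation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHADOW_SHIFT 3                     /* generic KASAN: one shadow byte per 8-byte granule */
#define GRANULE (1UL << SHADOW_SHIFT)
#define KASAN_GLOBAL_REDZONE 0xF9          /* shadow value marking a global's redzone */

/* Constructed shadow for a 104-byte window of .bss (13 granules). Assumed layout,
 * not GCC's exact one: a at 8, b at 40, c at 72, each 10 bytes + 22 bytes of redzone. */
enum { MODEL_BYTES = 104, A_OFF = 8, B_OFF = 40, C_OFF = 72, ARR_SIZE = 10, REDZONE = 22 };
static int8_t shadow[MODEL_BYTES / GRANULE];

/* Poison the shadow for one global the way compiler instrumentation would:
 * 0 for fully accessible granules, 1..7 for a partial granule, 0xf9 for the redzone. */
static void place_global(size_t off, size_t size, size_t redzone) {
    size_t end = off + size;                         /* first byte of the redzone */
    for (size_t g = off >> SHADOW_SHIFT; g < (end + redzone) >> SHADOW_SHIFT; g++) {
        size_t gstart = g << SHADOW_SHIFT;
        if (gstart + GRANULE <= end)
            shadow[g] = 0;
        else if (gstart < end)
            shadow[g] = (int8_t)(end - gstart);      /* only the first bytes are valid */
        else
            shadow[g] = (int8_t)KASAN_GLOBAL_REDZONE;
    }
}

static void build_model(void) {
    memset(shadow, 0, sizeof shadow);   /* granule 0 (before a) stays 0: no redzone there, as observed */
    place_global(A_OFF, ARR_SIZE, REDZONE);
    place_global(B_OFF, ARR_SIZE, REDZONE);
    place_global(C_OFF, ARR_SIZE, REDZONE);
}

/* Mirrors KASAN's 1-byte check: would a load at byte offset 'off' be reported? */
bool kasan_would_report(long off) {
    build_model();
    if (off < 0 || off >= MODEL_BYTES)
        return false;                                /* outside the window: shadow assumed 0 */
    int8_t s = shadow[off >> SHADOW_SHIFT];
    if (s == 0) return false;                        /* whole granule accessible */
    if (s < 0) return true;                          /* poisoned: redzone */
    return (off & (GRANULE - 1)) >= s;               /* partial granule: past the valid bytes? */
}
```

With this layout, b[-1] and c[-1] land on a 0xf9 granule and are reported, while a[-1] hits the zero shadow in front of the first global and passes silently, which is the behaviour described in the comment.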
