Bug 216457 - KASAN: confusing object size description for OOB bugs
Summary: KASAN: confusing object size description for OOB bugs
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers (show other bugs)
Hardware: All Linux
: P2 enhancement
Assignee: MM/Sanitizers virtual assignee
Depends on:
Reported: 2022-09-07 07:15 UTC by Dmitry Vyukov
Modified: 2022-09-07 07:22 UTC (History)
1 user (show)

See Also:
Kernel Version: ALL
Regression: No
Bisected commit-id:


Description Dmitry Vyukov 2022-09-07 07:15:20 UTC
KASAN says:

BUG: KASAN: slab-out-of-bounds in _find_next_bit+0x143/0x160 lib/find_bit.c:109
Read of size 8 at addr ffff8880175766b8 by task kworker/1:1/26
The buggy address belongs to the object at ffff888017576600
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 184 bytes inside of
 192-byte region [ffff888017576600, ffff8880175766c0)
Memory state around the buggy address:
>ffff888017576680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc

This "address is located 184 bytes inside of 192-byte region" is confusing b/c it does not look like an out-of-bounds access.

What happens here is that the allocation request was for 184 bytes, so the last 8 bytes in the 192-byte slab are poisoned. But KASAN does not store the requested size in the object header, so it just prints the full slab size everywhere.

User-space ASAN does store 48-bit requested size in the header. But KASAN uses additional bytes in the header for:

struct kasan_alloc_meta {
	depot_stack_handle_t aux_stack[2];

So we don't have space for requested size w/o increasing header size (currently should be 16 bytes).

We could either try to infer requested size from the shadow (count poisoned bytes at the end); or improve wording of the message at least to make it clear that 192 is just full slab size.

For context see:

Note You need to log in before you can comment on or make changes to this bug.