Bug 216657 - KASAN: catch object/redzone overwrite by uninstrumented accesses
Summary: KASAN: catch object/redzone overwrite by uninstrumented accesses
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: MM/Sanitizers virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-03 16:53 UTC by Dmitry Vyukov
Modified: 2022-11-03 16:53 UTC
CC List: 1 user

See Also:
Kernel Version: ALL
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description Dmitry Vyukov 2022-11-03 16:53:09 UTC
Comparing KASAN with slub_debug, there is one type of bug that can be caught by slub_debug but not by KASAN.
If a freed object or redzone is overwritten by something that's not instrumented with KASAN (uncommon asm, DMA, VM guest), then KASAN won't catch it, while slub_debug still can catch it later (with no access stack, but still).
To achieve full parity we could fill the object/redzone with a pattern and check that it's not overwritten when the object is evicted from quarantine. We will still have alloc/free stacks, and quarantine gives better detection for UAFs.
But not sure how frequent such bugs are.
