Bug 216662 - KASAN: detect use-after-return bugs
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All Linux
Importance: P1 normal
Assignee: MM/Sanitizers virtual assignee
Reported: 2022-11-04 18:01 UTC by Dmitry Vyukov
Modified: 2022-11-04 18:01 UTC

Kernel Version: ALL
Regression: No
Description Dmitry Vyukov 2022-11-04 18:01:53 UTC
User-space ASAN can detect use-after-return (UAR) bugs by using fake stack frames, and poisoning and quarantining them on return.

KASAN does not support this yet.
Some kernel structures are frequently allocated on the stack and shared between threads, e.g. completion. C may also be more amenable to UARs due to raw struct copies (no RAII, no copy ctors, etc).

Implementing UAR support may be trickier in the kernel since it will need to work in IRQ/NMI contexts. But perhaps we could do something in a best-effort manner and fall back to the real frames on the stack if fake frame allocation fails/cannot be done in the current context. ASAN instrumentation may already support fallback to real frames since UAR detection can be turned off at runtime.
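A toy model of the fake-stack mechanism the report describes, added here as an illustration (it is not KASAN or ASAN code; the pool size, shadow states and function names are constructed): locals live in frames taken from a pool, a returned frame is poisoned and quarantined, an instrumented access into a poisoned frame is reported as use-after-return, and an exhausted pool returns NULL so the caller can fall back to the real stack.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model of user-space ASAN's fake-stack scheme (constructed example, not
 * KASAN code): locals live in a pool of fake frames; on return a frame is
 * poisoned and quarantined, so a dangling pointer hits poison, not a reuse. */
enum { FRAME_SIZE = 64, POOL_FRAMES = 4 };
enum { FREE, LIVE, POISONED };                 /* per-frame toy shadow state */

static unsigned char pool[POOL_FRAMES][FRAME_SIZE];
static int shadow[POOL_FRAMES];
static int quarantine[2] = { -1, -1 }, qhead;  /* last two returned frames */

/* Function entry: NULL when the pool is exhausted, so the caller falls back
 * to a real stack frame (the best-effort path the report suggests). */
void *fake_frame_alloc(void)
{
    for (int i = 0; i < POOL_FRAMES; i++) {
        if (shadow[i] == LIVE || quarantine[0] == i || quarantine[1] == i)
            continue;
        shadow[i] = LIVE;
        return pool[i];
    }
    return NULL;
}

/* Function return: poison the frame and park it in the quarantine ring. */
void fake_frame_release(void *frame)
{
    int i = (int)((unsigned char *)frame - (unsigned char *)pool) / FRAME_SIZE;
    shadow[i] = POISONED;
    quarantine[qhead++ & 1] = i;
}

/* Instrumented load/store check: true means use-after-return. */
bool access_is_uar(const void *p)
{
    ptrdiff_t off = (const unsigned char *)p - (const unsigned char *)pool;
    return off >= 0 && off < (ptrdiff_t)sizeof pool && shadow[off / FRAME_SIZE] == POISONED;
}

/* The report's scenario: a completion-like local handed to another thread
 * and touched after its owner returned. */
bool demo_detects_uar(void)
{
    int *done = fake_frame_alloc();            /* "struct completion done;" */
    if (!done) return false;                   /* fallback: real stack, unchecked */
    fake_frame_release(done);                  /* owner returns */
    return access_is_uar(done);                /* waiter's late access: caught */
}
```

The quarantine is what makes the late access visible: the first allocation after a return gets a different frame, so the dangling pointer still points at poisoned memory.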
