Bug 216762 - KASAN: more reliably detect page OOBs
Summary: KASAN: more reliably detect page OOBs
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All Linux
Importance: P1 normal
Assignee: MM/Sanitizers virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-01 12:39 UTC by Dmitry Vyukov
Modified: 2023-11-06 17:36 UTC (History)
CC: 2 users

See Also:
Kernel Version: ALL
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description Dmitry Vyukov 2022-12-01 12:39:33 UTC
Page allocations don't have redzones. So when we are checking shadow for OOB accesses (in particular, memset/cpy) we can miss OOB if the next page happens to be allocated (for kernel/user/pagecache).

As a result such OOBs can lead to silent memory corruptions, which are very expensive to debug.

I think it's an overkill to add additional checks for normal memory accesses, but for memory_is_poisoned_n (memset/cpy) we could well check that all accessed pages belong to the same allocation:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/kasan/generic.c?id=04aa64375f48a5d430b5550d9271f8428883e550#n123

Similarly to how copy_to/from_user checks that the access does not cross object boundaries.
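The following userspace model, added here and not part of the bug report or of the kernel's KASAN code, reproduces the situation the report describes: a shadow-only range check in the spirit of memory_is_poisoned_n() sees nothing wrong when a memset runs off the end of a page allocation into a neighbouring page that happens to be allocated, while a check that every touched page belongs to the same allocation flags it. The shadow array, the per-page owner table (a stand-in for whatever page metadata a real check would consult), the 0xFF free-page marker and all function names are constructed for this illustration.

```c
/* Userspace model of the problem in the report: shadow memory alone cannot
 * see a page-level overflow into a neighbouring allocated page, while a
 * per-page ownership check can. All names and values are constructed for
 * this illustration; this is not the kernel's KASAN code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE    4096u
#define NUM_PAGES    4u
#define SHADOW_SCALE 8u               /* one shadow byte per 8 bytes, as in KASAN */
#define SHADOW_BYTES (NUM_PAGES * PAGE_SIZE / SHADOW_SCALE)
#define PAGE_FREE    0xFF             /* model value for the shadow of a free page */

static uint8_t shadow[SHADOW_BYTES];   /* poison state, one byte per 8 bytes */
static unsigned page_owner[NUM_PAGES]; /* constructed: allocation id per page, 0 = free */

/* Reset the model: every page free and poisoned. */
void model_reset(void)
{
    memset(shadow, PAGE_FREE, sizeof shadow);
    memset(page_owner, 0, sizeof page_owner);
}

/* Allocate `npages` contiguous pages starting at page `first` as allocation
 * `id`: unpoison their shadow and record the owner. */
void model_alloc_pages(unsigned first, unsigned npages, unsigned id)
{
    memset(shadow + (size_t)first * PAGE_SIZE / SHADOW_SCALE, 0,
           (size_t)npages * PAGE_SIZE / SHADOW_SCALE);
    for (unsigned p = first; p < first + npages; p++)
        page_owner[p] = id;
}

/* Shadow-only range check in the spirit of memory_is_poisoned_n():
 * returns 1 if any shadow byte covering [addr, addr+len) is poisoned. */
int shadow_range_poisoned(size_t addr, size_t len)
{
    size_t first = addr / SHADOW_SCALE;
    size_t last  = (addr + len - 1) / SHADOW_SCALE;
    for (size_t s = first; s <= last; s++)
        if (shadow[s] != 0)
            return 1;
    return 0;
}

/* Stricter check the report proposes: every page touched by [addr, addr+len)
 * must belong to the same (non-free) allocation. Returns 1 if the range
 * crosses an allocation boundary. */
int range_crosses_allocation(size_t addr, size_t len)
{
    unsigned first = (unsigned)(addr / PAGE_SIZE);
    unsigned last  = (unsigned)((addr + len - 1) / PAGE_SIZE);
    unsigned owner = page_owner[first];
    if (owner == 0)
        return 1;
    for (unsigned p = first + 1; p <= last; p++)
        if (page_owner[p] != owner)
            return 1;
    return 0;
}

/* Combined check a memset/memcpy hook could apply: flag either kind of OOB. */
int check_range(size_t addr, size_t len)
{
    return shadow_range_poisoned(addr, len) || range_crosses_allocation(addr, len);
}

/* Scenario from the report: allocation A (2 pages) sits directly before
 * allocation B (1 page); page 3 is free. */
void scenario_adjacent_pages(void)
{
    model_reset();
    model_alloc_pages(0, 2, 1); /* A: pages 0-1 */
    model_alloc_pages(2, 1, 2); /* B: page 2   */
}

int main(void)
{
    scenario_adjacent_pages();
    /* 3-page memset from A overflows into B: no poison in shadow, owner check fires */
    printf("3-page memset from A: shadow=%d owner=%d\n",
           shadow_range_poisoned(0, 3 * PAGE_SIZE),
           range_crosses_allocation(0, 3 * PAGE_SIZE));
    /* 4 pages reach the free page 3: the shadow check catches this one */
    printf("4-page memset from A: shadow=%d owner=%d\n",
           shadow_range_poisoned(0, 4 * PAGE_SIZE),
           range_crosses_allocation(0, 4 * PAGE_SIZE));
    return 0;
}
```

The two printed lines show the gap: the 3-page case is invisible to the shadow check (both pages are unpoisoned) but is caught by the ownership check, whereas the 4-page case is caught by the shadow alone only because it reaches a free page. The ownership check is deliberately limited to range operations, mirroring the report's suggestion of not burdening every ordinary load and store.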
Comment 1 Andrey Konovalov 2023-11-06 17:36:05 UTC
This is a partial duplicate of https://bugzilla.kernel.org/show_bug.cgi?id=203967.
