Consider adding checks that the start of the container is accessible on container_of invocations.

The idea is inspired by the "UNCONTAINED: Uncovering Container Confusion in the Linux Kernel" paper [1, 2].

As mentioned in the "Time-of-use Checking" section in the paper, using container_of with wrong types might not immediately lead to a memory corruption. But arguably such uses are bugs on their own, and it's worth reporting them.

Note that the approach used in the paper goes beyond the mentioned simple checks and also checks container_of for nested containers, see the "Container Nesting" section.

[1] https://www.vusec.net/projects/uncontained/
[2] https://download.vusec.net/papers/uncontained_sec23.pdf
For reference, a comment from one of the paper's authors wrt the idea [1]:

> The simple case (checking if the first and last byte are NOT redzones)
> probably provides a good tradeoff between adaptability and accuracy.
> Ofc doing it 'proper' will be much more complicated with incomplete redzones
> ('complex allocs, arrays, etc).

[1] https://twitter.com/JakobKoschel/status/1674548273338515456
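A userspace model of the check proposed in the issue body and the quoted comment, added here as an illustration (it is not code from the issue, from KASAN or from the UNCONTAINED project): a small arena with shadow bytes plays the role of KASAN's redzones, and a `checked_container_of` wrapper counts a report whenever the first or last byte of the computed container lies in a redzone. All names (`tracked_alloc`, `byte_accessible`, `struct small`, `struct big`) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Tiny arena with KASAN-style shadow bytes: 1 = accessible, 0 = redzone. */
#define ARENA_SIZE 256
#define REDZONE 16
static char arena[ARENA_SIZE];
static unsigned char shadow[ARENA_SIZE];   /* zero-initialised: all poisoned */
static size_t arena_top;

static void *tracked_alloc(size_t size)
{
    size_t aligned = (size + 7) & ~(size_t)7;
    void *p = arena + arena_top;
    if (arena_top + aligned + REDZONE > ARENA_SIZE)
        return NULL;
    memset(shadow + arena_top, 1, aligned);   /* object bytes; the redzone stays 0 */
    arena_top += aligned + REDZONE;
    return p;
}

static int byte_accessible(const void *addr)
{
    uintptr_t off = (uintptr_t)addr - (uintptr_t)arena;  /* wraps if addr < arena */
    return off < ARENA_SIZE && shadow[off] == 1;
}

int container_reports;  /* stands in for a KASAN report being printed */

/* The simple check: the container's first and last byte must not be in a
 * redzone. Only reports; the cast itself is still performed, as in the kernel. */
static void *checked_container_base(char *base, size_t size)
{
    if (!byte_accessible(base) || !byte_accessible(base + size - 1))
        container_reports++;
    return base;
}
#define checked_container_of(ptr, type, member) \
    ((type *)checked_container_base((char *)(ptr) - offsetof(type, member), sizeof(type)))

struct node  { struct node *next; };
struct small { struct node link; int value; };
struct big   { long tag; char payload[48]; struct node link; };

/* Casts a genuine struct big member and a struct small member to struct big;
 * returns the number of reports (1: only the confused cast is flagged). */
int run_demo(void)
{
    struct small *s = tracked_alloc(sizeof *s);   /* allocated first: sits at arena start */
    struct big *b = tracked_alloc(sizeof *b);
    struct node *good = &b->link, *confused = &s->link;
    container_reports = 0;
    (void)checked_container_of(good, struct big, link);      /* container == b, accessible */
    (void)checked_container_of(confused, struct big, link);  /* base lands before s: reported */
    return container_reports;
}
```

As the quoted comment warns, this first/last-byte check is only a tradeoff: if the miscomputed base happened to land inside a neighbouring live object instead of a redzone, neither byte would be poisoned and the confusion would go unreported.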
Another potential idea: if we introduce NEW(foo) macro instead of (struct foo*)kmalloc(sizeof(foo)) (or perhaps make compiler automatically detect such patterns), then we can have full object type info at runtime and check not just sizes during casts, but also types. void* is frequently downcasted to struct pointers, that could be checked as well.