Bug 218153 - KASAN: detect accesses to user-mapped pages
Summary: KASAN: detect accesses to user-mapped pages
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All Linux
Importance: P3 enhancement
Assignee: MM/Sanitizers virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-16 11:34 UTC by Dmitry Vyukov
Modified: 2023-11-16 11:34 UTC

See Also:
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description Dmitry Vyukov 2023-11-16 11:34:46 UTC
If we have a use-after-free or out-of-bounds that accesses a page that is mapped to userspace (e.g. with a normal anon mmap), then currently we do not detect it as a bug, since all pages returned by page_alloc are unpoisoned, so pages allocated for userspace are unpoisoned as well. As a result, kernel code can freely corrupt them.

We should try to keep these pages KASAN-poisoned.
But we need to double-check what happens with non-anon mappings, and what happens with kmap.

For future reference: current path that allocates pages for user-space is: handle_mm_fault -> handle_pte_fault -> vm_normal_page -> do_anonymous_page -> vma_alloc_folio -> __folio_alloc -> __alloc_pages.
Perhaps we could add a gfp flag that tells __alloc_pages to not unpoison.

There should also be an eager allocation path in mmap(MAP_POPULATE).
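The following is an added illustration, not kernel code and not part of this bug report: a minimal userspace model of KASAN shadow memory that shows why a page handed to userspace unpoisoned hides a stale kernel access, and what keeping it poisoned (the gfp-flag idea above) would catch. It also models the kmap caveat: a legitimate kernel access to a user page would have to unpoison the page for its duration and re-poison afterwards. All names here (MODEL_GFP_KEEP_POISON, model_alloc_page, model_kmap_access, the 8-byte granule and 0xFF poison value) are hypothetical simplifications, not real kernel identifiers.

```c
/* Added illustration (not kernel code): a toy model of KASAN page poisoning.
 * Names such as MODEL_GFP_KEEP_POISON are hypothetical, not kernel APIs. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE     4096
#define NR_PAGES      8
#define KASAN_GRANULE 8
#define SHADOW_BYTES  (NR_PAGES * PAGE_SIZE / KASAN_GRANULE)

/* one shadow byte per granule: 0 = accessible to the kernel, 0xFF = poisoned */
static uint8_t shadow[SHADOW_BYTES];
static bool page_in_use[NR_PAGES];

enum model_gfp { MODEL_GFP_NONE = 0, MODEL_GFP_KEEP_POISON = 1 };

static void poison_page(int pfn, uint8_t val) {
    memset(&shadow[(size_t)pfn * PAGE_SIZE / KASAN_GRANULE], val,
           PAGE_SIZE / KASAN_GRANULE);
}

/* Models __alloc_pages: hands out the first free pfn. Today every page is
 * unpoisoned on allocation; the hypothetical flag keeps it poisoned instead. */
int model_alloc_page(enum model_gfp flags) {
    for (int pfn = 0; pfn < NR_PAGES; pfn++) {
        if (!page_in_use[pfn]) {
            page_in_use[pfn] = true;
            poison_page(pfn, (flags & MODEL_GFP_KEEP_POISON) ? 0xFF : 0);
            return pfn;
        }
    }
    return -1;
}

/* Models freeing a page: KASAN poisons freed pages so stale pointers trip. */
void model_free_page(int pfn) {
    page_in_use[pfn] = false;
    poison_page(pfn, 0xFF);
}

/* Models the instrumented kernel access check: true if every granule of
 * [addr, addr+size) is accessible, false if KASAN would report a bug. */
bool model_kernel_access(uintptr_t addr, size_t size) {
    for (uintptr_t a = addr; a < addr + size; a += KASAN_GRANULE)
        if (shadow[a / KASAN_GRANULE] != 0)
            return false;
    return true;
}

/* Models a kmap-style legitimate kernel access to a user-mapped page:
 * unpoison for the duration of the access, then re-poison. */
bool model_kmap_access(int pfn, size_t off, size_t size) {
    poison_page(pfn, 0);
    bool ok = model_kernel_access((uintptr_t)pfn * PAGE_SIZE + off, size);
    poison_page(pfn, 0xFF);
    return ok;
}

/* Scenario: the kernel frees a page, an anonymous user fault gets the same
 * page back, and the kernel later uses a stale pointer into it.
 * Returns true if the use-after-free would be reported. */
bool scenario_uaf_detected(enum model_gfp user_alloc_flags) {
    memset(shadow, 0xFF, sizeof shadow);         /* free pool starts poisoned */
    memset(page_in_use, 0, sizeof page_in_use);

    int kpfn = model_alloc_page(MODEL_GFP_NONE);  /* ordinary kernel page */
    uintptr_t stale = (uintptr_t)kpfn * PAGE_SIZE + 64;
    model_free_page(kpfn);

    int upfn = model_alloc_page(user_alloc_flags); /* do_anonymous_page path */
    (void)upfn;                                    /* same pfn is reused */

    return !model_kernel_access(stale, 16);
}

int main(void) {
    printf("user page unpoisoned (today):      UAF detected = %d\n",
           scenario_uaf_detected(MODEL_GFP_NONE));
    printf("user page kept poisoned (proposed): UAF detected = %d\n",
           scenario_uaf_detected(MODEL_GFP_KEEP_POISON));
    printf("kmap-style access still allowed:    %d\n",
           model_kmap_access(0, 0, 64));
    return 0;
}
```

Run as written it shows the first scenario undetected and the second detected, and that a kmap-style access on a kept-poisoned page still succeeds because it unpoisons around the access; whether the real kernel's kmap and non-anonymous mapping paths can be handled that way is exactly the open question in the report.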
