Bug 218433 - KASAN (generic): avoid init_on_free zeroing metadata
Summary: KASAN (generic): avoid init_on_free zeroing metadata
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All
OS: Linux
Importance: P3 normal
Assignee: MM/Sanitizers virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-29 21:08 UTC by Andrey Konovalov
Modified: 2024-01-29 21:08 UTC

See Also:
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description Andrey Konovalov 2024-01-29 21:08:38 UTC
When init_on_free is enabled, slab_free_hook memsets everything past s->inuse, including Generic KASAN metadata (free meta for small objects and alloc meta for all objects). This happens before KASAN puts the object into quarantine.

As a result, with init_on_free, use-after-free reports are always missing the alloc stack trace and sometimes the free stack trace. E.g. all kmalloc_uaf tests are missing the alloc stack trace.

We should teach init_on_free to not memset Generic KASAN metadata.

Reported-by: Brad Spengler <@spendergrsec>
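The layout problem the report describes, as an added user-space model (not kernel code, and not the reporter's or the KASAN maintainers' fix): a slab object whose Generic KASAN alloc and free metadata sit past s->inuse, the init_on_free-style zeroing that wipes that metadata along with the rest of the tail, and a metadata-aware zeroing that clears the tail but skips the metadata ranges. All struct names, offsets, the 8-byte "slot" between inuse and the metadata, and the stack-handle values are constructed for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for kasan_track / kasan_alloc_meta / kasan_free_meta. */
struct model_track { uint32_t pid; uint32_t stack_handle; };
struct model_alloc_meta { struct model_track alloc_track; };
struct model_free_meta  { struct model_track free_track; };

/* Constructed stand-in for the kmem_cache fields the model needs. */
struct model_cache {
    size_t inuse;           /* end of the payload, like s->inuse */
    size_t alloc_meta_off;  /* like s->kasan_info.alloc_meta_offset */
    size_t free_meta_off;   /* like s->kasan_info.free_meta_offset */
    size_t size;            /* total per-object footprint, like s->size */
};

#define MODEL_OBJ_MAX 64
#define MODEL_ALLOC_HANDLE 0xC0FFEEu   /* constructed "alloc stack" handle */
#define MODEL_FREE_HANDLE  0xF00Du     /* constructed "free stack" handle  */

/* Small-object layout: 32-byte payload, an 8-byte non-metadata slot past
 * inuse (assumption, so the tail has something that should be zeroed),
 * then alloc meta, then free meta. */
static struct model_cache model_small_cache(void)
{
    struct model_cache s;
    s.inuse = 32;
    s.alloc_meta_off = s.inuse + 8;
    s.free_meta_off = s.alloc_meta_off + sizeof(struct model_alloc_meta);
    s.size = s.free_meta_off + sizeof(struct model_free_meta);
    return s;
}

static int in_range(size_t off, size_t start, size_t len)
{
    return off >= start && off < start + len;
}

/* The zeroing the report describes: memset everything from inuse to the end,
 * which covers the KASAN metadata too. */
static void zero_tail_naive(const struct model_cache *s, unsigned char *obj)
{
    memset(obj + s->inuse, 0, s->size - s->inuse);
}

/* Metadata-aware zeroing: same tail, but the alloc/free meta bytes are kept.
 * This is the shape of a fix, not the kernel's actual change. */
static void zero_tail_keep_meta(const struct model_cache *s, unsigned char *obj)
{
    for (size_t off = s->inuse; off < s->size; off++) {
        if (in_range(off, s->alloc_meta_off, sizeof(struct model_alloc_meta)))
            continue;
        if (in_range(off, s->free_meta_off, sizeof(struct model_free_meta)))
            continue;
        obj[off] = 0;
    }
}

/* Simulate an object with recorded alloc/free tracks being freed under
 * init_on_free.  The model records both tracks before the zeroing so that
 * the loss of either is visible. */
static void model_free(const struct model_cache *s, unsigned char *obj, int keep_meta)
{
    struct model_alloc_meta am = { { 1234, MODEL_ALLOC_HANDLE } };
    struct model_free_meta fm = { { 1234, MODEL_FREE_HANDLE } };

    memset(obj, 0xAA, s->size);                       /* stale payload and tail bytes */
    memcpy(obj + s->alloc_meta_off, &am, sizeof am);  /* what kasan_slab_alloc stored */
    memcpy(obj + s->free_meta_off, &fm, sizeof fm);   /* free track, for the model */

    memset(obj, 0, s->inuse);                         /* payload zeroing, unchanged */
    if (keep_meta)
        zero_tail_keep_meta(s, obj);
    else
        zero_tail_naive(s, obj);
}

/* 1 if both stack handles are still readable after the free, as a later
 * use-after-free report would need them to be. */
int metadata_survives_free(int keep_meta)
{
    struct model_cache s = model_small_cache();
    unsigned char obj[MODEL_OBJ_MAX];
    struct model_alloc_meta am;
    struct model_free_meta fm;

    model_free(&s, obj, keep_meta);
    memcpy(&am, obj + s.alloc_meta_off, sizeof am);
    memcpy(&fm, obj + s.free_meta_off, sizeof fm);
    return am.alloc_track.stack_handle == MODEL_ALLOC_HANDLE &&
           fm.free_track.stack_handle == MODEL_FREE_HANDLE;
}

/* 1 if every byte from inuse to the end that is not metadata was zeroed,
 * i.e. the init_on_free guarantee still holds with the metadata-aware variant. */
int non_meta_tail_zeroed(int keep_meta)
{
    struct model_cache s = model_small_cache();
    unsigned char obj[MODEL_OBJ_MAX];

    model_free(&s, obj, keep_meta);
    for (size_t off = s.inuse; off < s.size; off++) {
        if (in_range(off, s.alloc_meta_off, sizeof(struct model_alloc_meta)) ||
            in_range(off, s.free_meta_off, sizeof(struct model_free_meta)))
            continue;
        if (obj[off] != 0)
            return 0;
    }
    return 1;
}
```

With the naive zeroing, metadata_survives_free(0) returns 0 because the memset covered the alloc and free tracks; with the metadata-aware zeroing it returns 1, and non_meta_tail_zeroed returns 1 in both cases, which is the property a fix has to keep.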
