* some problems about kasan
@ 2015-10-15 6:59 zhong jiang
2015-10-15 7:49 ` Dmitry Vyukov
0 siblings, 1 reply; 2+ messages in thread
From: zhong jiang @ 2015-10-15 6:59 UTC (permalink / raw)
To: akpm, adech.fo, ryabinin.a.a
Cc: linux-mm, linux-kernel, kasan-dev, qiuxishi, guohanjun, zhangdianfang
1a?? I feel confused about one of the cases when testing the cases kasan can solve . the function come from the kernel in the /lib/test_kasan.c.
static noinline void __init kmalloc_uaf2(void)
{
char *ptr1, *ptr2;
size_t size = 43;
pr_info("use-after-free after another kmalloc\n");
ptr1 = kmalloc(size, GFP_KERNEL);
if (!ptr1) {
pr_err("Allocation failed\n");
return;
}
kfree(ptr1);
ptr2 = kmalloc(size, GFP_KERNEL);
if (!ptr2) {
pr_err("Allocation failed\n");
return;
}
ptr1[40] = 'x';
kfree(ptr2);
}
In the above function, the point ptr1 are probably the same as the ptr2 . so the error not certain to occur.
2a??Is the stack local variable out of bound access set by the GCC ? I don't see any operate in the kernel
3a??I want to know that the global variable size include redzone is allocated by the module_alloc().
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: some problems about kasan
2015-10-15 6:59 some problems about kasan zhong jiang
@ 2015-10-15 7:49 ` Dmitry Vyukov
0 siblings, 0 replies; 2+ messages in thread
From: Dmitry Vyukov @ 2015-10-15 7:49 UTC (permalink / raw)
To: zhong jiang
Cc: Andrew Morton, Andrey Konovalov, Andrey Ryabinin, linux-mm, LKML,
kasan-dev, Xishi Qiu, guohanjun, zhangdianfang
On Thu, Oct 15, 2015 at 8:59 AM, zhong jiang <zhongjiang@huawei.com> wrote:
> 1、 I feel confused about one of the cases when testing the cases kasan can solve . the function come from the kernel in the /lib/test_kasan.c.
>
> static noinline void __init kmalloc_uaf2(void)
> {
> char *ptr1, *ptr2;
> size_t size = 43;
>
> pr_info("use-after-free after another kmalloc\n");
> ptr1 = kmalloc(size, GFP_KERNEL);
> if (!ptr1) {
> pr_err("Allocation failed\n");
> return;
> }
>
> kfree(ptr1);
> ptr2 = kmalloc(size, GFP_KERNEL);
> if (!ptr2) {
> pr_err("Allocation failed\n");
> return;
> }
>
> ptr1[40] = 'x';
> kfree(ptr2);
> }
>
> In the above function, the point ptr1 are probably the same as the ptr2 . so the error not certain to occur.
Hi Zhong,
You are right that ptr1 and ptr2 are most likely will be equal.
To detect such bugs KASAN it meant to use "quarantine" and delay reuse
of heap objects. We have quarantine implementation in the following
branch:
https://github.com/google/kasan/blob/dmitryc-patches-original/mm/kasan/quarantine.c
It is not committed upstream yet.
> 2、Is the stack local variable out of bound access set by the GCC ? I don't see any operate in the kernel
Yes, stack redzones and code to poison/unpoison them is emitted by compiler.
You can use objdump to look at generated machine code, you should see
instructions that poison/unpoison stack redzones.
> 3、I want to know that the global variable size include redzone is allocated by the module_alloc().
I don't understand the question. Please re-phrase it.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-10-15 7:49 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-10-15 6:59 some problems about kasan zhong jiang
2015-10-15 7:49 ` Dmitry Vyukov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox