lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 15 Oct 2015 09:49:16 +0200
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	zhong jiang <zhongjiang@...wei.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Andrey Konovalov <adech.fo@...il.com>,
	Andrey Ryabinin <ryabinin.a.a@...il.com>,
	"linux-mm@...ck.org" <linux-mm@...ck.org>,
	LKML <linux-kernel@...r.kernel.org>,
	kasan-dev <kasan-dev@...glegroups.com>,
	Xishi Qiu <qiuxishi@...wei.com>, guohanjun@...wei.com,
	zhangdianfang@...wei.com
Subject: Re: some problems about kasan

On Thu, Oct 15, 2015 at 8:59 AM, zhong jiang <zhongjiang@...wei.com> wrote:
> 1、 I feel confused about one of the cases when  testing the cases  kasan can solve . the function come from the kernel in the /lib/test_kasan.c.
>
>   static noinline void __init kmalloc_uaf2(void)
> {
>         char *ptr1, *ptr2;
>         size_t size = 43;
>
>         pr_info("use-after-free after another kmalloc\n");
>         ptr1 = kmalloc(size, GFP_KERNEL);
>         if (!ptr1) {
>                 pr_err("Allocation failed\n");
>                 return;
>         }
>
>         kfree(ptr1);
>         ptr2 = kmalloc(size, GFP_KERNEL);
>         if (!ptr2) {
>                 pr_err("Allocation failed\n");
>                 return;
>         }
>
>         ptr1[40] = 'x';
>         kfree(ptr2);
> }
>
> In the above function, the point ptr1 are probably  the same as the ptr2 . so the error not certain to occur.

Hi Zhong,

You are right that ptr1 and ptr2 are most likely will be equal.
To detect such bugs KASAN it meant to use "quarantine" and delay reuse
of heap objects. We have quarantine implementation in the following
branch:

https://github.com/google/kasan/blob/dmitryc-patches-original/mm/kasan/quarantine.c

It is not committed upstream yet.


> 2、Is the stack local variable out of bound access set by the GCC  ? I don't see any operate in the kernel

Yes, stack redzones and code to poison/unpoison them is emitted by compiler.
You can use objdump to look at generated machine code, you should see
instructions that poison/unpoison stack redzones.



> 3、I want to know that the global variable size include redzone is allocated by the module_alloc().

I don't understand the question. Please re-phrase it.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ