| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202601071226.8DF7C63@keescook>
Date: Wed, 7 Jan 2026 12:28:27 -0800
From: Kees Cook <kees@...nel.org>
To: Maciej Żenczykowski <maze@...gle.com>
Cc: Maciej Wieczor-Retman <m.wieczorretman@...me>,
joonki.min@...sung-slsi.corp-partner.google.com,
Andrew Morton <akpm@...gle.com>,
Andrey Ryabinin <ryabinin.a.a@...il.com>,
Alexander Potapenko <glider@...gle.com>,
Andrey Konovalov <andreyknvl@...il.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Vincenzo Frascino <vincenzo.frascino@....com>,
Marco Elver <elver@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Uladzislau Rezki <urezki@...il.com>,
Danilo Krummrich <dakr@...nel.org>, jiayuan.chen@...ux.dev,
syzbot+997752115a851cb0cf36@...kaller.appspotmail.com,
Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>,
kasan-dev@...glegroups.com,
Kernel hackers <linux-kernel@...r.kernel.org>, linux-mm@...ck.org
Subject: Re: KASAN vs realloc
On Tue, Jan 06, 2026 at 01:42:45PM +0100, Maciej Żenczykowski wrote:
> We've got internal reports (b/467571011 - from CC'ed Samsung
> developer) that kasan realloc is broken for sizes that are not a
> multiple of the granule. This appears to be triggered during Android
> bootup by some ebpf program loading operations (a struct is 88 bytes
> in size, which is a multiple of 8, but not 16, which is the granule
> size).
>
> (this is on 6.18 with
> https://lore.kernel.org/all/38dece0a4074c43e48150d1e242f8242c73bf1a5.1764874575.git.m.wieczorretman@pm.me/
> already included)
>
> joonki.min@...sung-slsi.corp-partner.google.com summarized it as
> "When newly requested size is not bigger than allocated size and old
> size was not 16 byte aligned, it failed to unpoison extended area."
>
> and *very* rough comment:
>
> Right. "size - old_size" is not guaranteed 16-byte alignment in this case.
>
> I think we may unpoison 16-byte alignment size, but it allowed more
> than requested :(
>
> I'm not sure that's right approach.
>
> if (size <= alloced_size) {
> - kasan_unpoison_vmalloc(p + old_size, size - old_size,
> + kasan_unpoison_vmalloc(p + old_size, round_up(size -
> old_size, KASAN_GRANULE_SIZE),
> KASAN_VMALLOC_PROT_NORMAL |
> KASAN_VMALLOC_VM_ALLOC |
> KASAN_VMALLOC_KEEP_TAG);
> /*
> * No need to zero memory here, as unused memory will have
> * already been zeroed at initial allocation time or during
> * realloc shrink time.
> */
> - vm->requested_size = size;
> + vm->requested_size = round_up(size, KASAN_GRANULE_SIZE);
>
> my personal guess is that
>
> But just above the code you quoted in mm/vmalloc.c I see:
> if (size <= old_size) {
> ...
> kasan_poison_vmalloc(p + size, old_size - size);
>
> is also likely wrong?? Considering:
>
> mm/kasan/shadow.c
>
> void __kasan_poison_vmalloc(const void *start, unsigned long size)
> {
> if (!is_vmalloc_or_module_addr(start))
> return;
>
> size = round_up(size, KASAN_GRANULE_SIZE);
> kasan_poison(start, size, KASAN_VMALLOC_INVALID, false);
> }
>
> This doesn't look right - if start isn't a multiple of the granule.
I don't think we can ever have the start not be a granule multiple, can
we?
I'm not sure how any of this is supposed to be handled by KASAN, though.
It does seem like a round_up() is missing, though?
-Kees
--
Kees Cook
Powered by blists - more mailing lists