KASAN detects double-frees, but does not detect invalid frees (when a pointer into the middle of a heap object is passed to free). We recently had a very unpleasant case in crypto code which freed an inner object inside of a heap allocation. This went unnoticed during free, but totally corrupted the heap and later led to a bunch of random crashes all over kernel code.

Detect invalid frees.

Dmitry Vyukov (5):
  kasan: detect invalid frees for large objects
  kasan: don't use __builtin_return_address(1)
  kasan: detect invalid frees for large mempool objects
  kasan: unify code between kasan_slab_free() and kasan_poison_kfree()
  kasan: detect invalid frees

 include/linux/kasan.h | 13 ++++----
 lib/test_kasan.c      | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++
 mm/kasan/kasan.c      | 57 +++++++++++++++++++----------------
 mm/kasan/kasan.h      |  3 +-
 mm/kasan/report.c     |  5 ++--
 mm/mempool.c          |  6 ++--
 mm/slab.c             |  6 ++--
 mm/slub.c             | 10 +++---
 8 files changed, 135 insertions(+), 48 deletions(-)

-- 
2.15.1.620.gb9897f4670-goog
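The bug class the cover letter describes, as an added user-space illustration that is not part of the series or of KASAN itself: a toy fixed-size slab whose free path first checks that the pointer is an object start (the equivalent of comparing the pointer against the object KASAN's nearest_obj() helper rounds it down to) and only then checks for a double free. The slab, object size and result codes are constructed for this example; freeing the embedded `inner` member of a struct is the "inner object inside of a heap allocation" pattern from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy slab: NR_OBJS fixed-size objects carved from one arena. */
#define OBJ_SIZE 64
#define NR_OBJS  8

enum free_result {
    FREE_OK = 0,
    FREE_OUT_OF_RANGE, /* pointer does not belong to this slab at all */
    FREE_INVALID,      /* pointer lands inside an object, not at its start */
    FREE_DOUBLE,       /* object is already free */
};

static unsigned char slab[OBJ_SIZE * NR_OBJS];
static unsigned char in_use[NR_OBJS]; /* 1 = allocated, 0 = free */

/* Round an arbitrary pointer into the slab down to the object containing it
 * (the role KASAN's nearest_obj() plays for real slab pages). */
static void *nearest_obj(const void *p)
{
    size_t off = (size_t)((const unsigned char *)p - slab);
    return slab + (off / OBJ_SIZE) * OBJ_SIZE;
}

void *slab_alloc(void)
{
    for (size_t i = 0; i < NR_OBJS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            memset(slab + i * OBJ_SIZE, 0, OBJ_SIZE);
            return slab + i * OBJ_SIZE;
        }
    }
    return NULL;
}

enum free_result slab_free(void *p)
{
    const unsigned char *q = p;

    if (q < slab || q >= slab + sizeof(slab))
        return FREE_OUT_OF_RANGE;

    /* The invalid-free check: without it an interior pointer would be
     * treated as a whole object and the free-state bookkeeping corrupted. */
    if (nearest_obj(p) != p)
        return FREE_INVALID;

    size_t idx = (size_t)(q - slab) / OBJ_SIZE;
    if (!in_use[idx])
        return FREE_DOUBLE; /* the case KASAN already caught */

    in_use[idx] = 0;
    return FREE_OK;
}

/* A struct with an embedded member, mirroring the crypto-code bug shape:
 * freeing &o->inner frees a pointer into the middle of the allocation. */
struct outer {
    uint32_t hdr;
    struct { unsigned char buf[16]; } inner;
};

/* Free the inner object of a fresh allocation and report what the slab said,
 * then release the whole object so the demo leaves the slab clean. */
enum free_result demo_free_inner_object(void)
{
    struct outer *o = slab_alloc();
    if (!o)
        return FREE_OUT_OF_RANGE;
    enum free_result r = slab_free(&o->inner);
    slab_free(o);
    return r;
}
```

The order of the two checks matters: the interior-pointer test must come before any lookup that indexes bookkeeping by the pointer, because an interior pointer rounds to a valid index and would otherwise pass as an ordinary free of the enclosing object.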