On Thu, Jun 13, 2019 at 2:27 PM Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx> wrote: > On 6/13/19 11:13 AM, Walter Wu wrote: > > This patch adds memory corruption identification at bug report for > > software tag-based mode, the report show whether it is "use-after-free" > > or "out-of-bound" error instead of "invalid-access" error.This will make > > it easier for programmers to see the memory corruption problem. > > > > Now we extend the quarantine to support both generic and tag-based kasan. > > For tag-based kasan, the quarantine stores only freed object information > > to check if an object is freed recently. When tag-based kasan reports an > > error, we can check if the tagged addr is in the quarantine and make a > > good guess if the object is more like "use-after-free" or "out-of-bound". > > > > > We already have all the information and don't need the quarantine to make such guess. > Basically if shadow of the first byte of object has the same tag as tag in pointer than it's out-of-bounds, > otherwise it's use-after-free. > > In pseudo-code it's something like this: > > u8 object_tag = *(u8 *)kasan_mem_to_shadow(nearest_object(cacche, page, access_addr)); > > if (access_addr_tag == object_tag && object_tag != KASAN_TAG_INVALID) > // out-of-bounds > else > // use-after-free But we don't have redzones in tag mode (intentionally), so unless I am missing something we don't have the necessary info. Both cases look the same -- we hit a different tag. There may only be a small trailer for kmalloc-allocated objects that is painted with a different tag. I don't remember if we actually use a different tag for the trailer. Since tag mode granularity is 16 bytes, for smaller objects the trailer is impossible at all.
