On Thu, Aug 1, 2024 at 6:01 AM Jann Horn <jannh@xxxxxxxxxx> wrote: > > > > @@ -503,15 +509,22 @@ bool __kasan_mempool_poison_object(void *ptr, unsigned long ip) > > > kasan_poison(ptr, folio_size(folio), KASAN_PAGE_FREE, false); > > > return true; > > > } > > > > > > if (is_kfence_address(ptr)) > > > return false; > > > + if (!kasan_arch_is_ready()) > > > + return true; > > > > Hm, I think we had a bug here: the function should return true in both > > cases. This seems reasonable: if KASAN is not checking the object, the > > caller can do whatever they want with it. > > But if the object is a kfence allocation, we maybe do want the caller > to free it quickly so that kfence can catch potential UAF access? So > "return false" in that case seems appropriate. Return false would mean: allocation is buggy, do not use it and do not free it (note that the return value meaning here is inverse compared to the newly added check_slab_allocation()). And this doesn't seem like something we want for KFENCE-managed objects. But regardless of the return value here, the callers tend not to free these allocations to the slab allocator, that's the point of mempools. So KFENCE won't catch a UAF either way. > Or maybe we don't > because that makes the probability of catching an OOB access much > lower if the mempool is going to always return non-kfence allocations > as long as the pool isn't empty? Also I guess whether kfence vetoes > reuse of kfence objects probably shouldn't depend on whether the > kernel is built with KASAN... so I guess it would be more consistent > to either put "return true" there or change the !KASAN stub of this to > check for kfence objects or something like that? Honestly I think the > latter would be most appropriate, though then maybe the hook shouldn't > have "kasan" in its name... Yeah, we could add some custom handling of mempool to KFENCE as well. But that would be a separate effort. > Either way, I agree that the current situation wrt mempools and kfence > is inconsistent, but I think I should probably leave that as-is in my > series for now, and the kfence mempool issue can be addressed > separately afterwards? I also would like to avoid changing kfence > behavior as part of this patch. Sure, sounds good to me. > If you want, I can add a comment above the "if (is_kfence_address())" > that notes the inconsistency? Up to you, I'll likely add a note to the bug tracker to fix this once the patch lands anyway. Thanks!
