On Thu, Oct 15, 2015 at 8:59 AM, zhong jiang <zhongjiang@xxxxxxxxxx> wrote:
> 1、 I feel confused about one of the cases when testing the cases kasan can solve . the function come from the kernel in the /lib/test_kasan.c.
>
> static noinline void __init kmalloc_uaf2(void)
> {
> char *ptr1, *ptr2;
> size_t size = 43;
>
> pr_info("use-after-free after another kmalloc\n");
> ptr1 = kmalloc(size, GFP_KERNEL);
> if (!ptr1) {
> pr_err("Allocation failed\n");
> return;
> }
>
> kfree(ptr1);
> ptr2 = kmalloc(size, GFP_KERNEL);
> if (!ptr2) {
> pr_err("Allocation failed\n");
> return;
> }
>
> ptr1[40] = 'x';
> kfree(ptr2);
> }
>
> In the above function, the point ptr1 are probably the same as the ptr2 . so the error not certain to occur.
Hi Zhong,
You are right that ptr1 and ptr2 are most likely will be equal.
To detect such bugs KASAN it meant to use "quarantine" and delay reuse
of heap objects. We have quarantine implementation in the following
branch:
https://github.com/google/kasan/blob/dmitryc-patches-original/mm/kasan/quarantine.c
It is not committed upstream yet.
> 2、Is the stack local variable out of bound access set by the GCC ? I don't see any operate in the kernel
Yes, stack redzones and code to poison/unpoison them is emitted by compiler.
You can use objdump to look at generated machine code, you should see
instructions that poison/unpoison stack redzones.
> 3、I want to know that the global variable size include redzone is allocated by the module_alloc().
I don't understand the question. Please re-phrase it.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href