[PATCH 0/5] kasan: detect invalid frees

From: Dmitry Vyukov
Date: Wed Dec 27 2017 - 07:44:50 EST


KASAN detects double-frees, but does not detect invalid-frees
(when a pointer into a middle of heap object is passed to free).
We recently had a very unpleasant case in crypto code which freed
an inner object inside of a heap allocation. This left unnoticed
during free, but totally corrupted heap and later lead to a bunch
of random crashes all over kernel code.

Detect invalid frees.

Dmitry Vyukov (5):
kasan: detect invalid frees for large objects
kasan: don't use __builtin_return_address(1)
kasan: detect invalid frees for large mempool objects
kasan: unify code between kasan_slab_free() and kasan_poison_kfree()
kasan: detect invalid frees

include/linux/kasan.h | 13 ++++----
lib/test_kasan.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++
mm/kasan/kasan.c | 57 +++++++++++++++++++----------------
mm/kasan/kasan.h | 3 +-
mm/kasan/report.c | 5 ++--
mm/mempool.c | 6 ++--
mm/slab.c | 6 ++--
mm/slub.c | 10 +++----
8 files changed, 135 insertions(+), 48 deletions(-)

--
2.15.1.620.gb9897f4670-goog