Closed void0red closed 1 year ago
This can happen if an object is reused by the slab allocator, and then freed (by the net subsystem), while some pointer (here in ntfs) is still hanging around. Once that memory is dereferenced, KASAN will report the UAF, however, the alloc and free stacks might no longer be related to the original allocation/free.
Either way, invalid memory was accessed.
The sequence could be:
```c
a = kmalloc(...); // in ntfs
kfree(a);
...
b = kmalloc(...); // in net, where b == a
kfree(b);
...
*a; // UAF in ntfs
```
Thank you for your reply. The log above shows KASAN will only record the latest alloc/free?
For any given slab object, yes. Separate objects (i.e. different addresses) have their own alloc/free stacks recorded.
However, normally KASAN places freed objects into quarantine, to reduce the probability of reporting misleading alloc/free stacks. In the case above I suppose the quarantine was flushed.
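To make the answer above concrete, here is an added toy model, constructed for this thread and not KASAN or kernel code, of per-object alloc/free site tracking with a FIFO quarantine. It replays the sequence from the earlier comment: with the quarantine flushed (depth 0) the net allocation lands on the freed ntfs object and the alloc site recorded for `a` becomes tcp's, while with a quarantine in place the ntfs stacks survive until `a` is dereferenced.

```c
#include <string.h>
/* Constructed toy model of KASAN's bookkeeping, not KASAN code: each slab
 * object stores exactly one alloc site and one free site, and a freed object
 * waits in a FIFO quarantine (depth 0 = flushed) before it can be reused. */
#define NOBJ 4
struct obj { int in_use; const char *alloc_site; const char *free_site; };
static struct obj slab[NOBJ];
static int quarantine[NOBJ], qlen, qdepth;
int last_b_is_a;                             /* set by reported_alloc_site() */

static int is_quarantined(int i) {
    for (int k = 0; k < qlen; k++)
        if (quarantine[k] == i) return 1;
    return 0;
}

/* Hand out the lowest free, non-quarantined object. The new owner's site
 * overwrites whatever was recorded for the previous holder of that address. */
int toy_kmalloc(const char *site) {
    for (int i = 0; i < NOBJ; i++) {
        if (slab[i].in_use || is_quarantined(i)) continue;
        slab[i].in_use = 1;
        slab[i].alloc_site = site;
        slab[i].free_site = NULL;
        return i;
    }
    return -1;
}

void toy_kfree(int i, const char *site) {
    slab[i].in_use = 0; slab[i].free_site = site;
    if (qdepth == 0) return;                 /* no quarantine: reusable at once */
    if (qlen == qdepth) {                    /* full: oldest entry becomes reusable */
        memmove(quarantine, quarantine + 1, (size_t)(qlen - 1) * sizeof *quarantine);
        qlen--;
    }
    quarantine[qlen++] = i;
}

/* Replay the thread's sequence; return the alloc site a KASAN report would
 * show for the stale ntfs pointer a, and record whether net's b landed on a. */
const char *reported_alloc_site(int quarantine_depth) {
    memset(slab, 0, sizeof slab);
    qlen = 0; qdepth = quarantine_depth > NOBJ ? NOBJ : quarantine_depth;
    int a = toy_kmalloc("ntfs_alloc");
    toy_kfree(a, "ntfs_free");
    int b = toy_kmalloc("tcp_alloc");
    toy_kfree(b, "tcp_free");
    last_b_is_a = (a == b);
    return slab[a].alloc_site;               /* dereferencing a is the UAF */
}
```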
Okay, I get it, thank you very much for your patient answer.
Here is a UAF bug report; however, KASAN reports the memory used in ntfs was allocated and freed by the tcp module. I don't know if KASAN is working properly.