KASAN detects double-frees, but does not detect invalid-frees (when a pointer into a middle of heap object is passed to free). We recently had a very unpleasant case in crypto code which freed an inner object inside of a heap allocation. This left unnoticed during free, but totally corrupted heap and later lead to a bunch of random crashes all over kernel code.
Detect invalid frees. Dmitry Vyukov (5): kasan: detect invalid frees for large objects kasan: don't use __builtin_return_address(1) kasan: detect invalid frees for large mempool objects kasan: unify code between kasan_slab_free() and kasan_poison_kfree() kasan: detect invalid frees include/linux/kasan.h | 13 ++++---- lib/test_kasan.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++ mm/kasan/kasan.c | 57 +++++++++++++++++++---------------- mm/kasan/kasan.h | 3 +- mm/kasan/report.c | 5 ++-- mm/mempool.c | 6 ++-- mm/slab.c | 6 ++-- mm/slub.c | 10 +++---- 8 files changed, 135 insertions(+), 48 deletions(-) -- 2.15.1.620.gb9897f4670-goog
