[Bug 220169] New: KASAN: detect mapping of freed pages to userspace


bugzill...@kernel.org

May 28, 2025, 11:22:53 AM
to kasa...@googlegroups.com
https://bugzilla.kernel.org/show_bug.cgi?id=220169

Bug ID: 220169
Summary: KASAN: detect mapping of freed pages to userspace
Product: Memory Management
Version: 2.5
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Sanitizers
Assignee: mm_san...@kernel-bugs.kernel.org
Reporter: andre...@gmail.com
CC: kasa...@googlegroups.com
Regression: No

Add KASAN checks to the routines that map kernel memory to userspace that
check that the memory being mmapped is allocated. Possibly relevant for all
KASAN modes (unless there are other debug configs that do this) but likely a
nice hardening for the HW_TAGS KASAN specifically.

This could help to detect side-effects of logical vulnerabilities similar to
the one in [1].

(AFAIK, this won't help with the vulnerability from [1] specifically, as there,
the kernel pages are freed only after having been mapped to userspace. In
addition to the pages not being freed to page_alloc but to the Mali-internal
allocator instead.)

(Another thing kernel/KASAN could do is to try detecting the freeing of kernel
pages that are still mapped to userspace, but I don't know whether this is
feasible.)

[1]
https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-2025-0072/

--
You may reply to this email to add a comment.

You are receiving this mail because:
You are on the CC list for the bug.
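
A small userspace model of the two checks proposed in the report above, showing which one fires for each ordering of free and map. This is an added illustration, not kernel or KASAN code and not part of the original thread; the page states, function names and error codes are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model: none of these names exist in the kernel. */
#define NPAGES 4
enum { OK = 0, ERR_MAP_FREED = -1, ERR_FREE_MAPPED = -2 };

struct page_model {
    bool allocated;  /* assumed stand-in for the allocation state a check would consult */
    int user_maps;   /* live userspace mappings of this page */
};
static struct page_model pages[NPAGES];

static void alloc_page_model(int pfn) { pages[pfn].allocated = true; }

/* Check 1 (the main proposal): report mapping of a page that is not allocated. */
static int map_to_user(int pfn)
{
    if (!pages[pfn].allocated)
        return ERR_MAP_FREED;
    pages[pfn].user_maps++;
    return OK;
}

static void unmap_from_user(int pfn)
{
    if (pages[pfn].user_maps > 0)
        pages[pfn].user_maps--;
}

/* Check 2 (the second parenthetical): report freeing a page that is still mapped. */
static int free_page_checked(int pfn, bool check_mapped)
{
    if (check_mapped && pages[pfn].user_maps > 0)
        return ERR_FREE_MAPPED;
    pages[pfn].allocated = false;
    return OK;
}

int main(void)
{
    alloc_page_model(0);                      /* order A: free, then map */
    free_page_checked(0, false);
    printf("map after free:    %d\n", map_to_user(0));             /* check 1 fires */
    alloc_page_model(1);                      /* order B: map, then free */
    printf("map live page:     %d\n", map_to_user(1));             /* check 1 passes */
    printf("free while mapped: %d\n", free_page_checked(1, true)); /* check 2 fires */
    unmap_from_user(1);
    printf("free after unmap:  %d\n", free_page_checked(1, true));
    return 0;
}
```

Order B is the ordering the report describes for [1]: the map-time check passes, and only a free-time check would notice.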

bugzill...@kernel.org

Aug 9, 2025, 5:23:12 AM
to kasa...@googlegroups.com
https://bugzilla.kernel.org/show_bug.cgi?id=220169

Ujwal Kundur (ujwal....@gmail.com) changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |ujwal....@gmail.com

--- Comment #1 from Ujwal Kundur (ujwal....@gmail.com) ---
I'd like to try my hand at this, seems pretty interesting to me.