Toot

Written by Jann Horn on 2024-09-07 at 00:48

I added code to Linux to help KASAN detect specific types of UAFs more reliably (https://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab.git/commit/?h=slab/for-6.12/rcu_barriers&id=b8c8ba73c68bb3c3e9dad22f488b86c540c839f9), it's been in the linux-next integration tree for, I don't know, a month or so maybe (though it's not in the mainline tree yet), and still there are zero hits on LKML of bugs caught where the stack trace involves my detection...

It's nice that there apparently aren't a lot of easy-to-find bugs of this type around but it's also a little disappointing to not immediately get some nice results from my work...

Descendants

Written by Damien Miller on 2024-09-07 at 00:55

@jann the defenders' dilemma...

Written by Jann Horn on 2024-09-07 at 01:25

@djm if it's not blowing up before the change, and it's not blowing up after the change, has anything really changed

Written by Frederik Braun on 2024-09-07 at 07:42

@jann @djm defense work sucks in that regard :-( on the flip side, you can take pride in knowing that future kernels will never have that kind of simple UAF bug. ever. 😊

Written by Jann Horn on 2024-09-07 at 13:25

@freddy @djm the detection is not that good, sadly...

Written by stefanct on 2024-09-07 at 01:04

@jann I'd argue this is actually a very nice result ;)

Written by Joshua J. Drake on 2024-09-07 at 08:27

@jann i guess no one is actually using it?

Written by Jann Horn on 2024-09-07 at 13:26

@jduck no, I'm pretty sure at least syzkaller has some instances with this stuff enabled

Written by Joshua J. Drake on 2024-09-07 at 19:32

@jann that would be my first guess. Another idea, maybe the detection prevents the badness from happening? It works in your "unit tests"?

Written by Jann Horn on 2024-09-07 at 20:37

@jduck there is a kasan unit test, yes, and it validates that the kernel detects UAF access to SLAB_TYPESAFE_BY_RCU slabs.

the number of slabs that actually use this feature is not thaaaat big, it may have been unreasonable to expect some test bot to immediately hit such a bug

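
The reply above describes a KASAN test for UAF access to SLAB_TYPESAFE_BY_RCU slabs. To make concrete why that slab type is awkward for a sanitizer, here is an added userspace C model; it is not code from the thread, from the linked commit, or from the kernel. With SLAB_TYPESAFE_BY_RCU, an object's memory stays a valid object of its type after free, and a reader that took the pointer under rcu_read_lock() may keep touching it until a grace period has elapsed, revalidating it (here via a refcount) before trusting it. A detector therefore cannot poison at free time; the model below poisons only once the grace period has ended, which is the shape of detection the thread discusses. All names (cache_alloc, cache_free, rcu_grace_period, access_reported, try_get) are hypothetical, the "shadow" is a plain flag array, and the kernel's immediate reuse of a freed object for a new allocation of the same type is not modelled.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not kernel code: a userspace model of a
 * SLAB_TYPESAFE_BY_RCU-style cache. All names are hypothetical.
 * Object memory stays an object of its type across free; readers may
 * legitimately touch it until a grace period ends, so poisoning at
 * free time would produce false reports. The model poisons after the
 * grace period instead, when no reader may still hold the pointer.
 */

#define NSLOTS 4
#define POISON_VALUE 0xDEADL

enum slot_state { SLOT_FREE, SLOT_LIVE, SLOT_PENDING_GRACE };

struct obj {
    int refcount;     /* 0 once freed; readers must check this before use */
    long payload;
};

struct cache {
    struct obj slots[NSLOTS];
    enum slot_state state[NSLOTS];
    int poisoned[NSLOTS];     /* model of a sanitizer shadow: 1 = access is a bug */
    int poison_after_grace;   /* 0: no poisoning at all, 1: poison after grace period */
};

static void cache_init(struct cache *c, int poison_after_grace)
{
    memset(c, 0, sizeof(*c));
    c->poison_after_grace = poison_after_grace;
}

static int slot_of(struct cache *c, struct obj *o)
{
    return (int)(o - c->slots);
}

static struct obj *cache_alloc(struct cache *c, long payload)
{
    for (int i = 0; i < NSLOTS; i++) {
        if (c->state[i] == SLOT_FREE) {
            c->state[i] = SLOT_LIVE;
            c->poisoned[i] = 0;
            c->slots[i].refcount = 1;
            c->slots[i].payload = payload;
            return &c->slots[i];
        }
    }
    return NULL;
}

/* Free: the object is dead but stays readable until a grace period passes. */
static void cache_free(struct cache *c, struct obj *o)
{
    o->refcount = 0;
    c->state[slot_of(c, o)] = SLOT_PENDING_GRACE;
}

/* End of an RCU grace period: no reader can still legitimately hold the pointer. */
static void rcu_grace_period(struct cache *c)
{
    for (int i = 0; i < NSLOTS; i++) {
        if (c->state[i] != SLOT_PENDING_GRACE)
            continue;
        c->state[i] = SLOT_FREE;
        if (c->poison_after_grace) {
            c->poisoned[i] = 1;
            c->slots[i].payload = POISON_VALUE;
        }
    }
}

/* Every access is checked here; returns 1 if the modelled sanitizer would report. */
static int access_reported(struct cache *c, struct obj *o)
{
    return c->poisoned[slot_of(c, o)];
}

/* Correct RCU reader: revalidate the stale pointer, refuse a dead object. */
static int try_get(struct obj *o)
{
    if (o->refcount == 0)
        return 0;
    o->refcount++;
    return 1;
}

/* Reader holds a pointer, a writer frees the object, reader touches it before
 * the grace period ends. Legal for this slab type, so it must stay silent. */
static int read_within_grace_is_silent(int poison_after_grace)
{
    struct cache c;
    cache_init(&c, poison_after_grace);
    struct obj *o = cache_alloc(&c, 42);
    cache_free(&c, o);
    int reported = access_reported(&c, o);
    int validated = try_get(o);        /* refcount is 0, correct reader bails */
    return reported == 0 && validated == 0;
}

/* Reader uses the pointer after the grace period ended without revalidating:
 * a genuine use-after-free. Reported only if post-grace poisoning is on. */
static int stale_read_after_grace_reported(int poison_after_grace)
{
    struct cache c;
    cache_init(&c, poison_after_grace);
    struct obj *o = cache_alloc(&c, 42);
    cache_free(&c, o);
    rcu_grace_period(&c);
    return access_reported(&c, o);
}

int main(void)
{
    printf("read within grace period silent: %d\n", read_within_grace_is_silent(1));
    printf("stale read, no poisoning, reported: %d\n", stale_read_after_grace_reported(0));
    printf("stale read, poison after grace, reported: %d\n", stale_read_after_grace_reported(1));
    return 0;
}
```

The point the model makes is the one behind the "not that good" remark: the detector only sees accesses that happen after the grace period, so a buggy reader that races the free but finishes before the grace period ends (the kind of window a fuzzer tends to hit) still looks like a legitimate RCU reader and is not reported.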
Written by Joshua J. Drake on 2024-09-08 at 04:12

@jann ok. Just spitballing. Can usage be increased or this is only usable in specific scenarios?

Written by Jann Horn on 2024-09-08 at 04:25

@jduck it's just for detecting UAFs in SLAB_TYPESAFE_BY_RCU slabs under KASAN, so it's pretty specific.

Original URL
gemini://mastogem.picasoft.net/thread/113093516145670595