From: Kees Cook <kees@kernel.org>
To: "Maciej Żenczykowski" <maze@google.com>
Cc: Maciej Wieczor-Retman <m.wieczorretman@pm.me>,
joonki.min@samsung-slsi.corp-partner.google.com,
Andrew Morton <akpm@google.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Alexander Potapenko <glider@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Marco Elver <elver@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Uladzislau Rezki <urezki@gmail.com>,
Danilo Krummrich <dakr@kernel.org>,
jiayuan.chen@linux.dev,
syzbot+997752115a851cb0cf36@syzkaller.appspotmail.com,
Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>,
kasan-dev@googlegroups.com,
Kernel hackers <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org
Subject: Re: KASAN vs realloc
Date: Wed, 7 Jan 2026 12:28:27 -0800 [thread overview]
Message-ID: <202601071226.8DF7C63@keescook> (raw)
In-Reply-To: <CANP3RGeuRW53vukDy7WDO3FiVgu34-xVJYkfpm08oLO3odYFrA@mail.gmail.com>
On Tue, Jan 06, 2026 at 01:42:45PM +0100, Maciej Żenczykowski wrote:
> We've got internal reports (b/467571011 - from CC'ed Samsung
> developer) that kasan realloc is broken for sizes that are not a
> multiple of the granule. This appears to be triggered during Android
> bootup by some ebpf program loading operations (a struct is 88 bytes
> in size, which is a multiple of 8, but not 16, which is the granule
> size).
>
> (this is on 6.18 with
> https://lore.kernel.org/all/38dece0a4074c43e48150d1e242f8242c73bf1a5.1764874575.git.m.wieczorretman@pm.me/
> already included)
>
> joonki.min@samsung-slsi.corp-partner.google.com summarized it as
> "When newly requested size is not bigger than allocated size and old
> size was not 16 byte aligned, it failed to unpoison extended area."
>
> and *very* rough comment:
>
> Right. "size - old_size" is not guaranteed 16-byte alignment in this case.
>
> I think we may unpoison 16-byte alignment size, but it allowed more
> than requested :(
>
> I'm not sure that's right approach.
>
> if (size <= alloced_size) {
> - kasan_unpoison_vmalloc(p + old_size, size - old_size,
> + kasan_unpoison_vmalloc(p + old_size, round_up(size -
> old_size, KASAN_GRANULE_SIZE),
> KASAN_VMALLOC_PROT_NORMAL |
> KASAN_VMALLOC_VM_ALLOC |
> KASAN_VMALLOC_KEEP_TAG);
> /*
> * No need to zero memory here, as unused memory will have
> * already been zeroed at initial allocation time or during
> * realloc shrink time.
> */
> - vm->requested_size = size;
> + vm->requested_size = round_up(size, KASAN_GRANULE_SIZE);
>
> my personal guess is that
>
> But just above the code you quoted in mm/vmalloc.c I see:
> if (size <= old_size) {
> ...
> kasan_poison_vmalloc(p + size, old_size - size);
>
> is also likely wrong?? Considering:
>
> mm/kasan/shadow.c
>
> void __kasan_poison_vmalloc(const void *start, unsigned long size)
> {
> if (!is_vmalloc_or_module_addr(start))
> return;
>
> size = round_up(size, KASAN_GRANULE_SIZE);
> kasan_poison(start, size, KASAN_VMALLOC_INVALID, false);
> }
>
> This doesn't look right - if start isn't a multiple of the granule.
I don't think we can ever have the start not be a granule multiple, can
we?
I'm not sure how any of this is supposed to be handled by KASAN, though.
It does seem like a round_up() is missing, though?
-Kees
--
Kees Cook
next prev parent reply other threads:[~2026-01-07 20:28 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-06 12:42 KASAN vs realloc Maciej Żenczykowski
2026-01-07 20:28 ` Kees Cook [this message]
2026-01-07 20:47 ` Maciej Wieczor-Retman
2026-01-07 21:47 ` Maciej Żenczykowski
2026-01-07 21:50 ` Maciej Żenczykowski
2026-01-07 21:55 ` Maciej Żenczykowski
2026-01-09 18:55 ` Maciej Wieczor-Retman
2026-01-09 20:05 ` Maciej Żenczykowski
2026-02-06 19:07 ` Maciej Żenczykowski
2026-02-06 20:14 ` Maciej Wieczor-Retman
2026-02-06 21:26 ` Maciej Żenczykowski
2026-01-13 19:15 ` [PATCH 1/2] mm/kasan: Fix KASAN poisoning in vrealloc() Andrey Ryabinin
2026-01-13 19:15 ` [PATCH 2/2] mm/kasan/kunit: extend vmalloc OOB tests to cover vrealloc() Andrey Ryabinin
2026-01-15 3:56 ` Andrey Konovalov
2026-01-16 13:28 ` [PATCH] mm-kasan-kunit-extend-vmalloc-oob-tests-to-cover-vrealloc-fix Andrey Ryabinin
2026-01-16 18:53 ` Maciej Wieczor-Retman
2026-01-17 1:16 ` Andrey Konovalov
2026-01-14 12:17 ` [PATCH 1/2] mm/kasan: Fix KASAN poisoning in vrealloc() Maciej Wieczor-Retman
2026-01-15 3:56 ` Andrey Konovalov
2026-01-16 13:26 ` Andrey Ryabinin
2026-01-17 1:16 ` Andrey Konovalov
2026-01-17 17:08 ` Andrey Konovalov
2026-01-19 0:48 ` Andrew Morton
2026-01-19 14:43 ` Andrey Ryabinin
2026-01-19 14:45 ` [PATCH] mm-kasan-fix-kasan-poisoning-in-vrealloc-fix Andrey Ryabinin
2026-01-20 17:46 ` Andrey Konovalov
2026-01-21 16:01 ` Andrey Ryabinin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202601071226.8DF7C63@keescook \
--to=kees@kernel.org \
--cc=akpm@google.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=dakr@kernel.org \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=jiayuan.chen@linux.dev \
--cc=joonki.min@samsung-slsi.corp-partner.google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=m.wieczorretman@pm.me \
--cc=maciej.wieczor-retman@intel.com \
--cc=maze@google.com \
--cc=ryabinin.a.a@gmail.com \
--cc=syzbot+997752115a851cb0cf36@syzkaller.appspotmail.com \
--cc=urezki@gmail.com \
--cc=vincenzo.frascino@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.