Home

Andrey Konovalov edited this page Jan 26, 2018 · 17 revisions

KernelAddressSanitizer (KASAN)

Overview

KernelAddressSanitizer (KASAN) is a dynamic memory error detector. It provides a fast and comprehensive solution for finding use-after-free and out-of-bounds bugs in the Linux kernel.

KASAN is available in the upstream Linux kernel starting from 4.0. It can be enabled with CONFIG_KASAN=y.

Kernel documentation: https://www.kernel.org/doc/html/latest/dev-tools/kasan.html

KernelAddressSanitizer:

  • Is based on compiler instrumentation (fast)
  • Detects OOB for both writes and reads
  • Provides strong UAF detection (based on delayed memory reuse)
  • Detects bad memory accesses promptly
  • Prints informative reports

Details

Project mailing list: kasan-dev@googlegroups.com, which you can subscribe to either with a Google account or by sending an email to kasan-dev+subscribe@googlegroups.com.

Reports

To simplify reading the reports you can use our symbolizer script:

$ cat report
...
[  107.327411]  [<ffffffff8110424c>] call_usermodehelper_freeinfo+0x2c/0x30
[  107.328668]  [<ffffffff811049d5>] call_usermodehelper_exec+0xa5/0x1c0
[  107.329816]  [<ffffffff811052b0>] call_usermodehelper+0x40/0x60
[  107.330987]  [<ffffffff8146c15e>] kobject_uevent_env+0x5ee/0x620
[  107.332035]  [<ffffffff8146c19b>] kobject_uevent+0xb/0x10
[  107.333108]  [<ffffffff8173bd7f>] net_rx_queue_update_kobjects+0xaf/0x150
...
$ cat report | ./kasan_symbolize.py --linux=path/to/kernel/ --strip=path/to/kernel/
...
 [<ffffffff8110424c>] call_usermodehelper_freeinfo+0x2c/0x30 kernel/kmod.c:265
 [<ffffffff811049d5>] call_usermodehelper_exec+0xa5/0x1c0 kernel/kmod.c:612
 [<ffffffff811052b0>] call_usermodehelper+0x40/0x60 kernel/kmod.c:642
 [<ffffffff8146c15e>] kobject_uevent_env+0x5ee/0x620 lib/kobject_uevent.c:311
 [<ffffffff8146c19b>] kobject_uevent+0xb/0x10 lib/kobject_uevent.c:333
 [<     inlined    >] net_rx_queue_update_kobjects+0xaf/0x150 rx_queue_add_kobject net/core/net-sysfs.c:771
 [<ffffffff8173bd7f>] net_rx_queue_update_kobjects+0xaf/0x150 net/core/net-sysfs.c:786
...
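
The following added example (not the project's kasan_symbolize.py and not code from this wiki) shows how the frame lines in a report break down into return address, symbol, offset and function size, and how those addresses can be handed to binutils addr2line for file:line lookup. The helper names and the vmlinux path are assumptions; the sample lines are copied from the report above.

```python
import re

# Frame lines as printed by the kernel: optional "[  time]" prefix, then
# "[<address>] symbol+0xoffset/0xsize".
FRAME_RE = re.compile(
    r"^(?:\[\s*\d+\.\d+\]\s*)?"          # dmesg timestamp, if present
    r"\[<(?P<addr>[0-9a-f]{16})>\]\s+"   # address recorded for the frame
    r"(?P<sym>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
)

def parse_frames(report):
    """Return one dict per stack frame found in the report text."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # "..." and other non-frame lines are skipped
        addr = int(m["addr"], 16)
        off, size = int(m["off"], 16), int(m["size"], 16)
        if off > size:
            raise ValueError(f"offset past end of {m['sym']}: {line!r}")
        frames.append({"addr": addr, "sym": m["sym"], "offset": off,
                       "size": size, "func_start": addr - off})
    return frames

def addr2line_argv(frames, vmlinux):
    """Build an addr2line command: -f prints function names, -i expands inlined calls."""
    return ["addr2line", "-f", "-i", "-e", vmlinux] + [f"{f['addr']:#x}" for f in frames]

# Sample input: three frame lines copied from the report shown above.
SAMPLE = """\
...
[  107.327411]  [<ffffffff8110424c>] call_usermodehelper_freeinfo+0x2c/0x30
[  107.328668]  [<ffffffff811049d5>] call_usermodehelper_exec+0xa5/0x1c0
[  107.333108]  [<ffffffff8173bd7f>] net_rx_queue_update_kobjects+0xaf/0x150
...
"""

if __name__ == "__main__":
    frames = parse_frames(SAMPLE)
    for f in frames:
        print(f"{f['sym']:32} starts at {f['func_start']:#x}")
    # "path/to/kernel/vmlinux" is a placeholder for an unstripped kernel image.
    print(" ".join(addr2line_argv(frames, "path/to/kernel/vmlinux")))
```

Resolving addresses to source lines requires a vmlinux built with debug info from the same build that produced the report.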

Trophies

https://github.com/google/kasan/wiki/Found-Bugs