Re: Catching use-after-free easily in linux kernel.
From: Amit
Date: Tue Jan 13 2026 - 07:03:19 EST
On Tue, 11 Mar 2025 at 06:05, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> On Mon, Mar 10, 2025 at 01:24:54PM +0530, Amit wrote:
> > Hi,
> >
> > We can catch use-after-free easily if we do the following:
> >
> > kfree(x);
> > (x) = NULL;
> >
> > Now, if someone uses 'x' again then the kernel will crash and we will know where
> > the use-after-free is happening and then we can fix it.
>
> That assumes that no pointer is ever stored in more than one place.
> Which is very clearly false.
In general, I don't think that in the Linux kernel "lots of dynamic
pointers" are being cached/saved/duplicated in global structures - I
haven't gone through all the kernel code but I can't think of logical
scenarios where "lots of dynamic pointers" will be
cached/saved/duplicated in global structures.
By dynamic pointers, I mean pointers to transient memory/data that can
come and go (not like pointers to pre-allocated inodes of filesystems
like ext4, etc.).
And, obviously, local caching/saving/duplication
(caching/saving/duplication in a function) doesn't matter. So, the
above code should be very effective.
Also, something is better than nothing.
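The exchange above turns on one point: clearing the caller's variable after `kfree()` only protects uses that go through that variable, not copies of the pointer stored elsewhere. The following user-space C model is added here to make that concrete; it is not kernel code and not written by either participant. `struct item`, the global `g_cache` array, `FREE_AND_NULL` and the `demo_*` helpers are all constructed for the illustration. The first scenario applies the idiom from the thread and counts how many cached copies still hold the freed address; the second removes the cached copies before freeing, which is the step the idiom silently depends on.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the idiom discussed in the thread:
 *     kfree(x); x = NULL;
 * and of the objection that a pointer may be stored in more than one
 * place. Nothing here is kernel code; struct item, g_cache and the
 * helper names are invented for this example.
 */

#define CACHE_SLOTS 4

struct item {
    int  id;
    char name[16];
};

/* Stand-in for any long-lived structure (list, hash table, per-cpu
 * slot) that keeps its own copy of a pointer it was handed earlier. */
static struct item *g_cache[CACHE_SLOTS];

/* The idiom from the thread: free, then clear the caller's variable so
 * a later use through *this* variable faults on NULL. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

static void cache_reset(void)
{
    memset(g_cache, 0, sizeof(g_cache));
}

/* Store a second copy of the pointer in the first empty slot. */
static int cache_store(struct item *it)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (g_cache[i] == NULL) {
            g_cache[i] = it;
            return 0;
        }
    }
    return -1; /* cache full */
}

/* Drop every cached copy of the pointer: the step the idiom relies on
 * someone else having done before the free. */
static void cache_forget(const struct item *it)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (g_cache[i] == it)
            g_cache[i] = NULL;
}

/* Count slots that still hold the address of a freed object. Only
 * addresses are compared; the stale pointer is never dereferenced. */
static int cache_count_dangling(uintptr_t freed_addr)
{
    int n = 0;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if ((uintptr_t)g_cache[i] == freed_addr)
            n++;
    return n;
}

static struct item *item_alloc(int id, const char *name)
{
    struct item *it = calloc(1, sizeof(*it));
    if (it) {
        it->id = id;
        strncpy(it->name, name, sizeof(it->name) - 1);
    }
    return it;
}

/* Scenario 1: the owner frees and NULLs its pointer, but the cache is
 * never told. Returns the number of dangling copies left behind (1). */
int demo_owner_nulls_only(void)
{
    cache_reset();
    struct item *it = item_alloc(1, "alpha");
    if (!it || cache_store(it) != 0)
        return -1;
    uintptr_t addr = (uintptr_t)it;   /* remember the address for the check */
    FREE_AND_NULL(it);                /* the thread's idiom */
    /* 'it' is NULL, so a use through 'it' faults as described, but
     * g_cache[0] still carries the old address. */
    return it == NULL ? cache_count_dangling(addr) : -1;
}

/* Scenario 2: every stored copy is removed before the free, so NULLing
 * the owner's pointer leaves no dangling alias (returns 0). */
int demo_forget_then_free(void)
{
    cache_reset();
    struct item *it = item_alloc(2, "beta");
    if (!it || cache_store(it) != 0)
        return -1;
    uintptr_t addr = (uintptr_t)it;
    cache_forget(it);                 /* clear the aliases first */
    FREE_AND_NULL(it);
    return it == NULL ? cache_count_dangling(addr) : -1;
}

int main(void)
{
    printf("owner NULLs only:  %d dangling copy(ies)\n", demo_owner_nulls_only());
    printf("forget, then free: %d dangling copy(ies)\n", demo_forget_then_free());
    return 0;
}
```

The second scenario is what the kernel's real ownership rules do in practice (unlinking from lists, dropping references) and is where the work of avoiding a use-after-free actually lives; the NULL assignment only adds a cheap fault for the one variable it touches.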