Over the years KASAN has found thousands of issues in the Linux kernel. Thus, maintaining a full list is pointless.
This page contains links to a few old bugs found with KASAN back in the days when it was being developed. Just for historical purposes.
| Description | Links | Status |
|---|---|---|
| Out-of-bounds read in net/ipv4 | kernel.org | Fixed |
| Out-of-bounds in sd_revalidate_disk (drivers/scsi/sd.c) | spinics.net kernel.org | Fixed |
| Use-after-free in aio_migratepage | kernel.org code.google.com | Fixed |
| Out-of-bounds in ip6_finish_output2 | spinics.net seclists.org kernel.org | Fixed |
| Out-of-bounds in ftrace_regex_release (kernel/trace/ftrace.c) | spinics.net lkml.org | Fixed |
| Use-after-free in ext4_mb_new_blocks | permalink.gmane.org permalink.gmane.org | Fixed |
| Race (use-after-free) in ip4_datagram_release_cb | spinics.net kernel.org | Fixed |
| Use-after-free in __put_anon_vma | lkml.org | Confirmed |
| Out-of-bounds read in __d_lookup_rcu (fs/dcache.c) | code.google.com lkml.org | Confirmed |
| Out-of-bounds in get_wchan (arch/x86/kernel/process_64.c) | lkml.org spinics.net | Confirmed |
| Stack-out-of-bounds in idr_for_each | lkml.org | Confirmed |
| Out-of-bounds memory write in fs/ecryptfs/crypto.c | lkml.org | Confirmed |
| Use-after-free in drivers/net/ethernet/intel/e1000 | permalink.gmane.org | Not confirmed |
| Use-after-free in ____call_usermodehelper (kernel/kmod.c) | lkml.org | Not confirmed |
| Use-after-free in SyS_remap_file_pages | lkml.org | Not confirmed |
| Use-after-free in ata_qc_issue (drivers/ata/libata-core.c) | spinics.net | Not confirmed |
| Racy use-after-free in list_del_event | lkml.org | Not confirmed |
| Description | Links | Status |
|---|---|---|
| drm/i915: Fix command parser table validator | cgit.freedesktop.org | Fixed |
| iwlwifi: out-of-bounds access in iwl_init_sband_channel | lkml.org | Fixed |
| sched: memory corruption on completing completions / out of bounds on stack in do_raw_spin_unlock | lkml.org [article.gmane.org] (http://article.gmane.org/gmane.linux.kernel/1883900) | Fixed |
| net: raw socket accessing invalid memory / out of bounds on stack in memcpy_fromiovec | lkml.org | Not confirmed |
| mm: compaction: buffer overflow in isolate_migratepages_range | lkml.org | Confirmed |
| out of bounds access in i915_cmd_parser_init_ring | lkml.org | Fixed |
| out of bounds access in hash_net4_add_cidr | spinics.net spinics.net | Fixed |
| null-ptr-deref in __rds_conn_create | lkml.org | Fixed |
| out of bounds on stack in iov_iter_advance | lkml.org | Confirmed |
| use after free in dio_bio_complet | redhat.com | Fixed |
| null-ptr-deref in mincore_page/shmem_mapping | lkml.org | Fixed |
| out of bounds in gic_raise_softirq/gic_compute_target_list | infradead.org | Fixed |
| out of bounds in trace_event_enum_update | lkml.org | Fixed |
| use-after-free in mlxsw_sx_port_xmit | ozlabs.org | Fixed |
| use after free in page_cache_async_readahead | lkml.org spinics.net | Fixed |
| Use-after-free in kobject_put (scsi_host_dev_release) | lkml.org | No response |
| Out-of-bounds in crc16 (ext4_group_desc_csum) | lkml.org | No response |
| User-memory-access in ext4_orphan_del | lkml.org | No response |
| out of bounds on stack in csum_partial_copy_fromiovecend | spinics.net | Not confirmed |
| NULL ptr deref in handle_mm_fault | spinics.net | Not confirmed |
| use-after-free in shrink_page_list | lkml.org | TODO |