kernel-sanitizers

KASAN: Found bugs

Over the years KASAN has found thousands of issues in the Linux kernel. Thus, maintaining a full list is pointless.

This page links to a few old bugs found with KASAN back when it was being developed. They are kept just for historical purposes.

Old Bugs

| Description | Links | Status |
|---|---|---|
| Out-of-bounds read in net/ipv4 | kernel.org | Fixed |
| Out-of-bounds in sd_revalidate_disk (drivers/scsi/sd.c) | spinics.net, kernel.org | Fixed |
| Use-after-free in aio_migratepage | kernel.org, code.google.com | Fixed |
| Out-of-bounds in ip6_finish_output2 | spinics.net, seclists.org, kernel.org | Fixed |
| Out-of-bounds in ftrace_regex_release (kernel/trace/ftrace.c) | spinics.net, lkml.org | Fixed |
| Use-after-free in ext4_mb_new_blocks | permalink.gmane.org, permalink.gmane.org | Fixed |
| Race (use-after-free) in ip4_datagram_release_cb | spinics.net, kernel.org | Fixed |
| Use-after-free in __put_anon_vma | lkml.org | Confirmed |
| Out-of-bounds read in __d_lookup_rcu (fs/dcache.c) | code.google.com, lkml.org | Confirmed |
| Out-of-bounds in get_wchan (arch/x86/kernel/process_64.c) | lkml.org, spinics.net | Confirmed |
| Stack-out-of-bounds in idr_for_each | lkml.org | Confirmed |
| Out-of-bounds memory write in fs/ecryptfs/crypto.c | lkml.org | Confirmed |
| Use-after-free in drivers/net/ethernet/intel/e1000 | permalink.gmane.org | Not confirmed |
| Use-after-free in ____call_usermodehelper (kernel/kmod.c) | lkml.org | Not confirmed |
| Use-after-free in SyS_remap_file_pages | lkml.org | Not confirmed |
| Use-after-free in ata_qc_issue (drivers/ata/libata-core.c) | spinics.net | Not confirmed |
| Racy use-after-free in list_del_event | lkml.org | Not confirmed |

| Description | Links | Status |
|---|---|---|
| drm/i915: Fix command parser table validator | cgit.freedesktop.org | Fixed |
| iwlwifi: out-of-bounds access in iwl_init_sband_channel | lkml.org | Fixed |
| sched: memory corruption on completing completions / out of bounds on stack in do_raw_spin_unlock | lkml.org, [article.gmane.org](http://article.gmane.org/gmane.linux.kernel/1883900) | Fixed |
| net: raw socket accessing invalid memory / out of bounds on stack in memcpy_fromiovec | lkml.org | Not confirmed |
| mm: compaction: buffer overflow in isolate_migratepages_range | lkml.org | Confirmed |
| out of bounds access in i915_cmd_parser_init_ring | lkml.org | Fixed |
| out of bounds access in hash_net4_add_cidr | spinics.net, spinics.net | Fixed |
| null-ptr-deref in __rds_conn_create | lkml.org | Fixed |
| out of bounds on stack in iov_iter_advance | lkml.org | Confirmed |
| use after free in dio_bio_complet | redhat.com | Fixed |
| null-ptr-deref in mincore_page/shmem_mapping | lkml.org | Fixed |
| out of bounds in gic_raise_softirq/gic_compute_target_list | infradead.org | Fixed |
| out of bounds in trace_event_enum_update | lkml.org | Fixed |
| use-after-free in mlxsw_sx_port_xmit | ozlabs.org | Fixed |
| use after free in page_cache_async_readahead | lkml.org, spinics.net | Fixed |
| Use-after-free in kobject_put (scsi_host_dev_release) | lkml.org | No response |
| Out-of-bounds in crc16 (ext4_group_desc_csum) | lkml.org | No response |
| User-memory-access in ext4_orphan_del | lkml.org | No response |
| out of bounds on stack in csum_partial_copy_fromiovecend | spinics.net | Not confirmed |
| NULL ptr deref in handle_mm_fault | spinics.net | Not confirmed |
| use-after-free in shrink_page_list | lkml.org | TODO |

More bugs found by external users