Conversation

@koczkatamas
Contributor

Double-free is at least as severe as a UAF write because in the case of a UAF write, the vulnerable object is given and you have to find the right victim object - the writable offset and size need to match.

In the case of a double-free you can choose both your victim and attacker object, giving more options for a successful exploitation (there are attacker objects which can basically write all offsets and sizes).

This assumes that the double-free is controlled in a way that the attacker can spray a victim object between the two kfree()s.

@a-nogikh a-nogikh requested a review from tarasmadan January 26, 2026 14:26
@a-nogikh
Collaborator

Note that we don't use merge commits here, we rebase. The checks will now fail.

@koczkatamas koczkatamas force-pushed the patch-3 branch 2 times, most recently from 85a6c9b to 9bd6c22 January 26, 2026 15:04
@tarasmadan
Collaborator

This documentation reflects https://github.com/google/syzkaller/blob/master/pkg/report/impact_score.go .
Reorder the names there please.

@dvyukov
Collaborator

dvyukov commented Jan 26, 2026

Please also change the logic in pkg/report/impact_score.go; that's what actually matters and affects the syzbot presentation.

Double-free is at least as severe as a UAF write because in the case of a UAF write, the vulnerable object is given and
you have to find the right victim object - the writable offset and size need to match.

In the case of a double-free you can choose both your victim and attacker object, giving more options for a successful
exploitation (there are attacker objects which can basically write all offsets and sizes).

This assumes that the double-free is controlled in a way that the attacker can spray a victim object between the two
`kfree()`s.
@tarasmadan tarasmadan added this pull request to the merge queue Jan 26, 2026
Merged via the queue into google:master with commit efb3e89 Jan 26, 2026
18 checks passed