lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 3 May 2009 15:18:58 +0300
From:	Pekka Enberg <penberg@...helsinki.fi>
To:	Jack Steiner <steiner@....com>
Cc:	akpm@...ux-foundation.org, npiggin@...e.de,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] - Fix memory corruption in slbq

Hi Jack,

(Please cc me when sending patches to SL*B.)

On Fri, May 1, 2009 at 3:41 AM, Jack Steiner <steiner@....com> wrote:
> Fix memory corruption caused by slqb overrunning the end
> of the page allocated in kmem_cache_dyn_array_alloc() for
> initial caches.
>
> Signed-off-by: Jack Steiner <steiner@....com>
>
> ---
>  mm/slqb.c |    5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> Index: linux/mm/slqb.c
> ===================================================================
> --- linux.orig/mm/slqb.c        2009-04-30 15:47:16.000000000 -0500
> +++ linux/mm/slqb.c     2009-04-30 19:08:33.000000000 -0500
> @@ -2194,15 +2194,14 @@ static void *kmem_cache_dyn_array_alloc(
>                 * never get freed by definition so we can do it rather
>                 * simply.
>                 */
> -               if (!nextmem) {
> +               if (!nextmem || offset_in_page(nextmem) + size > PAGE_SIZE) {
>                        nextmem = alloc_pages_exact(size, GFP_KERNEL);
>                        if (!nextmem)
>                                return NULL;
>                }
>                ret = nextmem;
>                nextmem = (void *)((unsigned long)ret + size);
> -               if ((unsigned long)ret >> PAGE_SHIFT !=
> -                               (unsigned long)nextmem >> PAGE_SHIFT)
> +               if (offset_in_page(ret) + size >= PAGE_SIZE)
>                        nextmem = NULL;
>                memset(ret, 0, size);
>                return ret;

I don't think this is needed now that commit 8804e6f ("SLQB:  fix dumb
early allocation cache") is merged:

http://git.kernel.org/?p=linux/kernel/git/penberg/slab-2.6.git;a=commitdiff_plain;h=8804e6f0001668656d4cb2a329e1a6e69e695a0f

Or do you still see the corruption with it?

                                              Pekka
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ