lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 27 Feb 2007 19:24:12 -0300
From:	"Arnaldo Carvalho de Melo" <arnaldo.melo@...il.com>
To:	"David Miller" <davem@...emloft.net>
Cc:	johnpol@....mipt.ru, paul.moore@...com, kaber@...sh.net,
	netdev@...r.kernel.org
Subject: Re: [NET]: Fix kfree(skb)

On 2/27/07, David Miller <davem@...emloft.net> wrote:
> From: Evgeniy Polyakov <johnpol@....mipt.ru>
> Date: Tue, 27 Feb 2007 21:20:01 +0300
>
> > On Tue, Feb 27, 2007 at 09:14:25PM +0300, Evgeniy Polyakov (johnpol@....mipt.ru) wrote:
> > > On Tue, Feb 27, 2007 at 10:00:52AM -0800, David Miller (davem@...emloft.net) wrote:
> > > > It's unfortunately an easy mistake to make since kfree() accepts any
> > > > pointer type without warning.
> > > >
> > > > What would be really nice is if someone could come up with a way for
> > > > kfree() to disallow being passed objects that are meant to be released
> > > > via some other mechanism.  So that, for example:
> > > >
> > > >   kfree(skb);
> > > >
> > > > would warn or fail to compile, but the kfree_skb() code could go:
> > > >
> > > >   kmem_cache_free_I_KNOW_WHAT_I_AM_DOING(skbuff_head_cache, skb);
> > > >
> > > > :-)
> > >
> > > Something like that? (not tested, will do if starting point looks
> > > correct - it checks if requested to be freed size is equal to one of the
> > > kmalloc() size, and warns if kmalloc cache is not that one where
> > > we are going to free an object):
> > >
> > > diff --git a/mm/slab.c b/mm/slab.c
> > > index c610062..bcb29df 100644
> > > --- a/mm/slab.c
> > > +++ b/mm/slab.c
> > > @@ -3757,6 +3757,15 @@ void kfree(const void *objp)
> > >     local_irq_save(flags);
> > >     kfree_debugcheck(objp);
> > >     c = virt_to_cache(objp);
> > > +
> > > +   {
> > > +           int size = kmem_cache_size(c);
> > > +           struct cache_sizes *csizep = malloc_sizes;
> > > +           while (size != csizep->cs_size)
> >
> > that needs a check for csizep != NULL too obviously.
> > Proof of concept, what do you expect? :)
>
> It's a great run-time check, for sure, and definitely something
> that we should add when SLAB_DEBUG is enabled.
>
> A compile-time check would be "really neat" :-)

I guess this is something up for sparse annotations, like what is done
with __user, etc.

- Arnaldo
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ