lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 10 May 2011 20:05:54 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Christoph Lameter <cl@...ux.com>
Cc:	Vegard Nossum <vegardno@....uio.no>,
	Pekka Enberg <penberg@...helsinki.fi>,
	casteyde.christian@...e.fr,
	Andrew Morton <akpm@...ux-foundation.org>,
	netdev@...r.kernel.org, bugzilla-daemon@...zilla.kernel.org,
	bugme-daemon@...zilla.kernel.org
Subject: Re: [Bugme-new] [Bug 33502] New: Caught 64-bit read from
 uninitialized memory in __alloc_skb

Le mardi 10 mai 2011 à 12:43 -0500, Christoph Lameter a écrit :
> Draft for a patch
> 
> 
> Subject: slub: Make CONFIG_PAGE_ALLOC work with new fastpath
> 
> Fastpath can do a speculative access to a page that CONFIG_PAGE_ALLOC may have
> marked as invalid to retrieve the pointer to the next free object.
> 
> Probe that address before dereferencing the pointer to the page.
> All of that needs to occur with interrupts disabled since an interrupt
> could cause the page status to change (as pointed out by Eric).
> 
> Signed-off-by: Christoph Lameter <cl@...ux.com>
> ---
>  mm/slub.c |   23 ++++++++++++++++++++++-
>  1 file changed, 22 insertions(+), 1 deletion(-)
> 
> Index: linux-2.6/mm/slub.c
> ===================================================================
> --- linux-2.6.orig/mm/slub.c	2011-05-10 12:35:30.000000000 -0500
> +++ linux-2.6/mm/slub.c	2011-05-10 12:38:53.000000000 -0500
> @@ -261,6 +261,27 @@ static inline void *get_freepointer(stru
>  	return *(void **)(object + s->offset);
>  }
> 
> +static inline void *get_freepointer_safe(struct kmem_cache *s, void *object)
> +{
> +	void *p;
> +
> +#ifdef CONFIG_PAGE_ALLOC
> +	unsigned long flags;
> +
> +	local_irq_save(flags);
> +
> +	if (probe_kernel_address(object))
> +		p = NULL;	/* Invalid */
> +	else
> +		p = get_freepointer(s, object);
> +
> +	local_irq_restore(flags);
> +#else
> +	p = get_freepointer(s, object);
> +#endif
> +	return p;
> +}
> +
>  static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
>  {
>  	*(void **)(object + s->offset) = fp;
> @@ -1933,7 +1954,7 @@ redo:
>  		if (unlikely(!irqsafe_cpu_cmpxchg_double(
>  				s->cpu_slab->freelist, s->cpu_slab->tid,
>  				object, tid,
> -				get_freepointer(s, object), next_tid(tid)))) {
> +				get_freepointer_safe(s, object), next_tid(tid)))) {
> 
>  			note_cmpxchg_failure("slab_alloc", s, tid);
>  			goto redo;


Really this wont work Stephen

You have to disable IRQ _before_ even fetching 'object'

Or else, you can have an IRQ, allocate this object, pass to another cpu.

This other cpu can free the object and unmap page right after you did
the probe_kernel_address(object) (successfully), and before your cpu :

p = get_freepointer(s, object); << BUG >>

I really dont understand your motivation to keep the buggy commit.



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ