Message-ID: <CAB=+i9RQiDWE6ignfKn2p+UiDF9W=jAuqsmYhHrO9h06+X-pKA@mail.gmail.com>
Date: Sat, 30 Sep 2023 20:04:00 +0900
From: Hyeonggon Yoo <42.hyeyoo@...il.com>
To: Matteo Rizzo <matteorizzo@...gle.com>
Cc: cl@...ux.com, penberg@...nel.org, rientjes@...gle.com, iamjoonsoo.kim@....com, akpm@...ux-foundation.org, vbabka@...e.cz, roman.gushchin@...ux.dev, keescook@...omium.org, linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org, linux-mm@...ck.org, linux-hardening@...r.kernel.org, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com, corbet@....net, luto@...nel.org, peterz@...radead.org, jannh@...gle.com, evn@...gle.com, poprdi@...gle.com, jordyzomer@...gle.com
Subject: Re: [RFC PATCH 01/14] mm/slub: don't try to dereference invalid freepointers

On Fri, Sep 15, 2023 at 7:59 PM Matteo Rizzo <matteorizzo@...gle.com> wrote:
>
> slab_free_freelist_hook tries to read a freelist pointer from the
> current object even when freeing a single object. This is invalid
> because single objects don't actually contain a freelist pointer when
> they're freed and the memory contains other data. This causes problems
> for checking the integrity of freelist in get_freepointer.
>
> Signed-off-by: Matteo Rizzo <matteorizzo@...gle.com>
> ---
>  mm/slub.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index f7940048138c..a7dae207c2d2 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1820,7 +1820,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
>
>         do {
>                 object = next;
> -               next = get_freepointer(s, object);
> +               /* Single objects don't actually contain a freepointer */
> +               if (object != old_tail)
> +                       next = get_freepointer(s, object);
>
>                 /* If object's reuse doesn't have to be delayed */
>                 if (!slab_free_hook(s, object, slab_want_init_on_free(s))) {
> --
> 2.42.0.459.ge4e396fd5e-goog
>

Looks good to me,

Reviewed-by: Hyeonggon Yoo <42.hyeyoo@...il.com>
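Review bot: the `if (object != old_tail)` guard leaves `next` unchanged on the iteration where `object == old_tail`, so `next` still holds the value that was just copied into `object`; the quoted context does not show the loop's exit condition, and this is only safe if the loop terminates on that iteration instead of dereferencing the stale `next` again, so the comment should state that the tail is skipped because it is the last element. The comment `/* Single objects don't actually contain a freepointer */` is also narrower than the condition it annotates: the guard skips the read for the tail of any list handed to slab_free_freelist_hook, not only for a single-object free, so wording it as "the tail object has no successor, so its freepointer slot holds object data rather than a valid pointer" would match the code. Consequently any freelist consistency check inside get_freepointer is no longer applied to the tail object; that is the intent described in the commit message, but it is worth saying so in the comment, since the tail is exactly the object whose slot contains foreign data.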