Message-ID: <Pine.LNX.4.64.0706011615540.9781@schroedinger.engr.sgi.com>
Date:	Fri, 1 Jun 2007 16:16:55 -0700 (PDT)
From:	Christoph Lameter <clameter@....com>
To:	Andrew Morton <akpm@...ux-foundation.org>
cc:	Jeremy Fitzhardinge <jeremy@...p.org>,
	Srinivasa Ds <srinivasa@...ibm.com>,
	linux-kernel@...r.kernel.org,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Srivatsa Vaddagiri <vatsa@...ibm.com>,
	Dinakar Guniguntala <dino@...ibm.com>, pj@....com,
	simon.derr@...l.net, rientjes@...gle.com
Subject: Re: [RFC] [PATCH] cpuset operations causes Badness at mm/slab.c:777
 warning

> So a kmalloc(62) would get upped to 66, so we allocate from size-128
> and put the number 62 at bytes 124-127 and we poison bytes 62-123?

Hmmm... We are going rapidly here. This is a patch that I am testing right 
now. It right adjust the object and the patch is manageable:



SLUB mm-only: Right align kmalloc objects to trigger overwrite detection

Right align kmalloc objects if they are less than the full kmalloc slab size.
This will move the object to be flush with the end of the object in order
to allow the easy detection of writes / reads after the end of the kmalloc
object.

Without slub_debug overwrites will destroy the free pointer of the next object
or the next object. Read will yield garbage that is likely zero.

With slub_debug redzone checks will be triggered. Reads will read redzone
poison.

This patch is only for checking things out. There are issues:

1. Alignment of kmalloc objects may now be different. In particular
   objects whose size is not a multiple of wordsize may be not word alignmed.

2. __kmalloc and kfree need to touch an additional cacheline in
   struct kmem_cache thereby reducing performance.

3. An object allocated via kmalloc may no longer be freed via kmem_cache_free.

So we need to figure out some way to make this configurable. Preferably
runtime configurable.

Signed-off-by: Christoph Lameter <clameter@....com>

---
 include/linux/slub_def.h |   22 +++++++++++++++++++---
 mm/slub.c                |   11 ++++++++---
 2 files changed, 27 insertions(+), 6 deletions(-)

Index: slub/include/linux/slub_def.h
===================================================================
--- slub.orig/include/linux/slub_def.h	2007-06-01 15:56:42.000000000 -0700
+++ slub/include/linux/slub_def.h	2007-06-01 16:00:03.000000000 -0700
@@ -120,6 +120,19 @@ static inline struct kmem_cache *kmalloc
 	return &kmalloc_caches[index];
 }
 
+static inline unsigned long kmalloc_size(size_t size)
+{
+	int index = kmalloc_index(size);
+
+	if (index >= KMALLOC_SHIFT_LOW)
+		return 1 << index;
+
+	if (index == 2)
+		return 192;
+	return 96;
+}
+
+
 #ifdef CONFIG_ZONE_DMA
 #define SLUB_DMA __GFP_DMA
 #else
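Review bot: kmalloc_size() at the top of the hunk silently answers 96 for the index values kmalloc_index() uses to signal a zero-length or oversized request (0 and -1), so a caller that has not first gone through kmalloc_slab() gets a plausible-looking size for an allocation that never happens; the inline kmalloc paths in this patch only call it after the NULL check on s, but the helper itself does not state that precondition. I would add it as a comment, `/* Slot size of the cache kmalloc_slab() picks; valid only when kmalloc_slab(size) != NULL */`, and compute the power-of-two case in the return type, `return 1UL << index;`, rather than shifting an int and widening afterwards. The 96/192 literals also duplicate the special cases in kmalloc_index(); a single shared table would keep the two from drifting apart.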
@@ -135,7 +148,8 @@ static inline void *kmalloc(size_t size,
 		if (!s)
 			return NULL;
 
-		return kmem_cache_alloc(s, flags);
+		return kmem_cache_alloc(s, flags)
+				+ kmalloc_size(size) - size;
 	} else
 		return __kmalloc(size, flags);
 }
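Review bot: The new return on the `+` lines adds the right-alignment offset to whatever kmem_cache_alloc() returns, so when the allocation fails the caller receives `NULL + kmalloc_size(size) - size`, a small non-NULL pointer, instead of NULL; the `if (!s)` check above only covers a missing cache, not a failed allocation. The kzalloc hunk below has the same pattern. Split the call from the adjustment: `void *p = kmem_cache_alloc(s, flags);` followed by `return p ? p + (kmalloc_size(size) - size) : NULL;`. kmalloc's signature and opening branch are above this hunk.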
@@ -148,7 +162,8 @@ static inline void *kzalloc(size_t size,
 		if (!s)
 			return NULL;
 
-		return kmem_cache_zalloc(s, flags);
+		return kmem_cache_zalloc(s, flags)
+				+ kmalloc_size(size) - size;
 	} else
 		return __kzalloc(size, flags);
 }
@@ -159,7 +174,8 @@ extern void *__kmalloc_node(size_t size,
 static inline void *kmalloc_node(size_t size, gfp_t flags, int node)
 {
 	if (__builtin_constant_p(size) && !(flags & SLUB_DMA)) {
-		struct kmem_cache *s = kmalloc_slab(size);
+		struct kmem_cache *s = kmalloc_slab(size) +
+					kmalloc_size(size) - size;
 
 		if (!s)
 			return NULL;
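Review bot: In kmalloc_node the offset is added to the `struct kmem_cache *` returned by kmalloc_slab(), not to the allocated object, so `s` is advanced by (kmalloc_size(size) - size) * sizeof(struct kmem_cache) and points at whatever follows that cache in kmalloc_caches; a NULL result from kmalloc_slab() also stops being NULL, so the `if (!s)` guard on the next line no longer fires. The adjustment belongs on the pointer returned by the allocation call later in the function (that line is below the hunk), exactly as the kmalloc and kzalloc hunks do it and with the same NULL guard; this line should stay `struct kmem_cache *s = kmalloc_slab(size);`.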
Index: slub/mm/slub.c
===================================================================
--- slub.orig/mm/slub.c	2007-06-01 15:51:05.000000000 -0700
+++ slub/mm/slub.c	2007-06-01 16:15:21.000000000 -0700
@@ -2283,9 +2283,10 @@ static struct kmem_cache *get_slab(size_
 void *__kmalloc(size_t size, gfp_t flags)
 {
 	struct kmem_cache *s = get_slab(size, flags);
+	int offset = size - s->size;
 
 	if (s)
-		return slab_alloc(s, flags, -1, __builtin_return_address(0));
+		return slab_alloc(s, flags, -1, __builtin_return_address(0)) + offset;
 	return NULL;
 }
 EXPORT_SYMBOL(__kmalloc);
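Review bot: `int offset = size - s->size;` dereferences s before the `if (s)` test two lines later, so a request that get_slab() rejects now oopses instead of returning NULL, and the subtraction is the wrong way round: size is at most s->size, so the result is zero or negative and the returned pointer is moved before the slot rather than to its end (the inline kmalloc computes kmalloc_size(size) - size, the opposite sign); the difference is also computed in size_t and then truncated to int. The __kmalloc_node hunk below has the same three problems, and in both a failed slab_alloc() becomes a non-NULL pointer once the offset is added. s->size is the slot size including debug metadata, so with slub_debug the right-aligned data would land in the redzone; if the object-only size field is s->objsize in this tree, as I believe it is, the offset should be based on that, which also matches what kmalloc_size() returns on the inline path.
```c
void *__kmalloc(size_t size, gfp_t flags)
{
	struct kmem_cache *s = get_slab(size, flags);
	void *object;

	if (!s)
		return NULL;

	object = slab_alloc(s, flags, -1, __builtin_return_address(0));
	if (!object)
		return NULL;

	/* Hand out the last 'size' bytes of the object so an overrun hits the redzone. */
	return object + (s->objsize - size);
}
```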
@@ -2294,9 +2295,10 @@ EXPORT_SYMBOL(__kmalloc);
 void *__kmalloc_node(size_t size, gfp_t flags, int node)
 {
 	struct kmem_cache *s = get_slab(size, flags);
+	int offset = size - s->size;
 
 	if (s)
-		return slab_alloc(s, flags, node, __builtin_return_address(0));
+		return slab_alloc(s, flags, node, __builtin_return_address(0)) + offset;
 	return NULL;
 }
 EXPORT_SYMBOL(__kmalloc_node);
@@ -2337,6 +2339,7 @@ void kfree(const void *x)
 {
 	struct kmem_cache *s;
 	struct page *page;
+	unsigned long addr = (unsigned long) x;
 
 	if (!x)
 		return;
@@ -2344,7 +2347,9 @@ void kfree(const void *x)
 	page = virt_to_head_page(x);
 	s = page->slab;
 
-	slab_free(s, page, (void *)x, __builtin_return_address(0));
+	addr &= ~((unsigned long)s->size - 1);
+
+	slab_free(s, page, (void *)addr, __builtin_return_address(0));
 }
 EXPORT_SYMBOL(kfree);
 
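Review bot: `addr &= ~((unsigned long)s->size - 1);` only recovers the slot start when s->size is a power of two, and this patch's own kmalloc_size() shows it is not for the 96- and 192-byte caches; with slub_debug enabled s->size also carries redzone and tracking bytes, so it is rarely a power of two there either. For those caches the mask lands inside a neighbouring slot and slab_free() is handed an address that was never allocated. The rounding has to be relative to the slab base with a division, e.g. `unsigned long base = (unsigned long)page_address(page);` and `addr = base + (addr - base) / s->size * s->size;`, assuming the first object of a slab starts at page_address(page) — confirm against the allocation path. kfree's declarations are in the previous hunk.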