| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201304291140.IFJ95894.OFLSFFHQOOMVJt@I-love.SAKURA.ne.jp> Date: Mon, 29 Apr 2013 11:40:28 +0900 From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> To: glommer@...allels.com, cl@...ux.com, penberg@...nel.org Cc: linux-kernel@...r.kernel.org Subject: Re: [linux-next-20130422] Bug in SLAB? Tetsuo Handa wrote: > Also, kmalloc_index() in include/linux/slab.h can return 0 to 26. > > If (MAX_ORDER + PAGE_SHIFT - 1) > 25 is true and > kmalloc_index(64 * 1024 * 1024) is requested (I don't know whether such case > happens), kmalloc_caches[26] is beyond the array, for kmalloc_caches[26] > allows 0 to 25. > > If (MAX_ORDER + PAGE_SHIFT - 1) <= 25 is true and > kmalloc_index(64 * 1024 * 1024) is requested (I don't know whether such case > happens), kmalloc_caches[26] is beyond the array, for > kmalloc_caches[MAX_ORDER + PAGE_SHIFT] allows 0 to MAX_ORDER + PAGE_SHIFT - 1. > > Would you recheck that the array size is correct? > I confirmed (on x86_32) that volatile unsigned int size = 8 * 1024 * 1024; kmalloc(size, GFP_KERNEL); causes no warning at compile time and returns NULL at runtime. But unsigned int size = 8 * 1024 * 1024; kmalloc(size, GFP_KERNEL); causes compile time warning include/linux/slab_def.h:136: warning: array subscript is above array bounds and runtime bug. BUG: unable to handle kernel NULL pointer dereference at 00000058 IP: [<c10b9d76>] kmem_cache_alloc+0x26/0xb0 I confirmed (on x86_32) that kmalloc(64 * 1024 * 1024, GFP_KERNEL); causes compile time warning include/linux/slab_def.h:136: warning: array subscript is above array bounds and runtime bug. Kernel BUG at c10b9c5b [verbose debug info unavailable] invalid opcode: 0000 [#1] SMP Also, volatile unsigned int size = 64 * 1024 * 1024; kmalloc(size, GFP_KERNEL); causes no warning at compile time but runtime bug. Kernel BUG at c10b9c5b [verbose debug info unavailable] invalid opcode: 0000 [#1] SMP There are kernel modules which expect kmalloc() to return NULL rather than oops when the requested size is too large. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists