| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Sep 2014 10:46:03 -0400 (EDT) From: Mikulas Patocka <mpatocka@...hat.com> To: Christoph Lameter <cl@...ux.com> cc: Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>, Joonsoo Kim <iamjoonsoo.kim@....com>, Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org, linux-kernel@...r.kernel.org, "Alasdair G. Kergon" <agk@...hat.com>, Mike Snitzer <msnitzer@...hat.com>, Milan Broz <gmazyland@...il.com>, kkolasa@...soft.pl, dm-devel@...hat.com Subject: Re: [PATCH] slab: implement kmalloc guard On Mon, 8 Sep 2014, Christoph Lameter wrote: > On Fri, 5 Sep 2014, Mikulas Patocka wrote: > > > This patch adds a new option DEBUG_KMALLOC that makes it possible to > > detect writes beyond the end of space allocated with kmalloc. Normally, > > the kmalloc function rounds the size to the next power of two (there is > > exception to this rule - sizes 96 and 192). Slab debugging detects only > > writes beyond the end of the slab object, it is unable to detect writes > > beyond the end of kmallocated size that fit into the slab object. > > > > The motivation for this patch was this: There was 6 year old bug in > > dm-crypt (d49ec52ff6ddcda178fc2476a109cf1bd1fa19ed) where the driver would > > write beyond the end of kmallocated space, but the bug went undetected > > because the write would fit into the power-of-two-sized slab object. Only > > recent changes to dm-crypt made the bug show up. There is similar problem > > in the nx-crypto driver in the function nx_crypto_ctx_init - again, > > because kmalloc rounds the size up to the next power of two, this bug went > > undetected. > > The problem with the kmalloc array for debugging is inded that it is > only for powers of two for efficiency purposes. In the debug > situation we may not have the need for that efficiency. Maybe simply > creating kmalloc arrays for each size will do the trick? I don't know what you mean. If someone allocates 10000 objects with sizes from 1 to 10000, you can't have 10000 slab caches - you can't have a slab cache for each used size. Also - you can't create a slab cache in interrupt context. > > This patch works for slab, slub and slob subsystems. The end of slab block > > can be found out with ksize (this patch renames it to __ksize). At the end > > of the block, we put a structure kmalloc_guard. This structure contains a > > magic number and a real size of the block - the exact size given to > > We already have a redzone structure to check for writes over the end of > the object. Lets use that. So, change all three slab subsystems to use that. Mikulas -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists