| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Jul 2016 12:07:54 -0400
From: Kees Cook <keescook@...omium.org>
To: Christoph Lameter <cl@...ux.com>
Cc: Michael Ellerman <mpe@...erman.id.au>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>, Jan Kara <jack@...e.cz>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will.deacon@....com>,
Linux-MM <linux-mm@...ck.org>,
sparclinux <sparclinux@...r.kernel.org>,
linux-ia64@...r.kernel.org, Andrea Arcangeli <aarcange@...hat.com>,
linux-arch <linux-arch@...r.kernel.org>,
"x86@...nel.org" <x86@...nel.org>,
Russell King <linux@...linux.org.uk>,
PaX Team <pageexec@...email.hu>, Borislav Petkov <bp@...e.de>,
lin <ux-arm-kernel@...ts.infradead.org>,
Mathias Krause <minipli@...glemail.com>,
Fenghua Yu <fenghua.yu@...el.com>,
Rik van Riel <riel@...hat.com>,
David Rientjes <rientjes@...gle.com>,
Tony Luck <tony.luck@...el.com>,
Andy Lutomirski <luto@...nel.org>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Laura Abbott <labbott@...oraproject.org>,
Brad Spengler <spender@...ecurity.net>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
LKML <linux-kernel@...r.kernel.org>,
Pekka Enberg <penberg@...nel.org>,
Case y Schauf ler <casey@...aufler-ca.com>,
Andrew Morton <akpm@...ux-foundation.org>,
"linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support
On Fri, Jul 8, 2016 at 9:45 AM, Christoph Lameter <cl@...ux.com> wrote:
> On Fri, 8 Jul 2016, Michael Ellerman wrote:
>
>> > I wonder if this code should be using size_from_object() instead of s->size?
BTW, I can't reproduce this on x86 yet...
>>
>> Hmm, not sure. Who's SLUB maintainer? :)
>
> Me.
>
> s->size is the size of the whole object including debugging info etc.
> ksize() gives you the actual usable size of an object.
Is check_valid_pointer() making sure the pointer is within the usable
size? It seemed like it was checking that it was within the slub
object (checks against s->size, wants it above base after moving
pointer to include redzone, etc).
I think a potential problem with Michael's fix is that the ptr in
__check_heap_object() may not point at the _start_ of the usable
object, so doing the red zone shift isn't quite right.
This finds the ptr's offset within the slub object (since s->size is
the slub object size):
offset = (ptr - page_address(page)) % s->size;
But this looks at object_size and doesn't take into account actual size:
if (offset <= s->object_size && n <= s->object_size - offset)
return NULL;
I think offset needs to be adjusted by the size of padding, which the
restore_red_left() call had the same effect, but may not cover all
padding conditions? I'm not sure.
Should it be:
/* Find offset within slab object. */
offset = (ptr - page_address(page)) % s->size;
/* Adjust offset for meta data and padding. */
offset -= s->size - s->object_size;
/* Make sure offset and size are within bounds of the
allocation size. */
if (offset <= s->object_size && n <= s->object_size - offset)
return NULL;
?
-Kees
--
Kees Cook
Chrome OS & Brillo Security
Powered by blists - more mailing lists