| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Oct 2016 12:56:18 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Christoph Lameter <cl@...ux.com>
Cc: Al Viro <viro@...iv.linux.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>,
Jens Axboe <axboe@...com>, "Ted Ts'o" <tytso@....edu>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>
Subject: Re: [git pull] vfs pile 1 (splice)
On Mon, Oct 10, 2016 at 7:03 AM, Christoph Lameter <cl@...ux.com> wrote:
>
> Hmm.. Then get_freepointer_safe may not be ok. Should not trigger any
> faults.
So the reason seems to be that SLUB doesn't actually react well to
double-freeing bugs.
I'm not sure how to fix that. I think the optimistic load that SLUB
does is actually important, since it is what allows the whole
lock-free double_cmpxchg() approach.
But the fact that it reacts _so_ badly to double-freeing issues when
the freelist has become corrupted due to an object being free'd and
then modified is clearly very fragile and not great.
Doing a google search for "kmalloc", "oops" and "cmpxchg16b" does show
that it happens: you can tell by how the trapping instruction is a
load just before the cmpxchg16b instruction in the oops disassembly.
Maybe we should just make "get_freepointer()" always handle traps.
Right now it does that "probe_kernel_read()" conditionally, and it's a
fairly costly operation, but we *could* make it cheaper. It's really
just a single instruction with an exception entry (kind of like
load_unaligned_zeropad() that we wrote for the dcache case).
I dunno.
Linus
Powered by blists - more mailing lists