| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Mar 2018 18:42:53 +0100
From: Andrey Konovalov <andreyknvl@...gle.com>
To: Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc: Christoph Lameter <cl@...ux.com>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Linux Memory Management List <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
kasan-dev <kasan-dev@...glegroups.com>,
Kostya Serebryany <kcc@...gle.com>
Subject: Re: [PATCH] kasan, slub: fix handling of kasan_slab_free hook
On Fri, Mar 2, 2018 at 1:10 PM, Andrey Ryabinin <aryabinin@...tuozzo.com> wrote:
> On 02/23/2018 06:53 PM, Andrey Konovalov wrote:
>> The kasan_slab_free hook's return value denotes whether the reuse of a
>> slab object must be delayed (e.g. when the object is put into memory
>> qurantine).
>>
>> The current way SLUB handles this hook is by ignoring its return value
>> and hardcoding checks similar (but not exactly the same) to the ones
>> performed in kasan_slab_free, which is prone to making mistakes.
>>
>
> What are those differences exactly? And what problems do they cause?
> Answers to these questions should be in the changelog.
The difference is that with the old code we end up proceeding with
invalidly freeing an object when an invalid-free (or double-free) is
detected. Will add this in v2.
>
>
>> This patch changes the way SLUB handles this by:
>> 1. taking into account the return value of kasan_slab_free for each of
>> the objects, that are being freed;
>> 2. reconstructing the freelist of objects to exclude the ones, whose
>> reuse must be delayed.
>>
>> Signed-off-by: Andrey Konovalov <andreyknvl@...gle.com>
>> ---
>
>
>
>
>>
>> @@ -2965,14 +2974,13 @@ static __always_inline void slab_free(struct kmem_cache *s, struct page *page,
>> void *head, void *tail, int cnt,
>> unsigned long addr)
>> {
>> - slab_free_freelist_hook(s, head, tail);
>> /*
>> - * slab_free_freelist_hook() could have put the items into quarantine.
>> - * If so, no need to free them.
>> + * With KASAN enabled slab_free_freelist_hook modifies the freelist
>> + * to remove objects, whose reuse must be delayed.
>> */
>> - if (s->flags & SLAB_KASAN && !(s->flags & SLAB_TYPESAFE_BY_RCU))
>> - return;
>> - do_slab_free(s, page, head, tail, cnt, addr);
>> + slab_free_freelist_hook(s, &head, &tail);
>> + if (head != NULL)
>
> That's an additional branch in non-debug fast-path. Find a way to avoid this.
Hm, there supposed to be a branch here. We either have objects that we
need to free, or we don't, and we need to do different things in those
cases. Previously this was done with a hardcoded "if (s->flags &
SLAB_KASAN && ..." statement, not it's a different "if (head !=
NULL)".
I could put this check under #ifdef CONFIG_KASAN if the performance is
critical here, but I'm not sure if that's the best solution. I could
also add an "unlikely()" there.
>
>
>> + do_slab_free(s, page, head, tail, cnt, addr);
>> }
>>
>> #ifdef CONFIG_KASAN
>>
Powered by blists - more mailing lists