| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Mar 2018 18:47:22 +0100
From: Andrey Konovalov <andreyknvl@...gle.com>
To: Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc: Christoph Lameter <cl@...ux.com>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Linux Memory Management List <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
kasan-dev <kasan-dev@...glegroups.com>,
Kostya Serebryany <kcc@...gle.com>
Subject: Re: [PATCH] kasan, slub: fix handling of kasan_slab_free hook
On Tue, Mar 6, 2018 at 6:42 PM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
> On Fri, Mar 2, 2018 at 1:10 PM, Andrey Ryabinin <aryabinin@...tuozzo.com> wrote:
>> On 02/23/2018 06:53 PM, Andrey Konovalov wrote:
>>> The kasan_slab_free hook's return value denotes whether the reuse of a
>>> slab object must be delayed (e.g. when the object is put into memory
>>> qurantine).
>>>
>>> The current way SLUB handles this hook is by ignoring its return value
>>> and hardcoding checks similar (but not exactly the same) to the ones
>>> performed in kasan_slab_free, which is prone to making mistakes.
>>>
>>
>> What are those differences exactly? And what problems do they cause?
>> Answers to these questions should be in the changelog.
>
>
> The difference is that with the old code we end up proceeding with
> invalidly freeing an object when an invalid-free (or double-free) is
> detected. Will add this in v2.
>
>>
>>
>>> This patch changes the way SLUB handles this by:
>>> 1. taking into account the return value of kasan_slab_free for each of
>>> the objects, that are being freed;
>>> 2. reconstructing the freelist of objects to exclude the ones, whose
>>> reuse must be delayed.
>>>
>>> Signed-off-by: Andrey Konovalov <andreyknvl@...gle.com>
>>> ---
>>
>>
>>
>>
>>>
>>> @@ -2965,14 +2974,13 @@ static __always_inline void slab_free(struct kmem_cache *s, struct page *page,
>>> void *head, void *tail, int cnt,
>>> unsigned long addr)
>>> {
>>> - slab_free_freelist_hook(s, head, tail);
>>> /*
>>> - * slab_free_freelist_hook() could have put the items into quarantine.
>>> - * If so, no need to free them.
>>> + * With KASAN enabled slab_free_freelist_hook modifies the freelist
>>> + * to remove objects, whose reuse must be delayed.
>>> */
>>> - if (s->flags & SLAB_KASAN && !(s->flags & SLAB_TYPESAFE_BY_RCU))
>>> - return;
>>> - do_slab_free(s, page, head, tail, cnt, addr);
>>> + slab_free_freelist_hook(s, &head, &tail);
>>> + if (head != NULL)
>>
>> That's an additional branch in non-debug fast-path. Find a way to avoid this.
>
> Hm, there supposed to be a branch here. We either have objects that we
> need to free, or we don't, and we need to do different things in those
> cases. Previously this was done with a hardcoded "if (s->flags &
> SLAB_KASAN && ..." statement, not it's a different "if (head !=
> NULL)".
>
> I could put this check under #ifdef CONFIG_KASAN if the performance is
> critical here, but I'm not sure if that's the best solution. I could
> also add an "unlikely()" there.
OK, I have a solution better for this, stay tuned for v2.
>
>>
>>
>>> + do_slab_free(s, page, head, tail, cnt, addr);
>>> }
>>>
>>> #ifdef CONFIG_KASAN
>>>
Powered by blists - more mailing lists