| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMJBoFPbRcdZ+NnX17OQ-sOcCwe+ZAsxcDJoR0KDkgBY9WXvpg@mail.gmail.com>
Date: Tue, 2 Jul 2019 10:45:46 +0300
From: Vitaly Wool <vitalywool@...il.com>
To: Henry Burns <henryburns@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Matthew Wilcox <mawilcox@...rosoft.com>,
Vitaly Vul <vitaly.vul@...y.com>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
Xidong Wang <wangxidong_97@....com>,
Shakeel Butt <shakeelb@...gle.com>,
Jonathan Adams <jwadams@...gle.com>,
Linux-MM <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] mm/z3fold: Fix z3fold_buddy_slots use after free
Hi Henry,
On Mon, Jul 1, 2019 at 8:31 PM Henry Burns <henryburns@...gle.com> wrote:
>
> Running z3fold stress testing with address sanitization
> showed zhdr->slots was being used after it was freed.
>
> z3fold_free(z3fold_pool, handle)
> free_handle(handle)
> kmem_cache_free(pool->c_handle, zhdr->slots)
> release_z3fold_page_locked_list(kref)
> __release_z3fold_page(zhdr, true)
> zhdr_to_pool(zhdr)
> slots_to_pool(zhdr->slots) *BOOM*
Thanks for looking into this. I'm not entirely sure I'm all for
splitting free_handle() but let me think about it.
> Instead we split free_handle into two functions, release_handle()
> and free_slots(). We use release_handle() in place of free_handle(),
> and use free_slots() to call kmem_cache_free() after
> __release_z3fold_page() is done.
A little less intrusive solution would be to move backlink to pool
from slots back to z3fold_header. Looks like it was a bad idea from
the start.
Best regards,
Vitaly
Powered by blists - more mailing lists