[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200324153643.15527-17-will@kernel.org>
Date: Tue, 24 Mar 2020 15:36:38 +0000
From: Will Deacon <will@...nel.org>
To: linux-kernel@...r.kernel.org
Cc: Will Deacon <will@...nel.org>, Eric Dumazet <edumazet@...gle.com>,
Jann Horn <jannh@...gle.com>,
Kees Cook <keescook@...omium.org>,
Maddie Stone <maddiestone@...gle.com>,
Marco Elver <elver@...gle.com>,
"Paul E . McKenney" <paulmck@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>, kernel-team@...roid.com,
kernel-hardening@...ts.openwall.com
Subject: [RFC PATCH 16/21] list_bl: Extend integrity checking in deletion routines
Although deleting an entry from an 'hlist_bl' optionally checks that the
node being removed is unlocked before subsequently removing it and
poisoning its pointers, we don't actually check for the poison values
like we do for other list implementations.
Add poison checks to __hlist_bl_del_valid() so that we can catch list
corruption without relying on a later fault.
Cc: Kees Cook <keescook@...omium.org>
Cc: Paul E. McKenney <paulmck@...nel.org>
Cc: Peter Zijlstra <peterz@...radead.org>
Signed-off-by: Will Deacon <will@...nel.org>
---
include/linux/list_bl.h | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/include/linux/list_bl.h b/include/linux/list_bl.h
index f48d8acb15b4..0839c4f43e6d 100644
--- a/include/linux/list_bl.h
+++ b/include/linux/list_bl.h
@@ -48,7 +48,15 @@ static inline bool __hlist_bl_add_head_valid(struct hlist_bl_head *h,
static inline bool __hlist_bl_del_valid(struct hlist_bl_node *n)
{
unsigned long nlock = (unsigned long)n & LIST_BL_LOCKMASK;
- return !CHECK_DATA_CORRUPTION(nlock, "hlist_bl_del_valid: node locked");
+
+ return !(CHECK_DATA_CORRUPTION(nlock,
+ "hlist_bl_del_valid: node locked") ||
+ CHECK_DATA_CORRUPTION(n->next == LIST_POISON1,
+ "hlist_bl_del corruption, %px->next is LIST_POISON1 (%px)\n",
+ n, LIST_POISON1) ||
+ CHECK_DATA_CORRUPTION(n->pprev == LIST_POISON2,
+ "hlist_bl_del corruption, %px->pprev is LIST_POISON2 (%px)\n",
+ n, LIST_POISON2));
}
#else
static inline bool __hlist_bl_add_head_valid(struct hlist_bl_head *h,
--
2.20.1
Powered by blists - more mailing lists