lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Apr 2020 13:42:12 -0400 From: Waiman Long <longman@...hat.com> To: Christopher Lameter <cl@...ux.com> Cc: Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>, Joonsoo Kim <iamjoonsoo.kim@....com>, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, linux-mm@...ck.org, linux-kernel@...r.kernel.org, Changbin Du <changbin.du@...il.com>, Matthew Wilcox <willy@...radead.org> Subject: Re: [PATCH v2] mm/slub: Fix incorrect interpretation of s->offset On 4/27/20 12:10 PM, Christopher Lameter wrote: > On Mon, 27 Apr 2020, Waiman Long wrote: > >> To fix it, use the check "s->offset == s->inuse" in the new helper >> function freeptr_after_object() instead. Also add another helper function >> get_info_end() to return the end of info block (inuse + free pointer >> if not overlapping with object). >> >> Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object") >> Signed-off-by: Waiman Long <longman@...hat.com> >> --- >> mm/slub.c | 37 ++++++++++++++++++++++--------------- >> 1 file changed, 22 insertions(+), 15 deletions(-) >> >> diff --git a/mm/slub.c b/mm/slub.c >> index 0e736d66bb42..68f1b4b1c309 100644 >> --- a/mm/slub.c >> +++ b/mm/slub.c >> @@ -551,15 +551,29 @@ static void print_section(char *level, char *text, u8 *addr, >> metadata_access_disable(); >> } >> >> +static inline bool freeptr_after_object(struct kmem_cache *s) > bool freeptr_outside_of_object()? > I can change to that name. It doesn't really matter to me. >> +{ >> + return s->offset == s->inuse; > s->offset >= s->inuse? > > There may be a redzone after the object. > Technically inuse is object + red zone. According to calculate_sizes(): s->inuse = size; if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || s->ctor)) { /* * Relocate free pointer after the object if it is not * permitted to overwrite the first word of the object on * kmem_cache_free. * * This is the case if we do RCU, have a constructor or * destructor or are poisoning the objects. */ s->offset = size; size += sizeof(void *); So (s->offset == s->inuse) when the free pointer is outside of the object. >> +static inline unsigned int get_info_end(struct kmem_cache *s) > static inline track_offset()? > The main reason why I don't use that is because there is a track data structure in slub. There are functions name get_track() and set_track(). I don't want to confuse with them. Cheers, Longman
Powered by blists - more mailing lists