lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Fri, 1 May 2020 15:01:04 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Waiman Long <longman@...hat.com>
Cc:     Christoph Lameter <cl@...ux.com>,
        Pekka Enberg <penberg@...nel.org>,
        David Rientjes <rientjes@...gle.com>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, Changbin Du <changbin.du@...il.com>,
        Matthew Wilcox <willy@...radead.org>,
        Markus Elfring <Markus.Elfring@....de>
Subject: Re: [PATCH v3] mm/slub: Fix incorrect interpretation of s->offset

On Wed, Apr 29, 2020 at 09:53:28AM -0400, Waiman Long wrote:
> In a couple of places in the slub memory allocator, the code uses
> "s->offset" as a check to see if the free pointer is put right after the
> object. That check is no longer true with commit 3202fa62fb43 ("slub:
> relocate freelist pointer to middle of object").
> 
> As a result, echoing "1" into the validate sysfs file, e.g. of dentry,
> may cause a bunch of "Freepointer corrupt" error reports like the
> following to appear with the system in panic afterwards.
> 
> [   38.579769] =============================================================================
> [   38.580845] BUG dentry(666:pmcd.service) (Tainted: G    B): Freepointer corrupt
> [   38.581948] -----------------------------------------------------------------------------
> 
> To fix it, use the check "s->offset == s->inuse" in the new helper
> function freeptr_outside_object() instead. Also add another helper function
> get_info_end() to return the end of info block (inuse + free pointer
> if not overlapping with object).
> 
> Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
> Signed-off-by: Waiman Long <longman@...hat.com>

Thanks! Nice catch. :)

Reviewed-by: Kees Cook <keescook@...omium.org>

-Kees

> ---
>  mm/slub.c | 45 ++++++++++++++++++++++++++++++---------------
>  1 file changed, 30 insertions(+), 15 deletions(-)
> 
>  [v3: Change function name to freeptr_outside_object(), update check & add comment]
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index 9bf44955c4f1..b762450fc9f0 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -551,15 +551,32 @@ static void print_section(char *level, char *text, u8 *addr,
>  	metadata_access_disable();
>  }
>  
> +/*
> + * See comment in calculate_sizes().
> + */
> +static inline bool freeptr_outside_object(struct kmem_cache *s)
> +{
> +	return s->offset >= s->inuse;
> +}
> +
> +/*
> + * Return offset of the end of info block which is inuse + free pointer if
> + * not overlapping with object.
> + */
> +static inline unsigned int get_info_end(struct kmem_cache *s)
> +{
> +	if (freeptr_outside_object(s))
> +		return s->inuse + sizeof(void *);
> +	else
> +		return s->inuse;
> +}
> +
>  static struct track *get_track(struct kmem_cache *s, void *object,
>  	enum track_item alloc)
>  {
>  	struct track *p;
>  
> -	if (s->offset)
> -		p = object + s->offset + sizeof(void *);
> -	else
> -		p = object + s->inuse;
> +	p = object + get_info_end(s);
>  
>  	return p + alloc;
>  }
> @@ -686,10 +703,7 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
>  		print_section(KERN_ERR, "Redzone ", p + s->object_size,
>  			s->inuse - s->object_size);
>  
> -	if (s->offset)
> -		off = s->offset + sizeof(void *);
> -	else
> -		off = s->inuse;
> +	off = get_info_end(s);
>  
>  	if (s->flags & SLAB_STORE_USER)
>  		off += 2 * sizeof(struct track);
> @@ -782,7 +796,7 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
>   * object address
>   * 	Bytes of the object to be managed.
>   * 	If the freepointer may overlay the object then the free
> - * 	pointer is the first word of the object.
> + *	pointer is at the middle of the object.
>   *
>   * 	Poisoning uses 0x6b (POISON_FREE) and the last byte is
>   * 	0xa5 (POISON_END)
> @@ -816,11 +830,7 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
>  
>  static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
>  {
> -	unsigned long off = s->inuse;	/* The end of info */
> -
> -	if (s->offset)
> -		/* Freepointer is placed after the object. */
> -		off += sizeof(void *);
> +	unsigned long off = get_info_end(s);	/* The end of info */
>  
>  	if (s->flags & SLAB_STORE_USER)
>  		/* We also have user information there */
> @@ -907,7 +917,7 @@ static int check_object(struct kmem_cache *s, struct page *page,
>  		check_pad_bytes(s, page, p);
>  	}
>  
> -	if (!s->offset && val == SLUB_RED_ACTIVE)
> +	if (!freeptr_outside_object(s) && val == SLUB_RED_ACTIVE)
>  		/*
>  		 * Object and freepointer overlap. Cannot check
>  		 * freepointer while object is allocated.
> @@ -3587,6 +3597,11 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
>  		 *
>  		 * This is the case if we do RCU, have a constructor or
>  		 * destructor or are poisoning the objects.
> +		 *
> +		 * The assumption that s->offset >= s->inuse means free
> +		 * pointer is outside of the object is used in the
> +		 * freeptr_outside_object() function. If that is no
> +		 * longer true, the function needs to be modified.
>  		 */
>  		s->offset = size;
>  		size += sizeof(void *);
> -- 
> 2.18.1
> 

-- 
Kees Cook

Powered by blists - more mailing lists