| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1589334472.19238.44.camel@mtksdccf07>
Date: Wed, 13 May 2020 09:47:52 +0800
From: Walter Wu <walter-zh.wu@...iatek.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
CC: Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
Matthias Brugger <matthias.bgg@...il.com>,
"Paul E . McKenney" <paulmck@...nel.org>,
Josh Triplett <josh@...htriplett.org>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Lai Jiangshan <jiangshanlai@...il.com>,
Joel Fernandes <joel@...lfernandes.org>,
"Andrew Morton" <akpm@...ux-foundation.org>,
kasan-dev <kasan-dev@...glegroups.com>,
Linux-MM <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
"Linux ARM" <linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH v2 1/3] rcu/kasan: record and print call_rcu() call stack
On Tue, 2020-05-12 at 16:03 +0200, Dmitry Vyukov wrote:
> On Tue, May 12, 2020 at 5:38 AM Walter Wu <walter-zh.wu@...iatek.com> wrote:
> > > Are you sure it will increase object size?
> > > I think we overlap kasan_free_meta with the object as well. The only
> > > case we don't overlap kasan_free_meta with the object are
> > > SLAB_TYPESAFE_BY_RCU || cache->ctor. But these are rare and it should
> > > only affect small objects with small redzones.
> > > And I think now we simply have a bug for these objects, we check
> > > KASAN_KMALLOC_FREE and then assume object contains free stack, but for
> > > objects with ctor, they still contain live object data, we don't store
> > > free stack in them.
> > > Such objects can be both free and still contain user data.
> > >
> >
> > Overlay kasan_free_meta. I see. but overlay it only when the object was
> > freed. kasan_free_meta will be used until free object.
> > 1). When put object into quarantine, it need kasan_free_meta.
> > 2). When the object exit from quarantine, it need kasan_free_meta
> >
> > If we choose to overlay kasan_free_meta, then the free stack will be
> > stored very late. It may has no free stack in report.
>
> Sorry, I don't understand what you mean.
>
> Why will it be stored too late?
> In __kasan_slab_free() putting into quarantine and recording free
> stack are literally adjacent lines of code:
>
> static bool __kasan_slab_free(struct kmem_cache *cache, void *object,
> unsigned long ip, bool quarantine)
> {
> ...
> kasan_set_free_info(cache, object, tag);
> quarantine_put(get_free_info(cache, object), cache);
>
>
> Just to make sure, what I meant is that we add free_track to kasan_free_meta:
>
> struct kasan_free_meta {
> struct qlist_node quarantine_link;
> + struct kasan_track free_track;
> };
>
When I see above struct kasan_free_meta, I know why you don't understand
my meaning, because I thought you were going to overlay the
quarantine_link by free_track, but it seems like to add free_track to
kasan_free_meta. Does it enlarge meta-data size?
> And I think its life-time and everything should be exactly what we need.
>
> Also it should help to fix the problem with ctors: kasan_free_meta is
> already allocated on the side for such objects, and that's exactly
> what we need for objects with ctor's.
I see.
Powered by blists - more mailing lists