| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Jun 2021 11:13:13 +0200
From: Vlastimil Babka <vbabka@...e.cz>
To: Kees Cook <keescook@...omium.org>,
Andrew Morton <akpm@...ux-foundation.org>
Cc: stable@...r.kernel.org, Marco Elver <elver@...gle.com>,
Christoph Lameter <cl@...ux.com>,
"Lin, Zhenpeng" <zplin@....edu>, Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Roman Gushchin <guro@...com>, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH v4 2/3] mm/slub: Fix redzoning for small allocations
On 6/8/21 8:39 PM, Kees Cook wrote:
> The redzone area for SLUB exists between s->object_size and s->inuse
> (which is at least the word-aligned object_size). If a cache were created
> with an object_size smaller than sizeof(void *), the in-object stored
> freelist pointer would overwrite the redzone (e.g. with boot param
> "slub_debug=ZF"):
>
> BUG test (Tainted: G B ): Right Redzone overwritten
> -----------------------------------------------------------------------------
>
> INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb
> INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200
> INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620
>
> Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........
> Object (____ptrval____): f6 f4 a5 40 1d e8 ...@..
> Redzone (____ptrval____): 1a aa ..
> Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........
>
> Store the freelist pointer out of line when object_size is smaller than
> sizeof(void *) and redzoning is enabled.
>
> Additionally remove the "smaller than sizeof(void *)" check under
> CONFIG_DEBUG_VM in kmem_cache_sanity_check() as it is now redundant:
> SLAB and SLOB both handle small sizes.
>
> (Note that no caches within this size range are known to exist in the
> kernel currently.)
>
> Fixes: 81819f0fc828 ("SLUB core")
> Cc: stable@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
Acked-by: Vlastimil Babka <vbabka@...e.cz>
> ---
> mm/slab_common.c | 3 +--
> mm/slub.c | 8 +++++---
> 2 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index a4a571428c51..7cab77655f11 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -97,8 +97,7 @@ EXPORT_SYMBOL(kmem_cache_size);
> #ifdef CONFIG_DEBUG_VM
> static int kmem_cache_sanity_check(const char *name, unsigned int size)
> {
> - if (!name || in_interrupt() || size < sizeof(void *) ||
> - size > KMALLOC_MAX_SIZE) {
> + if (!name || in_interrupt() || size > KMALLOC_MAX_SIZE) {
> pr_err("kmem_cache_create(%s) integrity check failed\n", name);
> return -EINVAL;
> }
> diff --git a/mm/slub.c b/mm/slub.c
> index f91d9fe7d0d8..f58cfd456548 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -3734,15 +3734,17 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
> */
> s->inuse = size;
>
> - if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
> - s->ctor)) {
> + if ((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
> + ((flags & SLAB_RED_ZONE) && s->object_size < sizeof(void *)) ||
> + s->ctor) {
> /*
> * Relocate free pointer after the object if it is not
> * permitted to overwrite the first word of the object on
> * kmem_cache_free.
> *
> * This is the case if we do RCU, have a constructor or
> - * destructor or are poisoning the objects.
> + * destructor, are poisoning the objects, or are
> + * redzoning an object smaller than sizeof(void *).
> *
> * The assumption that s->offset >= s->inuse means free
> * pointer is outside of the object is used in the
>
Powered by blists - more mailing lists