[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8b844d71-01f1-472b-a63a-4c9cdb26e9ef@suse.cz>
Date: Mon, 10 Jun 2024 22:54:26 +0200
From: Vlastimil Babka <vbabka@...e.cz>
To: "Christoph Lameter (Ampere)" <cl@...two.org>,
Chengming Zhou <chengming.zhou@...ux.dev>
Cc: Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
Roman Gushchin <roman.gushchin@...ux.dev>,
Hyeonggon Yoo <42.hyeyoo@...il.com>, Feng Tang <feng.tang@...el.com>,
linux-mm@...ck.org, linux-kernel@...r.kernel.org,
zhouchengming@...edance.com, Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH v3 1/3] slab: make check_object() more consistent
On 6/10/24 7:07 PM, Christoph Lameter (Ampere) wrote:
> On Fri, 7 Jun 2024, Chengming Zhou wrote:
>
>> There are two inconsistencies in check_object(), which are alignment
>> padding checking and object padding checking. We only print the error
>> messages but don't return 0 to tell callers that something is wrong
>> and needs to be handled. Please see alloc_debug_processing() and
>> free_debug_processing() for details.
>
> If the error is in the padding and the redzones are ok then its likely
> that the objects are ok. So we can actually continue with this slab page
> instead of isolating it.
>
> We isolate it in the case that the redzones have been violated because
> that suggests someone overwrote the end of the object f.e. In that case
> objects may be corrupted. Its best to isolate the slab and hope for the
> best.
>
> If it was just the padding then the assumption is that this may be a
> scribble. So clean it up and continue.
Hm is it really worth such nuance? We enabled debugging and actually hit a
bug. I think it's best to keep things as much as they were and not try to
allow further changes. This e.g. allows more detailed analysis if somebody
later notices the bug report and decides to get a kdump crash dump (or use
drgn on live system). Maybe we should even stop doing the restore_bytes()
stuff, and prevent any further frees in the slab page to happen if possible
without affecting fast paths (now we mark everything as used but don't
prevent further frees of objects that were actually allocated before).
Even if some security people enable parts of slub debugging for security
people it is my impression they would rather panic/reboot or have memory
leaked than trying to salvage the slab page? (CC Kees)
Powered by blists - more mailing lists