lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ef73ea4c-c081-4c64-aab3-a60ec71f03bc@nfschina.com>
Date: Fri, 25 Jul 2025 13:46:59 +0800
From: liqiong <liqiong@...china.com>
To: Harry Yoo <harry.yoo@...cle.com>
Cc: Christoph Lameter <cl@...two.org>, David Rientjes <rientjes@...gle.com>,
 Andrew Morton <akpm@...ux-foundation.org>, Vlastimil Babka <vbabka@...e.cz>,
 Roman Gushchin <roman.gushchin@...ux.dev>, linux-mm@...ck.org,
 linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] mm: slub: fix dereference invalid pointer in
 alloc_consistency_checks



在 2025/7/25 12:01, Harry Yoo 写道:
> On Fri, Jul 25, 2025 at 10:48:54AM +0800, Li Qiong wrote:
>> In object_err(), need dereference the 'object' pointer, it may cause
>> a invalid pointer fault. Use slab_err() instead.
> Hi Li Qiong, this patch makes sense to me.
> But I'd suggest to rephrase it a little bit, like:
>
> mm/slab: avoid deref of free pointer in sanity checks if object is invalid
>
> For debugging purposes, object_err() prints free pointer of the object.
> However, if check_valid_pointer() returns false for object,
> `object + s->offset` is also invalid and dereferncing it can lead to a
> crash. Therefore, avoid dereferencing it and only print the object's
> address in such cases.

Thanks, I will send a v2 patch.


>
>> Signed-off-by: Li Qiong <liqiong@...china.com>
> Which commit introduced this problem?
> A Fixes: tag is needed to determine which -stable versions it should be
> backported to.
>
> And to backport MM patches to -stable, you need to explicitly add
> 'Cc: stable@...r.kernel.org' to the patch.
>
>> ---
>>  mm/slub.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/mm/slub.c b/mm/slub.c
>> index 31e11ef256f9..3a2e57e2e2d7 100644
>> --- a/mm/slub.c
>> +++ b/mm/slub.c
>> @@ -1587,7 +1587,7 @@ static inline int alloc_consistency_checks(struct kmem_cache *s,
>>  		return 0;
>>  
>>  	if (!check_valid_pointer(s, slab, object)) {
>> -		object_err(s, slab, object, "Freelist Pointer check fails");
>> +		slab_err(s, slab, "Freelist Pointer (0x%p) check fails", object);
> Can this be
> slab_err(s, slab, "Invalid object pointer 0x%p", object);
> to align with free_consistency_checks()?




>
>>  		return 0;
>>  	}
>>  
> It might be worth adding a comment in object_err() stating that it should
> only be called when check_valid_pointer() returns true for object, and
> a WARN_ON_ONCE(!check_valid_pointer(s, slab, object)) to catch incorrect
> usages?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ