| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b8ed1a62-79bd-4c86-a951-80b128223f19@nfschina.com>
Date: Wed, 30 Jul 2025 09:46:09 +0800
From: liqiong <liqiong@...china.com>
To: Harry Yoo <harry.yoo@...cle.com>
Cc: David Rientjes <rientjes@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>, Vlastimil Babka <vbabka@...e.cz>,
Roman Gushchin <roman.gushchin@...ux.dev>, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH v3] mm: slub: avoid deref of free pointer in sanity checks
if object is invalid
在 2025/7/29 21:41, Harry Yoo 写道:
> On Tue, Jul 29, 2025 at 04:14:55PM +0800, Li Qiong wrote:
>> For debugging, object_err() prints free pointer of the object.
>> However, if check_valid_pointer() returns false for a object,
>> dereferncing `object + s->offset` can lead to a crash. Therefore,
>> print the object's address in such cases.
> As the code changed a bit, I think the commit message could better reflect
> what this patch actually does.
Yes.
>
>> Fixes: bb192ed9aa71 ("mm/slub: Convert most struct page to struct slab by spatch")
> As Vlastimil mentioned in previous version, this is not the first commit
> that introduced this problem.
>
>> Cc: <stable@...r.kernel.org>
>> Signed-off-by: Li Qiong <liqiong@...china.com>
>> ---
>> v2:
>> - rephrase the commit message, add comment for object_err().
>> v3:
>> - check object pointer in object_err().
>> ---
>> mm/slub.c | 8 ++++++--
>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/slub.c b/mm/slub.c
>> index 31e11ef256f9..d3abae5a2193 100644
>> --- a/mm/slub.c
>> +++ b/mm/slub.c
>> @@ -1104,7 +1104,11 @@ static void object_err(struct kmem_cache *s, struct slab *slab,
>> return;
>>
>> slab_bug(s, reason);
>> - print_trailer(s, slab, object);
>> + if (!check_valid_pointer(s, slab, object)) {
>> + print_slab_info(slab);
>> + pr_err("invalid object 0x%p\n", object);
> Can we just handle this inside print_trailer() because that's the function
> that prints the object's free pointer, metadata, etc.?
Maybe it's clearer , if object pointer being invalid, don't enter print_trailer(),
print_trailer() prints valid object.
>
> Also, the message should start with a capital letter.
>
> and "invalid object" sounds misleading because it's the pointer
> that is invalid. Perhaps simply "Invalid pointer 0x%p\n"?
> (What would be the most comprehensive message here? :P)
Make sense, will change it.
>
>> + } else
>> + print_trailer(s, slab, object);
>> add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
>>
>> WARN_ON(1);
>> @@ -1587,7 +1591,7 @@ static inline int alloc_consistency_checks(struct kmem_cache *s,
>> return 0;
>>
>> if (!check_valid_pointer(s, slab, object)) {
>> - object_err(s, slab, object, "Freelist Pointer check fails");
>> + slab_err(s, slab, "Freelist Pointer(0x%p) check fails", object);
>> return 0;
> Do we really need this hunk after making object_err() resiliant
> against wild pointers?
That's the origin issue, it may be inappropriate to use object_err(), if check_valid_pointer being false.
>
>> }
Powered by blists - more mailing lists