lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20250801061036.528069-1-liqiong@nfschina.com>
Date: Fri,  1 Aug 2025 14:10:36 +0800
From: Li Qiong <liqiong@...china.com>
To: Christoph Lameter <cl@...two.org>,
	David Rientjes <rientjes@...gle.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Vlastimil Babka <vbabka@...e.cz>
Cc: Roman Gushchin <roman.gushchin@...ux.dev>,
	Harry Yoo <harry.yoo@...cle.com>,
	linux-mm@...ck.org,
	linux-kernel@...r.kernel.org,
	stable@...r.kernel.org,
	Li Qiong <liqiong@...china.com>
Subject: [PATCH v4] mm: slub: avoid deref of invalid free pointer in object_err()

For debugging, object_err() prints free pointer of the object.
However, if object is a invalid pointer, dereferncing `object + s->offset`
can lead to a crash. Therefore, add check_valid_pointer() for
the object.

Fixes: 81819f0fc828 ("SLUB core")
Cc: <stable@...r.kernel.org>
Signed-off-by: Li Qiong <liqiong@...china.com>
---
v2:
- rephrase the commit message, add comment for object_err().
v3:
- check object pointer in object_err().
v4:
- restore changes in alloc_consistency_checks().
---
 mm/slub.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c
index 31e11ef256f9..17b91e74f7d9 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1104,7 +1104,11 @@ static void object_err(struct kmem_cache *s, struct slab *slab,
 		return;
 
 	slab_bug(s, reason);
-	print_trailer(s, slab, object);
+	if (!check_valid_pointer(s, slab, object)) {
+		print_slab_info(slab);
+		pr_err("invalid object 0x%p\n", object);
+	} else
+		print_trailer(s, slab, object);
 	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
 
 	WARN_ON(1);
-- 
2.30.2


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ