| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250801061036.528069-1-liqiong@nfschina.com>
Date: Fri, 1 Aug 2025 14:10:36 +0800
From: Li Qiong <liqiong@...china.com>
To: Christoph Lameter <cl@...two.org>,
David Rientjes <rientjes@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Vlastimil Babka <vbabka@...e.cz>
Cc: Roman Gushchin <roman.gushchin@...ux.dev>,
Harry Yoo <harry.yoo@...cle.com>,
linux-mm@...ck.org,
linux-kernel@...r.kernel.org,
stable@...r.kernel.org,
Li Qiong <liqiong@...china.com>
Subject: [PATCH v4] mm: slub: avoid deref of invalid free pointer in object_err()
For debugging, object_err() prints free pointer of the object.
However, if object is a invalid pointer, dereferncing `object + s->offset`
can lead to a crash. Therefore, add check_valid_pointer() for
the object.
Fixes: 81819f0fc828 ("SLUB core")
Cc: <stable@...r.kernel.org>
Signed-off-by: Li Qiong <liqiong@...china.com>
---
v2:
- rephrase the commit message, add comment for object_err().
v3:
- check object pointer in object_err().
v4:
- restore changes in alloc_consistency_checks().
---
mm/slub.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mm/slub.c b/mm/slub.c
index 31e11ef256f9..17b91e74f7d9 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1104,7 +1104,11 @@ static void object_err(struct kmem_cache *s, struct slab *slab,
return;
slab_bug(s, reason);
- print_trailer(s, slab, object);
+ if (!check_valid_pointer(s, slab, object)) {
+ print_slab_info(slab);
+ pr_err("invalid object 0x%p\n", object);
+ } else
+ print_trailer(s, slab, object);
add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
WARN_ON(1);
--
2.30.2
Powered by blists - more mailing lists