lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aJAAVIoytyZroB6p@hyeyoo>
Date: Mon, 4 Aug 2025 09:35:40 +0900
From: Harry Yoo <harry.yoo@...cle.com>
To: Li Qiong <liqiong@...china.com>
Cc: Christoph Lameter <cl@...two.org>, David Rientjes <rientjes@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Vlastimil Babka <vbabka@...e.cz>,
        Roman Gushchin <roman.gushchin@...ux.dev>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH v4] mm: slub: avoid deref of invalid free pointer in
 object_err()

On Fri, Aug 01, 2025 at 02:10:36PM +0800, Li Qiong wrote:
> For debugging, object_err() prints free pointer of the object.
> However, if object is a invalid pointer, dereferncing `object + s->offset`
> can lead to a crash. Therefore, add check_valid_pointer() for
> the object.

Because this is not only about freelist pointer but also include other
metadata, this can be improved a little bit (+ with a slightly more
detailed description):

mm/slub: avoid accessing metadata when pointer is invalid in object_err()

object_err() reports details of an object for further debugging, such as
the freelist pointer, redzone, etc. However, if the pointer is invalid,
attempting to access object metadata can lead to a crash since it does
not point to a valid object.

In case check_valid_pointer() returns false for the pointer, only print
the pointer value and skip accessing metadata.

> Fixes: 81819f0fc828 ("SLUB core")

The tag looks correct.

> Cc: <stable@...r.kernel.org>
> Signed-off-by: Li Qiong <liqiong@...china.com>
> ---
> v2:
> - rephrase the commit message, add comment for object_err().
> v3:
> - check object pointer in object_err().
> v4:
> - restore changes in alloc_consistency_checks().
> ---
>  mm/slub.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index 31e11ef256f9..17b91e74f7d9 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1104,7 +1104,11 @@ static void object_err(struct kmem_cache *s, struct slab *slab,
>  		return;
>  
>  	slab_bug(s, reason);
> -	print_trailer(s, slab, object);
> +	if (!check_valid_pointer(s, slab, object)) {
> +		print_slab_info(slab);
> +		pr_err("invalid object 0x%p\n", object);

I thought you were going to update the message above based on previous
conversation, "Invalid pointer 0x%p\n"?

> +	} else
> +		print_trailer(s, slab, object);

Per the coding style guideline [1], an else clause should also use
braces { } when the corresponding if clause does.

[1] https://www.kernel.org/doc/html/latest/process/coding-style.html#placing-braces-and-spaces

>  	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
>  
>  	WARN_ON(1);

-- 
Cheers,
Harry / Hyeonggon

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ