Message-ID: <CAG_fn=XtONeeJzBFFyxqWa1=Zo8bCGcUPO11Kaa4093vJOPgrA@mail.gmail.com>
Date: Mon, 12 Jan 2026 15:38:09 +0100
From: Alexander Potapenko <glider@...gle.com>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: Ryan Roberts <ryan.roberts@....com>, Marco Elver <elver@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>, kasan-dev@...glegroups.com, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH v1] mm: kmsan: Fix poisoning of high-order non-compound pages
On Sun, Jan 4, 2026 at 7:02 PM Andrew Morton <akpm@...ux-foundation.org> wrote:
>
> On Sun, 4 Jan 2026 13:43:47 +0000 Ryan Roberts <ryan.roberts@....com> wrote:
>
> > kmsan_free_page() is called by the page allocator's free_pages_prepare()
> > during page freeing. Its job is to poison all the memory covered by the
> > page. It can be called with an order-0 page, a compound high-order page
> > or a non-compound high-order page. But page_size() only works for
> > order-0 and compound pages. For a non-compound high-order page it will
> > incorrectly return PAGE_SIZE.
> >
> > The implication is that the tail pages of a high-order non-compound page
> > do not get poisoned at free, so any invalid access while they are free
> > could go unnoticed. It looks like the pages will be poisoned again at
> > allocation time, so that would bookend the window.
> >
> > Fix this by using the order parameter to calculate the size.
> >
> > Fixes: b073d7f8aee4 ("mm: kmsan: maintain KMSAN metadata for page operations")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Ryan Roberts <ryan.roberts@....com>

Reviewed-by: Alexander Potapenko <glider@...gle.com>
Tested-by: Alexander Potapenko <glider@...gle.com>

Thanks!
I'll send out a follow-up patch with a test for this behavior.
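
Added example, not part of the original message or the kernel patch: a user-space C model of the size calculation described in the quoted commit message, counting how many pages of a freed block are left unpoisoned. struct model_page, model_page_size() and the shadow array are hypothetical stand-ins for the kernel's struct page, page_size() and KMSAN metadata.

```c
/* User-space model only; every name below is a hypothetical stand-in. */
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096UL
#define MODEL_MAX_PAGES 16              /* supports orders 0..4 */

struct model_page {
    int compound_head;                  /* set on the head of a compound page */
    unsigned int compound_order;        /* meaningful only for a compound head */
};

/* One flag per page: 1 = poisoned at free, 0 = left untouched. */
static unsigned char shadow[MODEL_MAX_PAGES];

/* Models page_size(): the order comes from compound metadata, so a
 * non-compound high-order block looks like a single page. */
static unsigned long model_page_size(const struct model_page *p)
{
    return MODEL_PAGE_SIZE << (p->compound_head ? p->compound_order : 0);
}

/* Poison `bytes` of the block that starts at page 0. */
static void model_poison(unsigned long bytes)
{
    memset(shadow, 1, bytes / MODEL_PAGE_SIZE);
}

/* Frees an order-`order` block and returns how many of its pages were NOT
 * poisoned. fixed == 0 sizes from page metadata, fixed != 0 from `order`. */
unsigned long unpoisoned_after_free(int compound, unsigned int order, int fixed)
{
    struct model_page head = { compound, compound ? order : 0 };
    unsigned long i, missed = 0;

    memset(shadow, 0, sizeof(shadow));
    model_poison(fixed ? MODEL_PAGE_SIZE << order : model_page_size(&head));
    for (i = 0; i < (1UL << order); i++)
        missed += !shadow[i];
    return missed;
}

int main(void)
{
    printf("order-2 non-compound: %lu missed before, %lu after\n",
           unpoisoned_after_free(0, 2, 0), unpoisoned_after_free(0, 2, 1));
    return 0;
}
```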