Date:	Tue, 27 Feb 2007 10:24:52 -0800 (PST)
From:	David Miller <davem@...emloft.net>
To:	johnpol@....mipt.ru
Cc:	paul.moore@...com, kaber@...sh.net, netdev@...r.kernel.org,
	acme@...stprotocols.net
Subject: Re: [NET]: Fix kfree(skb)

From: Evgeniy Polyakov <johnpol@....mipt.ru>
Date: Tue, 27 Feb 2007 21:20:01 +0300

> On Tue, Feb 27, 2007 at 09:14:25PM +0300, Evgeniy Polyakov (johnpol@....mipt.ru) wrote:
> > On Tue, Feb 27, 2007 at 10:00:52AM -0800, David Miller (davem@...emloft.net) wrote:
> > > It's unfortunately an easy mistake to make since kfree() accepts any
> > > pointer type without warning.
> > > 
> > > What would be really nice is if someone could come up with a way for
> > > kfree() to disallow being passed objects that are meant to be released
> > > via some other mechanism.  So that, for example:
> > > 
> > > 	kfree(skb);
> > > 
> > > would warn or fail to compile, but the kfree_skb() code could go:
> > > 
> > > 	kmem_cache_free_I_KNOW_WHAT_I_AM_DOING(skbuff_head_cache, skb);
> > > 
> > > :-)
> > 
> > Something like that? (not tested, will do if starting point looks
> > correct - it checks if requested to be freed size is equal to one of the 
> > kmalloc() size, and warns if kmalloc cache is not that one where 
> > we are going to free an object):
> > 
> > diff --git a/mm/slab.c b/mm/slab.c
> > index c610062..bcb29df 100644
> > --- a/mm/slab.c
> > +++ b/mm/slab.c
> > @@ -3757,6 +3757,15 @@ void kfree(const void *objp)
> >  	local_irq_save(flags);
> >  	kfree_debugcheck(objp);
> >  	c = virt_to_cache(objp);
> > +
> > +	{
> > +		int size = kmem_cache_size(c);
> > +		struct cache_sizes *csizep = malloc_sizes;
> > +		while (size != csizep->cs_size)
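Review bot: the walk at `while (size != csizep->cs_size)` has no stop condition in the visible lines, so for an object whose cache size matches no malloc_sizes entry (the very case this check is meant to catch) it runs past the end of the table; bound the loop by the table's end before dereferencing csizep. The walk also sits after local_irq_save(flags), so every kfree() would pay for it with interrupts disabled; it belongs behind the slab debug option rather than in the common path.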
> 
> that needs a check for csizep != NULL too obviously.
> Proof of concept, what do you expect? :)

It's a great run-time check, for sure, and definitely something
that we should add when SLAB_DEBUG is enabled.

A compile-time check would be "really neat" :-)
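
The run-time check discussed in this thread, as an added userspace model in C that is not part of the original messages or of mm/slab.c: each object records its owning cache (standing in for virt_to_cache()), and the model's kfree() warns when that cache is not one of the kmalloc size caches. All names, sizes and the header layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; all names are hypothetical, none of this is mm/slab.c. */
struct cache { const char *name; size_t size; };
struct hdr { struct cache *owner; };  /* stands in for virt_to_cache() */
/* kmalloc size classes (constructed values); a zero size ends the table. */
static struct cache kmalloc_caches[] = { { "size-32", 32 }, { "size-64", 64 },
    { "size-128", 128 }, { "size-256", 256 }, { NULL, 0 } };
static struct cache skb_cache = { "skbuff_head_cache", 256 };

static void *cache_alloc(struct cache *c)
{
    struct hdr *h = malloc(sizeof(*h) + c->size);
    if (h) h->owner = c;
    return h ? (void *)(h + 1) : NULL;
}
static void *model_kmalloc(size_t n)
{
    for (struct cache *c = kmalloc_caches; c->size; c++)
        if (n <= c->size) return cache_alloc(c);
    return NULL;
}

/* 1 if objp belongs to a kmalloc cache, else 0. The walk stops at the terminator
 * and compares cache identity: skb_cache objects are kmalloc-sized (256). */
static int is_kmalloc_object(const void *objp)
{
    const struct hdr *h = (const struct hdr *)objp - 1;
    for (const struct cache *c = kmalloc_caches; c->size; c++)
        if (h->owner == c) return 1;
    return 0;
}

/* Frees objp; returns 0 normally, -1 after warning about a foreign cache. */
static int model_kfree(void *objp)
{
    struct hdr *h = objp ? (struct hdr *)objp - 1 : NULL;
    int ok = h ? is_kmalloc_object(objp) : 1;
    if (!ok) fprintf(stderr, "WARNING: kfree() on object from %s\n", h->owner->name);
    free(h);
    return ok ? 0 : -1;
}
int main(void)
{
    printf("kfree(kmalloc buffer) -> %d\n", model_kfree(model_kmalloc(200)));
    printf("kfree(skb)            -> %d\n", model_kfree(cache_alloc(&skb_cache)));
    return 0;
}
```

Because the model's skb cache has the same object size as one kmalloc class, a lookup by size alone would accept it; the comparison here is on the cache pointer.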