Message-ID: <20070227182001.GA4278@2ka.mipt.ru>
Date:	Tue, 27 Feb 2007 21:20:01 +0300
From:	Evgeniy Polyakov <johnpol@....mipt.ru>
To:	David Miller <davem@...emloft.net>
Cc:	paul.moore@...com, kaber@...sh.net, netdev@...r.kernel.org,
	acme@...stprotocols.net
Subject: Re: [NET]: Fix kfree(skb)

On Tue, Feb 27, 2007 at 09:14:25PM +0300, Evgeniy Polyakov (johnpol@....mipt.ru) wrote:
> On Tue, Feb 27, 2007 at 10:00:52AM -0800, David Miller (davem@...emloft.net) wrote:
> > It's unfortunately an easy mistake to make since kfree() accepts any
> > pointer type without warning.
> > 
> > What would be really nice is if someone could come up with a way for
> > kfree() to disallow being passed objects that are meant to be released
> > via some other mechanism.  So that, for example:
> > 
> > 	kfree(skb);
> > 
> > would warn or fail to compile, but the kfree_skb() code could go:
> > 
> > 	kmem_cache_free_I_KNOW_WHAT_I_AM_DOING(skbuff_head_cache, skb);
> > 
> > :-)
> 
> Something like that? (not tested, will do if starting point looks
> correct - it checks if requested to be freed size is equal to one of the 
> kmalloc() size, and warns if kmalloc cache is not that one where 
> we are going to free an object):
> 
> diff --git a/mm/slab.c b/mm/slab.c
> index c610062..bcb29df 100644
> --- a/mm/slab.c
> +++ b/mm/slab.c
> @@ -3757,6 +3757,15 @@ void kfree(const void *objp)
>  	local_irq_save(flags);
>  	kfree_debugcheck(objp);
>  	c = virt_to_cache(objp);
> +
> +	{
> +		int size = kmem_cache_size(c);
> +		struct cache_sizes *csizep = malloc_sizes;
> +		while (size != csizep->cs_size)

that needs a check for csizep != NULL too obviously.
Proof of concept, what do you expect? :)

> +			csizep++;
> +		WARN_ON(csizep != c);
> +	}
> +
>  	debug_check_no_locks_freed(objp, obj_size(c));
>  	__cache_free(c, (void *)objp);
>  	local_irq_restore(flags);
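Review bot: The walk at `while (size != csizep->cs_size)` has no termination condition, and it fails in exactly the case the check is meant to catch: for an object from a dedicated cache whose size matches no kmalloc size class, `csizep++` runs past the end of malloc_sizes. Bound the loop on the end of the table and treat "no matching entry" as a reason to warn in its own right. Separately, `WARN_ON(csizep != c)` compares a struct cache_sizes pointer with the cache returned by virt_to_cache(), two different kinds of object, so it would trigger on every kfree(); compare the cache recorded in the matched entry (its cs_cachep member) against c instead.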
> 
> -- 
> 	Evgeniy Polyakov

-- 
	Evgeniy Polyakov
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
