Message-ID: <20070228090258.GA28336@2ka.mipt.ru>
Date:	Wed, 28 Feb 2007 12:02:58 +0300
From:	Evgeniy Polyakov <johnpol@....mipt.ru>
To:	David Miller <davem@...emloft.net>
Cc:	paul.moore@...com, kaber@...sh.net, netdev@...r.kernel.org,
	acme@...stprotocols.net
Subject: Run-time kfree check for correct cache [was Re: [NET]: Fix kfree(skb)]

Attached patch detects in run-time things like:
skb = alloc_skb();
kfree(skb);

where the pointer passed to kfree() does not belong to one of the kmalloc caches.
The check is enabled when the slab debug config option is turned on.

When problem is detected, following warning is printed with hint to
what cache/function should be used instead:

[  168.085641] bhtest_init: skb: ffff81003e791478.
[  168.085698] kfree debug: i: 4, size: 15, caches: malloc:
ffff81000119d8c0, dma: ffff81000119e100, free: ffff81003f19c940.
[  168.085776] kfree debug: likely you want to use something with
'skbuff_head_cache' in name instead of kfree().
[  168.085853] BUG: at mm/slab.c:2847 kfree_debug_cahce_pointer()
[  168.085907]
[  168.085907] Call Trace:
[  168.086008]  [<ffffffff8020b28b>] kfree+0xfd/0x274
[  168.086064]  [<ffffffff88025039>] :bhtest:bhtest_init+0x38/0x3f
[  168.086122]  [<ffffffff8029385a>] sys_init_module+0x163d/0x179d
[  168.086183]  [<ffffffff80222183>] filp_close+0x5d/0x65
[  168.086240]  [<ffffffff80254c9e>] system_call+0x7e/0x83
[  168.086295]

Signed-off-by: Evgeniy Polyakov <johnpol@....mipt.ru>

diff --git a/mm/slab.c b/mm/slab.c
index c610062..acd3871 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -2829,6 +2829,27 @@ static void kfree_debugcheck(const void *objp)
 	}
 }
 
+static void kfree_debug_cahce_pointer(struct kmem_cache *cachep, void *objp)
+{
+	int size = obj_size(cachep), i;
+	struct cache_sizes *cs;
+
+	for (i=0; i<ARRAY_SIZE(malloc_sizes); ++i) {
+		cs = &malloc_sizes[i];
+		if (size <= cs->cs_size)
+			break;
+	}
+	if ((i == ARRAY_SIZE(malloc_sizes)) || 
+			(cs->cs_cachep != cachep && cs->cs_dmacachep != cachep)) {
+		printk("kfree debug: i: %d, size: %u, caches: malloc: %p, dma: %p, free: %p.\n",
+				i, ARRAY_SIZE(malloc_sizes), cs->cs_cachep, cs->cs_dmacachep,
+				cachep);
+		printk("kfree debug: likely you want to use something with '%s' in name instead of kfree().\n",
+				cachep->name);
+		WARN_ON(1);
+	}
+}
+
 static inline void verify_redzone_free(struct kmem_cache *cache, void *obj)
 {
 	unsigned long redzone1, redzone2;
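Review bot: The first printk in kfree_debug_cahce_pointer() labels a value `size:` but passes `ARRAY_SIZE(malloc_sizes)` instead of the local `size`, so the log reports the length of the size table (presumably the `size: 15` in the sample output) rather than the size of the object being freed. That argument is also a size_t printed with `%u`, which mismatches on 64-bit; passing the local gives `"... size: %d, ..."` with `i, size, cs->cs_cachep, cs->cs_dmacachep,`. Neither printk carries a log level such as `KERN_ERR`, and the three `%p` values write raw slab cache addresses to the kernel log, which deserves a one-line comment since the code is built only under slab debug. The helper name spells "cache" as "cahce"; the no-op macro and the kfree() call site in the later hunks repeat that spelling, so it should be corrected in all three places together.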
@@ -2940,6 +2961,7 @@ bad:
 }
 #else
 #define kfree_debugcheck(x) do { } while(0)
+#define kfree_debug_cahce_pointer(x, y) do { } while(0)
 #define cache_free_debugcheck(x,objp,z) (objp)
 #define check_slabp(x,y) do { } while(0)
 #endif
@@ -3757,6 +3779,7 @@ void kfree(const void *objp)
 	local_irq_save(flags);
 	kfree_debugcheck(objp);
 	c = virt_to_cache(objp);
+	kfree_debug_cahce_pointer(c, objp);
 	debug_check_no_locks_freed(objp, obj_size(c));
 	__cache_free(c, (void *)objp);
 	local_irq_restore(flags);
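Review bot: `objp` in kfree() is `const void *`, but the added call hands it to a helper whose second parameter is declared `void *objp`, so debug builds drop the qualifier here, unlike the explicit `(void *)objp` cast on the `__cache_free()` line just below. The helper never reads that parameter in the hunk that defines it, so either remove it or declare it `const void *objp`. The check only warns: execution continues into `__cache_free(c, ...)` with the cache returned by virt_to_cache(), which is worth stating above the call, e.g. `/* debug only: warn if objp did not come from a kmalloc cache; the free still proceeds */`. kfree()'s body starts before this hunk.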

-- 
	Evgeniy Polyakov