From: Changbin Du <changbin.du@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: Changbin Du <changbin.du@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Christoph Lameter <cl@linux.com>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/slub: do not place freelist pointer to middle of object if redzone is on
Date: Sun, 26 Apr 2020 08:07:27 +0800	[thread overview]
Message-ID: <20200426000727.u2gfxwfsrvme3a6b@mail.google.com> (raw)
In-Reply-To: <202004251547.0F8E6856B@keescook>

Hi Kees,
On Sat, Apr 25, 2020 at 03:48:31PM -0700, Kees Cook wrote:
> On Sat, Apr 25, 2020 at 05:13:38PM +0800, Changbin Du wrote:
> > The recent kernel fails to boot when slub redzone is turned on. This is
> > caused by commit 3202fa62fb ("slub: relocate freelist pointer to middle of
> > object") which relocates freelist pointer to middle of object. In this
> > case, get_track() gets a wrong address and then the redzone is overwritten.
> 
> Hi! A fix for this is already in -next:
> 
> https://www.ozlabs.org/~akpm/mmotm/broken-out/slub-avoid-redzone-when-choosing-freepointer-location.patch
> 
> the above doesn't disable the mitigation when using redzones, so I
> prefer that to this suggested solution.
>
Glad to see it's been reported. But I am sorry that your patch cannot fix it.

With your fix, I suppose the layout of slub is:
|obj-fp-obj|redzone|track|...

While get_track():
	p = object + s->offset + sizeof(void *);

Then we still get a wrong location. I just tested linux-next and the problem is
still there.

Is the right and left redzone good enough to protect the freepointer? If not,
I will send a patch to fix get_track() along with your patch.

> -- 
> Kees Cook

-- 
Cheers,
Changbin Du
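The layout mismatch described in the mail, as an added example that is not code from the mail, from the linux-next patch, or from mm/slub.c: a small C model whose struct and field names (model_cache, object_size, inuse, offset) are invented for this example. It evaluates the quoted get_track() expression `object + s->offset + sizeof(void *)` against the layout `|obj-fp-obj|redzone|track|` and against the older `|obj|redzone|fp|track|` layout that the expression was written for, and shows that the expression lands inside the payload once the freelist pointer is moved to the middle. The layout-aware rule in `track_start_layout()` is this example's own formulation, not a claim about how the kernel was eventually fixed.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of the slab layout fields discussed in the thread. Not the
 * kernel's struct kmem_cache: the field names are chosen for this example. */
struct model_cache {
    size_t object_size; /* bytes of payload the caller receives */
    size_t inuse;       /* payload plus right redzone: first byte of metadata */
    size_t offset;      /* byte offset of the freelist pointer within the slot */
};

/* The get_track() expression quoted in the mail. It is only right when the
 * freelist pointer is the last thing before the track area. */
static size_t track_start_quoted(const struct model_cache *s)
{
    return s->offset + sizeof(void *);
}

/* Layout-aware rule (this example's own formulation): if the freelist
 * pointer was placed inside the payload, the tracks begin where the
 * metadata begins (s->inuse); if it sits after the redzone, they begin
 * directly after it. */
static size_t track_start_layout(const struct model_cache *s)
{
    if (s->offset < s->inuse)
        return s->inuse;
    return s->offset + sizeof(void *);
}

/* 1 if writing a track through the quoted expression would land inside the
 * payload or the redzone instead of the track area. */
static int quoted_expr_corrupts(const struct model_cache *s)
{
    return track_start_quoted(s) < s->inuse;
}

/* Constructed sample cache for the layout the mail describes:
 * |obj-fp-obj|redzone|track|, 64-byte payload, pointer-sized right redzone,
 * freelist pointer relocated to the middle of the payload. */
static const struct model_cache relocated_with_redzone = {
    64, 64 + sizeof(void *), 32
};

/* Constructed sample cache for the older layout the expression assumed:
 * |obj|redzone|fp|track|, freelist pointer directly after the redzone. */
static const struct model_cache freepointer_after_redzone = {
    64, 64 + sizeof(void *), 64 + sizeof(void *)
};

int main(void)
{
    printf("relocated fp:     quoted=%zu layout=%zu corrupts=%d\n",
           track_start_quoted(&relocated_with_redzone),
           track_start_layout(&relocated_with_redzone),
           quoted_expr_corrupts(&relocated_with_redzone));
    printf("fp after redzone: quoted=%zu layout=%zu corrupts=%d\n",
           track_start_quoted(&freepointer_after_redzone),
           track_start_layout(&freepointer_after_redzone),
           quoted_expr_corrupts(&freepointer_after_redzone));
    return 0;
}
```

On a 64-bit build the relocated case gives quoted=40 against layout=72, so a track write through the quoted expression lands in the middle of the payload; the older layout gives 80 for both, which is why the expression used to be correct.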
