From: Kees Cook <keescook@chromium.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kees Cook <keescook@chromium.org>,
stable@vger.kernel.org, Prasad Sodagudi <psodagud@codeaurora.org>,
Sami Tolvanen <samitolvanen@google.com>,
Amit Daniel Kachhap <amit.kachhap@arm.com>,
Randy Dunlap <rdunlap@infradead.org>,
Richard Weinberger <richard@nod.at>,
linux-kselftest@vger.kernel.org,
clang-built-linux@googlegroups.com, linux-kernel@vger.kernel.org
Subject: [PATCH drivers/misc v2 2/4] lkdtm/heap: Avoid edge and middle of slabs
Date: Thu, 25 Jun 2020 13:37:02 -0700 [thread overview]
Message-ID: <20200625203704.317097-3-keescook@chromium.org> (raw)
In-Reply-To: <20200625203704.317097-1-keescook@chromium.org>
Har har, after I moved the slab freelist pointer into the middle of the
slab, now it looks like the contents are getting poisoned. Adjust the
test to avoid the freelist pointer again.
Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/misc/lkdtm/heap.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
index 3c5cec85edce..1323bc16f113 100644
--- a/drivers/misc/lkdtm/heap.c
+++ b/drivers/misc/lkdtm/heap.c
@@ -58,11 +58,12 @@ void lkdtm_READ_AFTER_FREE(void)
int *base, *val, saw;
size_t len = 1024;
/*
- * The slub allocator uses the first word to store the free
- * pointer in some configurations. Use the middle of the
- * allocation to avoid running into the freelist
+ * The slub allocator will use the either the first word or
+ * the middle of the allocation to store the free pointer,
+ * depending on configurations. Store in the second word to
+ * avoid running into the freelist.
*/
- size_t offset = (len / sizeof(*base)) / 2;
+ size_t offset = sizeof(*base);
base = kmalloc(len, GFP_KERNEL);
if (!base) {
--
2.25.1
next prev parent reply other threads:[~2020-06-25 20:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-25 20:37 [PATCH drivers/misc v2 0/4] lkdtm: Various clean ups Kees Cook
2020-06-25 20:37 ` [PATCH drivers/misc v2 1/4] lkdtm: Avoid more compiler optimizations for bad writes Kees Cook
2020-06-25 20:37 ` Kees Cook [this message]
2020-06-25 20:37 ` [PATCH drivers/misc v2 3/4] selftests/lkdtm: Reset WARN_ONCE to avoid false negatives Kees Cook
2020-06-25 20:37 ` [PATCH drivers/misc v2 4/4] lkdtm: Make arch-specific tests always available Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200625203704.317097-3-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=amit.kachhap@arm.com \
--cc=clang-built-linux@googlegroups.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=psodagud@codeaurora.org \
--cc=rdunlap@infradead.org \
--cc=richard@nod.at \
--cc=samitolvanen@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.