All of lore.kernel.org
 help / color / mirror / Atom feed
From: Feng Tang <feng.tang@intel.com>
To: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Christoph Lameter <cl@linux.com>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Roman Gushchin <roman.gushchin@linux.dev>,
	Hyeonggon Yoo <42.hyeyoo@gmail.com>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	Andrey Konovalov <andreyknvl@gmail.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Hansen, Dave" <dave.hansen@intel.com>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"kasan-dev@googlegroups.com" <kasan-dev@googlegroups.com>
Subject: Re: [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects
Date: Fri, 11 Nov 2022 16:29:43 +0800	[thread overview]
Message-ID: <Y24H998aujvYXjkV@feng-clx> (raw)
In-Reply-To: <f9da0749-c109-1251-8489-de3cfb50ab24@suse.cz>

On Fri, Nov 11, 2022 at 04:16:32PM +0800, Vlastimil Babka wrote:
> On 10/21/22 05:24, Feng Tang wrote:
> > kmalloc's API family is critical for mm, and one of its nature is that
> > it will round up the request size to a fixed one (mostly power of 2).
> > When user requests memory for '2^n + 1' bytes, actually 2^(n+1) bytes
> > could be allocated, so there is an extra space than what is originally
> > requested.
> > 
> > This patchset tries to extend the redzone sanity check to the extra
> > kmalloced buffer than requested, to better detect un-legitimate access
> > to it. (dependson SLAB_STORE_USER & SLAB_RED_ZONE)
> > 
> > The redzone part has been tested with code below:
> > 
> > 	for (shift = 3; shift <= 12; shift++) {
> > 		size = 1 << shift;
> > 		buf = kmalloc(size + 4, GFP_KERNEL);
> > 		/* We have 96, 196 kmalloc size, which is not power of 2 */
> > 		if (size == 64 || size == 128)
> > 			oob_size = 16;
> > 		else
> > 			oob_size = size - 4;
> > 		memset(buf + size + 4, 0xee, oob_size);
> > 		kfree(buf);
> > 	}
> 
> Sounds like a new slub_kunit test would be useful? :) doesn't need to be
> that exhaustive wrt all sizes, we could just pick one and check that a write
> beyond requested kmalloc size is detected?

Just git-grepped out slub_kunit.c :), will try to add a case to it.
I'll also check if the case will also be caught by other sanitizer
tools like kasan/kfence etc.

Thanks,
Feng


> Thanks!
> 

  reply	other threads:[~2022-11-11  8:33 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-21  3:24 [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects Feng Tang
2022-10-21  3:24 ` [PATCH v7 1/3] mm/slub: only zero requested size of buffer for kzalloc when debug enabled Feng Tang
2022-10-24 14:00   ` Hyeonggon Yoo
2022-10-27 19:27   ` Andrey Konovalov
2022-11-09 14:28   ` Vlastimil Babka
2022-11-10  3:20     ` Feng Tang
2022-11-10 12:57       ` Feng Tang
2022-11-10 15:44         ` Vlastimil Babka
2022-11-11  6:19           ` Feng Tang
2022-10-21  3:24 ` [PATCH v7 2/3] mm: kasan: Extend kasan_metadata_size() to also cover in-object size Feng Tang
2022-10-27 19:27   ` Andrey Konovalov
2022-10-21  3:24 ` [PATCH v7 3/3] mm/slub: extend redzone check to extra allocated kmalloc space than requested Feng Tang
2022-11-10 15:48   ` Vlastimil Babka
2022-11-11  6:46     ` Feng Tang
2022-11-11  8:12       ` Vlastimil Babka
2022-11-11  8:16 ` [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects Vlastimil Babka
2022-11-11  8:29   ` Feng Tang [this message]
2022-11-21  6:38     ` Feng Tang
2022-11-23  9:48       ` Vlastimil Babka
2022-11-28  5:43         ` Feng Tang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y24H998aujvYXjkV@feng-clx \
    --to=feng.tang@intel.com \
    --cc=42.hyeyoo@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=andreyknvl@gmail.com \
    --cc=cl@linux.com \
    --cc=dave.hansen@intel.com \
    --cc=dvyukov@google.com \
    --cc=iamjoonsoo.kim@lge.com \
    --cc=kasan-dev@googlegroups.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=penberg@kernel.org \
    --cc=rientjes@google.com \
    --cc=roman.gushchin@linux.dev \
    --cc=vbabka@suse.cz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.