Re: [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects

From: Vlastimil Babka <vbabka@suse.cz>
To: Feng Tang <feng.tang@intel.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Christoph Lameter <cl@linux.com>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Roman Gushchin <roman.gushchin@linux.dev>,
	Hyeonggon Yoo <42.hyeyoo@gmail.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Andrey Konovalov <andreyknvl@gmail.com>,
	Kees Cook <keescook@chromium.org>
Cc: Dave Hansen <dave.hansen@intel.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	kasan-dev@googlegroups.com
Subject: Re: [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects
Date: Fri, 11 Nov 2022 09:16:32 +0100	[thread overview]
Message-ID: <f9da0749-c109-1251-8489-de3cfb50ab24@suse.cz> (raw)
In-Reply-To: <20221021032405.1825078-1-feng.tang@intel.com>

On 10/21/22 05:24, Feng Tang wrote:
> kmalloc's API family is critical for mm, and one of its nature is that
> it will round up the request size to a fixed one (mostly power of 2).
> When user requests memory for '2^n + 1' bytes, actually 2^(n+1) bytes
> could be allocated, so there is an extra space than what is originally
> requested.
> 
> This patchset tries to extend the redzone sanity check to the extra
> kmalloced buffer than requested, to better detect un-legitimate access
> to it. (dependson SLAB_STORE_USER & SLAB_RED_ZONE)
> 
> The redzone part has been tested with code below:
> 
> 	for (shift = 3; shift <= 12; shift++) {
> 		size = 1 << shift;
> 		buf = kmalloc(size + 4, GFP_KERNEL);
> 		/* We have 96, 196 kmalloc size, which is not power of 2 */
> 		if (size == 64 || size == 128)
> 			oob_size = 16;
> 		else
> 			oob_size = size - 4;
> 		memset(buf + size + 4, 0xee, oob_size);
> 		kfree(buf);
> 	}

Sounds like a new slub_kunit test would be useful? :) doesn't need to be
that exhaustive wrt all sizes, we could just pick one and check that a write
beyond requested kmalloc size is detected?

Thanks!