* [PATCH v4 0/3] Actually fix freelist pointer vs redzoning @ 2021-06-08 18:39 Kees Cook 2021-06-08 18:39 ` [PATCH v4 1/3] mm/slub: Clarify verification reporting Kees Cook ` (3 more replies) 0 siblings, 4 replies; 9+ messages in thread From: Kees Cook @ 2021-06-08 18:39 UTC (permalink / raw) To: Andrew Morton Cc: Kees Cook, Vlastimil Babka, Marco Elver, Christoph Lameter, Lin, Zhenpeng, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel, linux-doc, linux-mm v4: - remove redundant size check v3: https://lore.kernel.org/lkml/20201015033712.1491731-1-keescook@chromium.org v2: https://lore.kernel.org/lkml/20201009195411.4018141-1-keescook@chromium.org v1: https://lore.kernel.org/lkml/20201008233443.3335464-1-keescook@chromium.org This fixes redzoning vs the freelist pointer (both for middle-position and very small caches). Both are "theoretical" fixes, in that I see no evidence of such small-sized caches actually be used in the kernel, but that's no reason to let the bugs continue to exist, especially since people doing local development keep tripping over it. :) Thanks! -Kees Kees Cook (3): mm/slub: Clarify verification reporting mm/slub: Fix redzoning for small allocations mm/slub: Actually fix freelist pointer vs redzoning Documentation/vm/slub.rst | 10 +++++----- mm/slab_common.c | 3 +-- mm/slub.c | 36 +++++++++++++++--------------------- 3 files changed, 21 insertions(+), 28 deletions(-) -- 2.25.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v4 1/3] mm/slub: Clarify verification reporting 2021-06-08 18:39 [PATCH v4 0/3] Actually fix freelist pointer vs redzoning Kees Cook @ 2021-06-08 18:39 ` Kees Cook 2021-06-08 18:39 ` [PATCH v4 2/3] mm/slub: Fix redzoning for small allocations Kees Cook ` (2 subsequent siblings) 3 siblings, 0 replies; 9+ messages in thread From: Kees Cook @ 2021-06-08 18:39 UTC (permalink / raw) To: Andrew Morton Cc: Kees Cook, Vlastimil Babka, Marco Elver, Christoph Lameter, Lin, Zhenpeng, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel, linux-doc, linux-mm Instead of repeating "Redzone" and "Poison", clarify which sides of those zones got tripped. Additionally fix column alignment in the trailer. Before: BUG test (Tainted: G B ): Redzone overwritten ... Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........ Object (____ptrval____): f6 f4 a5 40 1d e8 ...@.. Redzone (____ptrval____): 1a aa .. Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........ After: BUG test (Tainted: G B ): Right Redzone overwritten ... Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........ Object (____ptrval____): f6 f4 a5 40 1d e8 ...@.. Redzone (____ptrval____): 1a aa .. Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........ The earlier commits that slowly resulted in the "Before" reporting were: d86bd1bece6f ("mm/slub: support left redzone") ffc79d288000 ("slub: use print_hex_dump") 2492268472e7 ("SLUB: change error reporting format to follow lockdep loosely") Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Vlastimil Babka <vbabka@suse.cz> Link: https://lore.kernel.org/lkml/cfdb11d7-fb8e-e578-c939-f7f5fb69a6bd@suse.cz/ --- Documentation/vm/slub.rst | 10 +++++----- mm/slub.c | 14 +++++++------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/Documentation/vm/slub.rst b/Documentation/vm/slub.rst index 03f294a638bd..d3028554b1e9 100644 --- a/Documentation/vm/slub.rst +++ b/Documentation/vm/slub.rst @@ -181,7 +181,7 @@ SLUB Debug output Here is a sample of slub debug output:: ==================================================================== - BUG kmalloc-8: Redzone overwritten + BUG kmalloc-8: Right Redzone overwritten -------------------------------------------------------------------- INFO: 0xc90f6d28-0xc90f6d2b. First byte 0x00 instead of 0xcc @@ -189,10 +189,10 @@ Here is a sample of slub debug output:: INFO: Object 0xc90f6d20 @offset=3360 fp=0xc90f6d58 INFO: Allocated in get_modalias+0x61/0xf5 age=53 cpu=1 pid=554 - Bytes b4 0xc90f6d10: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ - Object 0xc90f6d20: 31 30 31 39 2e 30 30 35 1019.005 - Redzone 0xc90f6d28: 00 cc cc cc . - Padding 0xc90f6d50: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ + Bytes b4 (0xc90f6d10): 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ + Object (0xc90f6d20): 31 30 31 39 2e 30 30 35 1019.005 + Redzone (0xc90f6d28): 00 cc cc cc . + Padding (0xc90f6d50): 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ [<c010523d>] dump_trace+0x63/0x1eb [<c01053df>] show_trace_log_lvl+0x1a/0x2f diff --git a/mm/slub.c b/mm/slub.c index 3f96e099817a..f91d9fe7d0d8 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -712,15 +712,15 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p) p, p - addr, get_freepointer(s, p)); if (s->flags & SLAB_RED_ZONE) - print_section(KERN_ERR, "Redzone ", p - s->red_left_pad, + print_section(KERN_ERR, "Redzone ", p - s->red_left_pad, s->red_left_pad); else if (p > addr + 16) print_section(KERN_ERR, "Bytes b4 ", p - 16, 16); - print_section(KERN_ERR, "Object ", p, + print_section(KERN_ERR, "Object ", p, min_t(unsigned int, s->object_size, PAGE_SIZE)); if (s->flags & SLAB_RED_ZONE) - print_section(KERN_ERR, "Redzone ", p + s->object_size, + print_section(KERN_ERR, "Redzone ", p + s->object_size, s->inuse - s->object_size); off = get_info_end(s); @@ -732,7 +732,7 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p) if (off != size_from_object(s)) /* Beginning of the filler is the free pointer */ - print_section(KERN_ERR, "Padding ", p + off, + print_section(KERN_ERR, "Padding ", p + off, size_from_object(s) - off); dump_stack(); @@ -909,11 +909,11 @@ static int check_object(struct kmem_cache *s, struct page *page, u8 *endobject = object + s->object_size; if (s->flags & SLAB_RED_ZONE) { - if (!check_bytes_and_report(s, page, object, "Redzone", + if (!check_bytes_and_report(s, page, object, "Left Redzone", object - s->red_left_pad, val, s->red_left_pad)) return 0; - if (!check_bytes_and_report(s, page, object, "Redzone", + if (!check_bytes_and_report(s, page, object, "Right Redzone", endobject, val, s->inuse - s->object_size)) return 0; } else { @@ -928,7 +928,7 @@ static int check_object(struct kmem_cache *s, struct page *page, if (val != SLUB_RED_ACTIVE && (s->flags & __OBJECT_POISON) && (!check_bytes_and_report(s, page, p, "Poison", p, POISON_FREE, s->object_size - 1) || - !check_bytes_and_report(s, page, p, "Poison", + !check_bytes_and_report(s, page, p, "End Poison", p + s->object_size - 1, POISON_END, 1))) return 0; /* -- 2.25.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v4 2/3] mm/slub: Fix redzoning for small allocations 2021-06-08 18:39 [PATCH v4 0/3] Actually fix freelist pointer vs redzoning Kees Cook 2021-06-08 18:39 ` [PATCH v4 1/3] mm/slub: Clarify verification reporting Kees Cook @ 2021-06-08 18:39 ` Kees Cook 2021-06-11 9:13 ` Vlastimil Babka 2021-06-08 18:39 ` [PATCH v4 3/3] mm/slub: Actually fix freelist pointer vs redzoning Kees Cook 2021-06-08 20:53 ` [PATCH v4 0/3] " Andrew Morton 3 siblings, 1 reply; 9+ messages in thread From: Kees Cook @ 2021-06-08 18:39 UTC (permalink / raw) To: Andrew Morton Cc: Kees Cook, stable, Vlastimil Babka, Marco Elver, Christoph Lameter, Lin, Zhenpeng, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel, linux-doc, linux-mm The redzone area for SLUB exists between s->object_size and s->inuse (which is at least the word-aligned object_size). If a cache were created with an object_size smaller than sizeof(void *), the in-object stored freelist pointer would overwrite the redzone (e.g. with boot param "slub_debug=ZF"): BUG test (Tainted: G B ): Right Redzone overwritten ----------------------------------------------------------------------------- INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200 INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620 Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........ Object (____ptrval____): f6 f4 a5 40 1d e8 ...@.. Redzone (____ptrval____): 1a aa .. Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........ Store the freelist pointer out of line when object_size is smaller than sizeof(void *) and redzoning is enabled. Additionally remove the "smaller than sizeof(void *)" check under CONFIG_DEBUG_VM in kmem_cache_sanity_check() as it is now redundant: SLAB and SLOB both handle small sizes. (Note that no caches within this size range are known to exist in the kernel currently.) Fixes: 81819f0fc828 ("SLUB core") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> --- mm/slab_common.c | 3 +-- mm/slub.c | 8 +++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/mm/slab_common.c b/mm/slab_common.c index a4a571428c51..7cab77655f11 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -97,8 +97,7 @@ EXPORT_SYMBOL(kmem_cache_size); #ifdef CONFIG_DEBUG_VM static int kmem_cache_sanity_check(const char *name, unsigned int size) { - if (!name || in_interrupt() || size < sizeof(void *) || - size > KMALLOC_MAX_SIZE) { + if (!name || in_interrupt() || size > KMALLOC_MAX_SIZE) { pr_err("kmem_cache_create(%s) integrity check failed\n", name); return -EINVAL; } diff --git a/mm/slub.c b/mm/slub.c index f91d9fe7d0d8..f58cfd456548 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -3734,15 +3734,17 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) */ s->inuse = size; - if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || - s->ctor)) { + if ((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || + ((flags & SLAB_RED_ZONE) && s->object_size < sizeof(void *)) || + s->ctor) { /* * Relocate free pointer after the object if it is not * permitted to overwrite the first word of the object on * kmem_cache_free. * * This is the case if we do RCU, have a constructor or - * destructor or are poisoning the objects. + * destructor, are poisoning the objects, or are + * redzoning an object smaller than sizeof(void *). * * The assumption that s->offset >= s->inuse means free * pointer is outside of the object is used in the -- 2.25.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v4 2/3] mm/slub: Fix redzoning for small allocations 2021-06-08 18:39 ` [PATCH v4 2/3] mm/slub: Fix redzoning for small allocations Kees Cook @ 2021-06-11 9:13 ` Vlastimil Babka 0 siblings, 0 replies; 9+ messages in thread From: Vlastimil Babka @ 2021-06-11 9:13 UTC (permalink / raw) To: Kees Cook, Andrew Morton Cc: stable, Marco Elver, Christoph Lameter, Lin, Zhenpeng, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel, linux-doc, linux-mm On 6/8/21 8:39 PM, Kees Cook wrote: > The redzone area for SLUB exists between s->object_size and s->inuse > (which is at least the word-aligned object_size). If a cache were created > with an object_size smaller than sizeof(void *), the in-object stored > freelist pointer would overwrite the redzone (e.g. with boot param > "slub_debug=ZF"): > > BUG test (Tainted: G B ): Right Redzone overwritten > ----------------------------------------------------------------------------- > > INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb > INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200 > INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620 > > Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........ > Object (____ptrval____): f6 f4 a5 40 1d e8 ...@.. > Redzone (____ptrval____): 1a aa .. > Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........ > > Store the freelist pointer out of line when object_size is smaller than > sizeof(void *) and redzoning is enabled. > > Additionally remove the "smaller than sizeof(void *)" check under > CONFIG_DEBUG_VM in kmem_cache_sanity_check() as it is now redundant: > SLAB and SLOB both handle small sizes. > > (Note that no caches within this size range are known to exist in the > kernel currently.) > > Fixes: 81819f0fc828 ("SLUB core") > Cc: stable@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Vlastimil Babka <vbabka@suse.cz> > --- > mm/slab_common.c | 3 +-- > mm/slub.c | 8 +++++--- > 2 files changed, 6 insertions(+), 5 deletions(-) > > diff --git a/mm/slab_common.c b/mm/slab_common.c > index a4a571428c51..7cab77655f11 100644 > --- a/mm/slab_common.c > +++ b/mm/slab_common.c > @@ -97,8 +97,7 @@ EXPORT_SYMBOL(kmem_cache_size); > #ifdef CONFIG_DEBUG_VM > static int kmem_cache_sanity_check(const char *name, unsigned int size) > { > - if (!name || in_interrupt() || size < sizeof(void *) || > - size > KMALLOC_MAX_SIZE) { > + if (!name || in_interrupt() || size > KMALLOC_MAX_SIZE) { > pr_err("kmem_cache_create(%s) integrity check failed\n", name); > return -EINVAL; > } > diff --git a/mm/slub.c b/mm/slub.c > index f91d9fe7d0d8..f58cfd456548 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -3734,15 +3734,17 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > */ > s->inuse = size; > > - if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || > - s->ctor)) { > + if ((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || > + ((flags & SLAB_RED_ZONE) && s->object_size < sizeof(void *)) || > + s->ctor) { > /* > * Relocate free pointer after the object if it is not > * permitted to overwrite the first word of the object on > * kmem_cache_free. > * > * This is the case if we do RCU, have a constructor or > - * destructor or are poisoning the objects. > + * destructor, are poisoning the objects, or are > + * redzoning an object smaller than sizeof(void *). > * > * The assumption that s->offset >= s->inuse means free > * pointer is outside of the object is used in the > ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v4 3/3] mm/slub: Actually fix freelist pointer vs redzoning 2021-06-08 18:39 [PATCH v4 0/3] Actually fix freelist pointer vs redzoning Kees Cook 2021-06-08 18:39 ` [PATCH v4 1/3] mm/slub: Clarify verification reporting Kees Cook 2021-06-08 18:39 ` [PATCH v4 2/3] mm/slub: Fix redzoning for small allocations Kees Cook @ 2021-06-08 18:39 ` Kees Cook 2021-06-08 20:56 ` Andrew Morton 2021-06-08 20:53 ` [PATCH v4 0/3] " Andrew Morton 3 siblings, 1 reply; 9+ messages in thread From: Kees Cook @ 2021-06-08 18:39 UTC (permalink / raw) To: Andrew Morton Cc: Kees Cook, Marco Elver, Lin, Zhenpeng, stable, Vlastimil Babka, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel, linux-doc, linux-mm It turns out that SLUB redzoning ("slub_debug=Z") checks from s->object_size rather than from s->inuse (which is normally bumped to make room for the freelist pointer), so a cache created with an object size less than 24 would have the freelist pointer written beyond s->object_size, causing the redzone to be corrupted by the freelist pointer. This was very visible with "slub_debug=ZF": BUG test (Tainted: G B ): Right Redzone overwritten ----------------------------------------------------------------------------- INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200 INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620 Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........ Object (____ptrval____): 00 00 00 00 00 f6 f4 a5 ........ Redzone (____ptrval____): 40 1d e8 1a aa @.... Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........ Adjust the offset to stay within s->object_size. (Note that no caches of in this size range are known to exist in the kernel currently.) Reported-by: Marco Elver <elver@google.com> Reported-by: "Lin, Zhenpeng" <zplin@psu.edu> Link: https://lore.kernel.org/linux-mm/20200807160627.GA1420741@elver.google.com/ Fixes: 89b83f282d8b (slub: avoid redzone when choosing freepointer location) Cc: stable@vger.kernel.org Tested-by: Marco Elver <elver@google.com> Link: https://lore.kernel.org/lkml/CANpmjNOwZ5VpKQn+SYWovTkFB4VsT-RPwyENBmaK0dLcpqStkA@mail.gmail.com Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Vlastimil Babka <vbabka@suse.cz> Link: https://lore.kernel.org/lkml/0f7dd7b2-7496-5e2d-9488-2ec9f8e90441@suse.cz/ --- mm/slub.c | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/mm/slub.c b/mm/slub.c index f58cfd456548..fe30df460fad 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -3689,7 +3689,6 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) { slab_flags_t flags = s->flags; unsigned int size = s->object_size; - unsigned int freepointer_area; unsigned int order; /* @@ -3698,13 +3697,6 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) * the possible location of the free pointer. */ size = ALIGN(size, sizeof(void *)); - /* - * This is the area of the object where a freepointer can be - * safely written. If redzoning adds more to the inuse size, we - * can't use that portion for writing the freepointer, so - * s->offset must be limited within this for the general case. - */ - freepointer_area = size; #ifdef CONFIG_SLUB_DEBUG /* @@ -3730,7 +3722,7 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) /* * With that we have determined the number of bytes in actual use - * by the object. This is the potential offset to the free pointer. + * by the object and redzoning. */ s->inuse = size; @@ -3753,13 +3745,13 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) */ s->offset = size; size += sizeof(void *); - } else if (freepointer_area > sizeof(void *)) { + } else { /* * Store freelist pointer near middle of object to keep * it away from the edges of the object to avoid small * sized over/underflows from neighboring allocations. */ - s->offset = ALIGN(freepointer_area / 2, sizeof(void *)); + s->offset = ALIGN_DOWN(s->object_size / 2, sizeof(void *)); } #ifdef CONFIG_SLUB_DEBUG -- 2.25.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v4 3/3] mm/slub: Actually fix freelist pointer vs redzoning 2021-06-08 18:39 ` [PATCH v4 3/3] mm/slub: Actually fix freelist pointer vs redzoning Kees Cook @ 2021-06-08 20:56 ` Andrew Morton 2021-06-08 23:11 ` Kees Cook 0 siblings, 1 reply; 9+ messages in thread From: Andrew Morton @ 2021-06-08 20:56 UTC (permalink / raw) To: Kees Cook Cc: Marco Elver, Lin, Zhenpeng, stable, Vlastimil Babka, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel, linux-doc, linux-mm, Lin, Zhenpeng On Tue, 8 Jun 2021 11:39:55 -0700 Kees Cook <keescook@chromium.org> wrote: > It turns out that SLUB redzoning ("slub_debug=Z") checks from > s->object_size rather than from s->inuse (which is normally bumped > to make room for the freelist pointer), so a cache created with an > object size less than 24 would have the freelist pointer written beyond > s->object_size, causing the redzone to be corrupted by the freelist > pointer. This was very visible with "slub_debug=ZF": > > BUG test (Tainted: G B ): Right Redzone overwritten > ----------------------------------------------------------------------------- > > INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb > INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200 > INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620 > > Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........ > Object (____ptrval____): 00 00 00 00 00 f6 f4 a5 ........ > Redzone (____ptrval____): 40 1d e8 1a aa @.... > Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........ > > Adjust the offset to stay within s->object_size. > > (Note that no caches of in this size range are known to exist in the > kernel currently.) We already have https://lkml.kernel.org/r/6746FEEA-FD69-4792-8DDA-C78F5FE7DA02@psu.edu. Is this patch better? > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -3689,7 +3689,6 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > { > slab_flags_t flags = s->flags; > unsigned int size = s->object_size; > - unsigned int freepointer_area; > unsigned int order; > > /* > @@ -3698,13 +3697,6 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > * the possible location of the free pointer. > */ > size = ALIGN(size, sizeof(void *)); > - /* > - * This is the area of the object where a freepointer can be > - * safely written. If redzoning adds more to the inuse size, we > - * can't use that portion for writing the freepointer, so > - * s->offset must be limited within this for the general case. > - */ > - freepointer_area = size; > > #ifdef CONFIG_SLUB_DEBUG > /* > @@ -3730,7 +3722,7 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > > /* > * With that we have determined the number of bytes in actual use > - * by the object. This is the potential offset to the free pointer. > + * by the object and redzoning. > */ > s->inuse = size; > > @@ -3753,13 +3745,13 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > */ > s->offset = size; > size += sizeof(void *); > - } else if (freepointer_area > sizeof(void *)) { > + } else { > /* > * Store freelist pointer near middle of object to keep > * it away from the edges of the object to avoid small > * sized over/underflows from neighboring allocations. > */ > - s->offset = ALIGN(freepointer_area / 2, sizeof(void *)); > + s->offset = ALIGN_DOWN(s->object_size / 2, sizeof(void *)); > } > > #ifdef CONFIG_SLUB_DEBUG > -- > 2.25.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v4 3/3] mm/slub: Actually fix freelist pointer vs redzoning 2021-06-08 20:56 ` Andrew Morton @ 2021-06-08 23:11 ` Kees Cook 0 siblings, 0 replies; 9+ messages in thread From: Kees Cook @ 2021-06-08 23:11 UTC (permalink / raw) To: Andrew Morton Cc: Marco Elver, Lin, Zhenpeng, stable, Vlastimil Babka, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel, linux-doc, linux-mm On Tue, Jun 08, 2021 at 01:56:33PM -0700, Andrew Morton wrote: > On Tue, 8 Jun 2021 11:39:55 -0700 Kees Cook <keescook@chromium.org> wrote: > > > It turns out that SLUB redzoning ("slub_debug=Z") checks from > > s->object_size rather than from s->inuse (which is normally bumped > > to make room for the freelist pointer), so a cache created with an > > object size less than 24 would have the freelist pointer written beyond > > s->object_size, causing the redzone to be corrupted by the freelist > > pointer. This was very visible with "slub_debug=ZF": > > > > BUG test (Tainted: G B ): Right Redzone overwritten > > ----------------------------------------------------------------------------- > > > > INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb > > INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200 > > INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620 > > > > Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........ > > Object (____ptrval____): 00 00 00 00 00 f6 f4 a5 ........ > > Redzone (____ptrval____): 40 1d e8 1a aa @.... > > Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........ > > > > Adjust the offset to stay within s->object_size. > > > > (Note that no caches of in this size range are known to exist in the > > kernel currently.) > > We already have > https://lkml.kernel.org/r/6746FEEA-FD69-4792-8DDA-C78F5FE7DA02@psu.edu. > Is this patch better? Yes, I believe so, since it reduces code and corrects the size checking more directly (and more clearly demonstrates the redzone calculation problem in the commit log). -Kees > > > --- a/mm/slub.c > > +++ b/mm/slub.c > > @@ -3689,7 +3689,6 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > > { > > slab_flags_t flags = s->flags; > > unsigned int size = s->object_size; > > - unsigned int freepointer_area; > > unsigned int order; > > > > /* > > @@ -3698,13 +3697,6 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > > * the possible location of the free pointer. > > */ > > size = ALIGN(size, sizeof(void *)); > > - /* > > - * This is the area of the object where a freepointer can be > > - * safely written. If redzoning adds more to the inuse size, we > > - * can't use that portion for writing the freepointer, so > > - * s->offset must be limited within this for the general case. > > - */ > > - freepointer_area = size; > > > > #ifdef CONFIG_SLUB_DEBUG > > /* > > @@ -3730,7 +3722,7 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > > > > /* > > * With that we have determined the number of bytes in actual use > > - * by the object. This is the potential offset to the free pointer. > > + * by the object and redzoning. > > */ > > s->inuse = size; > > > > @@ -3753,13 +3745,13 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > > */ > > s->offset = size; > > size += sizeof(void *); > > - } else if (freepointer_area > sizeof(void *)) { > > + } else { > > /* > > * Store freelist pointer near middle of object to keep > > * it away from the edges of the object to avoid small > > * sized over/underflows from neighboring allocations. > > */ > > - s->offset = ALIGN(freepointer_area / 2, sizeof(void *)); > > + s->offset = ALIGN_DOWN(s->object_size / 2, sizeof(void *)); > > } > > > > #ifdef CONFIG_SLUB_DEBUG > > -- > > 2.25.1 -- Kees Cook ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v4 0/3] Actually fix freelist pointer vs redzoning 2021-06-08 18:39 [PATCH v4 0/3] Actually fix freelist pointer vs redzoning Kees Cook ` (2 preceding siblings ...) 2021-06-08 18:39 ` [PATCH v4 3/3] mm/slub: Actually fix freelist pointer vs redzoning Kees Cook @ 2021-06-08 20:53 ` Andrew Morton 2021-06-08 23:08 ` Kees Cook 3 siblings, 1 reply; 9+ messages in thread From: Andrew Morton @ 2021-06-08 20:53 UTC (permalink / raw) To: Kees Cook Cc: Vlastimil Babka, Marco Elver, Christoph Lameter, Lin, Zhenpeng, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel, linux-doc, linux-mm On Tue, 8 Jun 2021 11:39:52 -0700 Kees Cook <keescook@chromium.org> wrote: > This fixes redzoning vs the freelist pointer (both for middle-position > and very small caches). Both are "theoretical" fixes, in that I see no > evidence of such small-sized caches actually be used in the kernel, but > that's no reason to let the bugs continue to exist, especially since > people doing local development keep tripping over it. :) So I don't think this is suitable -stable material? It's a bit odd that patches 2&3 were cc:stable but #1 was not. Makes one afraid that 2&3 might have had a dependency anyway. So I'm thinking that the whole series can just be for 5.14-rc1, in the sent order. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v4 0/3] Actually fix freelist pointer vs redzoning 2021-06-08 20:53 ` [PATCH v4 0/3] " Andrew Morton @ 2021-06-08 23:08 ` Kees Cook 0 siblings, 0 replies; 9+ messages in thread From: Kees Cook @ 2021-06-08 23:08 UTC (permalink / raw) To: Andrew Morton Cc: Vlastimil Babka, Marco Elver, Christoph Lameter, Lin, Zhenpeng, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel, linux-doc, linux-mm On Tue, Jun 08, 2021 at 01:53:27PM -0700, Andrew Morton wrote: > On Tue, 8 Jun 2021 11:39:52 -0700 Kees Cook <keescook@chromium.org> wrote: > > > This fixes redzoning vs the freelist pointer (both for middle-position > > and very small caches). Both are "theoretical" fixes, in that I see no > > evidence of such small-sized caches actually be used in the kernel, but > > that's no reason to let the bugs continue to exist, especially since > > people doing local development keep tripping over it. :) > > So I don't think this is suitable -stable material? Yeah, I think it's -stable material, but I'd like some bake time in -next just in case. zplin saw that there was a 2 * sizeof(void *) case that existed in the kernel that would trip over the issue. > It's a bit odd that patches 2&3 were cc:stable but #1 was not. Makes > one afraid that 2&3 might have had a dependency anyway. #1 is entirely cosmetic. It should also be fine to put into -stable, but since it had no operational impact, I figured it didn't need to be. > So I'm thinking that the whole series can just be for 5.14-rc1, in the > sent order. Unless I'm missing something big, yeah, that would be my preference too. (And -stable can pick it up then.) -- Kees Cook ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-06-11 9:13 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-06-08 18:39 [PATCH v4 0/3] Actually fix freelist pointer vs redzoning Kees Cook 2021-06-08 18:39 ` [PATCH v4 1/3] mm/slub: Clarify verification reporting Kees Cook 2021-06-08 18:39 ` [PATCH v4 2/3] mm/slub: Fix redzoning for small allocations Kees Cook 2021-06-11 9:13 ` Vlastimil Babka 2021-06-08 18:39 ` [PATCH v4 3/3] mm/slub: Actually fix freelist pointer vs redzoning Kees Cook 2021-06-08 20:56 ` Andrew Morton 2021-06-08 23:11 ` Kees Cook 2021-06-08 20:53 ` [PATCH v4 0/3] " Andrew Morton 2021-06-08 23:08 ` Kees Cook
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).