linux-kernel.vger.kernel.org archive mirror
* [PATCH] kasan: slab: always reset the tag in get_freepointer_safe()
@ 2021-05-14  7:22 Alexander Potapenko
From: Alexander Potapenko @ 2021-05-14  7:22 UTC
  To: akpm
  Cc: Alexander Potapenko, Marco Elver, Vincenzo Frascino,
	Andrey Ryabinin, Andrey Konovalov, Elliot Berman, linux-kernel

With CONFIG_DEBUG_PAGEALLOC enabled, the kernel should also untag the
object pointer, as done in get_freepointer().

Failing to do so reportedly leads to SLUB freelist corruptions that
manifest as boot-time crashes.

Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Marco Elver <elver@google.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Elliot Berman <eberman@codeaurora.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Alexander Potapenko <glider@google.com>
---
 mm/slub.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/slub.c b/mm/slub.c
index feda53ae62ba..9a4f59e5b0c2 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -301,6 +301,7 @@ static inline void *get_freepointer_safe(struct kmem_cache *s, void *object)
 	if (!debug_pagealloc_enabled_static())
 		return get_freepointer(s, object);
 
+	object = kasan_reset_tag(object);
 	freepointer_addr = (unsigned long)object + s->offset;
 	copy_from_kernel_nofault(&p, (void **)freepointer_addr, sizeof(p));
 	return freelist_ptr(s, p, freepointer_addr);
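Review bot: on the copy_from_kernel_nofault() line directly after the new kasan_reset_tag() call, the return value is still discarded, so a failed read hands freelist_ptr() a `p` that nothing in this function has written, and the decoded garbage goes onto the freelist. This path exists precisely for reads that may not succeed, so the failure case deserves an explicit check, e.g. `if (copy_from_kernel_nofault(&p, (void **)freepointer_addr, sizeof(p)))` followed by whatever the caller should see for an unreadable freelist entry, or at the very least an initialised `p`, rather than decoding whatever `p` happened to hold. Not introduced by this patch, but the patch is touching the exact line.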
-- 
2.31.1.751.gd2f1c929bd-goog


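The walk the patch fixes, as an added example that is not part of this thread or of mm/slub.c: a user-space C model of get_freepointer_safe() before and after the one-line change. The helper names mirror the kernel's, but the bodies are simplified stand-ins written for this example, not kernel code. It assumes 64-bit pointers with the tag in the top address byte (as KASAN's tag-based modes use on arm64) and tag 0 meaning "untagged"; that a read through a pointer whose tag differs from the memory's tag fails with -EFAULT and leaves the destination untouched (a tag-check-fault model; the page does not say this is the mechanism behind the reported crash); and that freelist pointers are stored XORed with a per-cache secret and the byte-swapped storage address, the CONFIG_SLAB_FREELIST_HARDENED scheme as I recall it. The slab layout, the tags and the cache secret are constructed values.

```c
/* Added example (not kernel code): user-space model of the freelist read this patch fixes. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_SHIFT 56                               /* tag lives in the top address byte */
#define TAG_MASK  ((uintptr_t)0xff << TAG_SHIFT)
#define OBJ_SIZE  64
#define NR_OBJS   4

struct kmem_cache {
	size_t offset;     /* offset of the freelist pointer inside a free object */
	uintptr_t random;  /* per-cache secret used by freelist_ptr() */
};

/* Constructed slab: NR_OBJS objects, plus one memory tag per object (MTE model). */
static unsigned char slab[NR_OBJS * OBJ_SIZE] __attribute__((aligned(16)));
static uint8_t mem_tag[NR_OBJS];

static void *kasan_reset_tag(const void *p)
{
	return (void *)((uintptr_t)p & ~TAG_MASK);
}

static void *set_tag(const void *p, uint8_t tag)
{
	return (void *)((uintptr_t)kasan_reset_tag(p) | ((uintptr_t)tag << TAG_SHIFT));
}

/* Model of copy_from_kernel_nofault(): a read outside the slab, or through a pointer
 * whose non-zero tag differs from the memory tag, fails and leaves *dst untouched. */
static int copy_from_kernel_nofault(void *dst, const void *src, size_t n)
{
	uint8_t ptag = (uint8_t)((uintptr_t)src >> TAG_SHIFT);
	uintptr_t off = (uintptr_t)kasan_reset_tag(src) - (uintptr_t)slab;
	if (off >= sizeof(slab) || (ptag != 0 && ptag != mem_tag[off / OBJ_SIZE]))
		return -EFAULT;
	memcpy(dst, kasan_reset_tag(src), n);
	return 0;
}

/* Model of the CONFIG_SLAB_FREELIST_HARDENED freelist_ptr(): decodes only at its own address. */
static void *freelist_ptr(struct kmem_cache *s, void *ptr, uintptr_t ptr_addr)
{
	uintptr_t addr = (uintptr_t)kasan_reset_tag((void *)ptr_addr);
	return (void *)((uintptr_t)ptr ^ s->random ^ __builtin_bswap64(addr));
}

static void set_freepointer(struct kmem_cache *s, void *object, void *fp)
{
	uintptr_t addr = (uintptr_t)kasan_reset_tag(object) + s->offset;
	*(void **)addr = freelist_ptr(s, fp, addr);
}

/* get_freepointer_safe() before the patch: the read goes through the tagged pointer
 * and, as in the kernel, its return value is ignored. */
static void *get_freepointer_safe_unpatched(struct kmem_cache *s, void *object)
{
	void *p = (void *)0xdeadbeefdeadbeefULL;   /* stands in for an uninitialised slot */
	uintptr_t freepointer_addr = (uintptr_t)object + s->offset;
	copy_from_kernel_nofault(&p, (void **)freepointer_addr, sizeof(p));
	return freelist_ptr(s, p, freepointer_addr);
}

/* get_freepointer_safe() with the patch applied. */
static void *get_freepointer_safe_patched(struct kmem_cache *s, void *object)
{
	void *p = (void *)0xdeadbeefdeadbeefULL;
	uintptr_t freepointer_addr;
	object = kasan_reset_tag(object);
	freepointer_addr = (uintptr_t)object + s->offset;
	copy_from_kernel_nofault(&p, (void **)freepointer_addr, sizeof(p));
	return freelist_ptr(s, p, freepointer_addr);
}

/* Link obj0 -> obj1 -> NULL, then walk from a pointer to obj0 whose tag no longer
 * matches obj0's memory tag (assumption: memory re-tagged after the pointer was taken).
 * Returns 1 when the stale-tag read fails, the patched walk yields obj1, the unpatched does not. */
static int demo(void)
{
	struct kmem_cache s = { .offset = OBJ_SIZE / 2, .random = 0x5a5a1234abcd0001ULL };
	void *obj0 = slab, *obj1 = slab + OBJ_SIZE, *p = NULL, *stale;
	int err;
	memset(slab, 0, sizeof(slab));
	set_freepointer(&s, obj1, NULL);
	set_freepointer(&s, obj0, obj1);
	mem_tag[0] = 0x5c;              /* memory re-tagged... */
	stale = set_tag(obj0, 0x2a);    /* ...but this pointer still carries the old tag */
	err = copy_from_kernel_nofault(&p, (void *)((uintptr_t)stale + s.offset), sizeof(p));
	return err == -EFAULT &&
	       get_freepointer_safe_patched(&s, stale) == obj1 &&
	       get_freepointer_safe_unpatched(&s, stale) != obj1;
}

int main(void)
{
	printf("stale-tagged walk: %s\n", demo() ? "patched correct, unpatched corrupts" : "unexpected");
	return 0;
}
```

demo() builds the two-object freelist, hands both versions a pointer whose tag no longer matches, and returns 1 only when the unpatched walk decodes garbage while the patched one returns the next object. It also shows why the ignored return value of copy_from_kernel_nofault() matters in the real function: when the read fails, whatever was sitting in p goes straight into freelist_ptr().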

* Re: [PATCH] kasan: slab: always reset the tag in get_freepointer_safe()
From: Alexander Potapenko @ 2021-05-14 16:29 UTC
  To: akpm, Vincenzo Frascino, Catalin Marinas
  Cc: Marco Elver, Andrey Ryabinin, Andrey Konovalov, Elliot Berman,
	linux-kernel

On Fri, May 14, 2021 at 9:22 AM Alexander Potapenko <glider@google.com> wrote:
>
> With CONFIG_DEBUG_PAGEALLOC enabled, the kernel should also untag the
> object pointer, as done in get_freepointer().
>
> Failing to do so reportedly leads to SLUB freelist corruptions that
> manifest as boot-time crashes.
>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Marco Elver <elver@google.com>
> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Cc: Elliot Berman <eberman@codeaurora.org>
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Alexander Potapenko <glider@google.com>
> ---
>  mm/slub.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index feda53ae62ba..9a4f59e5b0c2 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -301,6 +301,7 @@ static inline void *get_freepointer_safe(struct kmem_cache *s, void *object)
>         if (!debug_pagealloc_enabled_static())
>                 return get_freepointer(s, object);
>
> +       object = kasan_reset_tag(object);
>         freepointer_addr = (unsigned long)object + s->offset;
>         copy_from_kernel_nofault(&p, (void **)freepointer_addr, sizeof(p));
>         return freelist_ptr(s, p, freepointer_addr);
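Review bot: the tag block above the diff carries no Fixes:, Reported-by: or Link: line, yet the description says the freelist corruption was "reportedly" observed, so neither the reporter nor the commit that introduced the mismatch with get_freepointer() is recorded. Please add those tags, and Cc: stable@vger.kernel.org if released kernels carry the same get_freepointer_safe(), so the fix can be backported and the report traced back.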
> --
> 2.31.1.751.gd2f1c929bd-goog
>


-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Halimah DeLaine Prado
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg

