Patchwork [linux-next,v2] mm/slub.c: add a naive detection of double free or corruption

login
register
mail settings
Submitter Alexander Popov
Date Aug. 11, 2017, 4:17 p.m.
Message ID <1502468246-1262-1-git-send-email-alex.popov@linux.com>
Download mbox | patch
Permalink /patch/9896273/
State New
Headers show

Comments

Alexander Popov - Aug. 11, 2017, 4:17 p.m.
Add an assertion similar to "fasttop" check in GNU C Library allocator
as a part of SLAB_FREELIST_HARDENED feature. An object added to a singly
linked freelist should not point to itself. That helps to detect some
double free errors (e.g. CVE-2017-2636) without slub_debug and KASAN.

Signed-off-by: Alexander Popov <alex.popov@linux.com>
---
 mm/slub.c | 4 ++++
 1 file changed, 4 insertions(+)
Christoph Lameter - Aug. 11, 2017, 5:26 p.m.
On Fri, 11 Aug 2017, Alexander Popov wrote:

> Add an assertion similar to "fasttop" check in GNU C Library allocator
> as a part of SLAB_FREELIST_HARDENED feature. An object added to a singly
> linked freelist should not point to itself. That helps to detect some
> double free errors (e.g. CVE-2017-2636) without slub_debug and KASAN.

Acked-by: Christoph Lameter <cl@linux.com>

Patch

diff --git a/mm/slub.c b/mm/slub.c
index b9c7f1a..77b2781 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -290,6 +290,10 @@  static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
 {
 	unsigned long freeptr_addr = (unsigned long)object + s->offset;
 
+#ifdef CONFIG_SLAB_FREELIST_HARDENED
+	BUG_ON(object == fp); /* naive detection of double free or corruption */
+#endif
+
 	*(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);
 }