| Message ID | 20230915105933.495735-2-matteorizzo@google.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Prevent cross-cache attacks in the SLUB allocator | expand |
On Fri, Sep 15, 2023 at 10:59:20AM +0000, Matteo Rizzo wrote: > slab_free_freelist_hook tries to read a freelist pointer from the > current object even when freeing a single object. This is invalid > because single objects don't actually contain a freelist pointer when > they're freed and the memory contains other data. This causes problems > for checking the integrity of freelist in get_freepointer. > > Signed-off-by: Matteo Rizzo <matteorizzo@google.com> > --- > mm/slub.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/mm/slub.c b/mm/slub.c > index f7940048138c..a7dae207c2d2 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -1820,7 +1820,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s, > > do { > object = next; > - next = get_freepointer(s, object); > + /* Single objects don't actually contain a freepointer */ > + if (object != old_tail) > + next = get_freepointer(s, object); > > /* If object's reuse doesn't have to be delayed */ > if (!slab_free_hook(s, object, slab_want_init_on_free(s))) { I find this loop's logic a bit weird, but, yes, this ends up being correct and avoids needless work. Reviewed-by: Kees Cook <keescook@chromium.org>
On Fri, Sep 15, 2023 at 7:59 PM Matteo Rizzo <matteorizzo@google.com> wrote: > > slab_free_freelist_hook tries to read a freelist pointer from the > current object even when freeing a single object. This is invalid > because single objects don't actually contain a freelist pointer when > they're freed and the memory contains other data. This causes problems > for checking the integrity of freelist in get_freepointer. > > Signed-off-by: Matteo Rizzo <matteorizzo@google.com> > --- > mm/slub.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/mm/slub.c b/mm/slub.c > index f7940048138c..a7dae207c2d2 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -1820,7 +1820,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s, > > do { > object = next; > - next = get_freepointer(s, object); > + /* Single objects don't actually contain a freepointer */ > + if (object != old_tail) > + next = get_freepointer(s, object); > > /* If object's reuse doesn't have to be delayed */ > if (!slab_free_hook(s, object, slab_want_init_on_free(s))) { > -- > 2.42.0.459.ge4e396fd5e-goog > Looks good to me, Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
diff --git a/mm/slub.c b/mm/slub.c index f7940048138c..a7dae207c2d2 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1820,7 +1820,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s, do { object = next; - next = get_freepointer(s, object); + /* Single objects don't actually contain a freepointer */ + if (object != old_tail) + next = get_freepointer(s, object); /* If object's reuse doesn't have to be delayed */ if (!slab_free_hook(s, object, slab_want_init_on_free(s))) {
slab_free_freelist_hook tries to read a freelist pointer from the current object even when freeing a single object. This is invalid because single objects don't actually contain a freelist pointer when they're freed and the memory contains other data. This causes problems for checking the integrity of freelist in get_freepointer. Signed-off-by: Matteo Rizzo <matteorizzo@google.com> --- mm/slub.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)