[PATCH] cachefilesd: Remove pointer poisoning code as it is likely to fail under ASLR
David Howells
dhowells at redhat.com
Sat May 20 03:36:39 AEST 2023
The pointer checking code assumes that addresses in the range 0x60000000 to
0x6fffffff are not going to be encountered and can thus be used to poison
dead pointers. Unfortunately, this assumption breaks occasionally on
systems with address space layout randomisation.
Remove the poisoning and, in particular, the poison checking which will cause
the process to abort with no message as to why.
Signed-off-by: David Howells <dhowells at redhat.com>
---
cachefilesd.c | 25 +++++++++----------------
1 file changed, 9 insertions(+), 16 deletions(-)
diff --git a/cachefilesd.c b/cachefilesd.c
index d4d236f..6c435f6 100644
--- a/cachefilesd.c
+++ b/cachefilesd.c
@@ -1092,7 +1092,6 @@ static void put_object(struct object *object)
parent = object->parent;
- memset(object, 0x6d, sizeof(struct object));
free(object);
if (parent)
@@ -1213,7 +1212,6 @@ static void insert_into_cull_table(struct object *object)
/* newest object in table will be displaced by this one */
put_object(cullbuild[0]);
- cullbuild[0] = (void *)(0x6b000000 | __LINE__);
object->usage++;
/* place directly in first slot if second is older */
@@ -1391,7 +1389,7 @@ next:
if (loop == nr_in_ready_table - 1) {
/* child was oldest object */
- cullready[--nr_in_ready_table] = (void *)(0x6b000000 | __LINE__);
+ cullready[--nr_in_ready_table] = NULL;
put_object(child);
goto removed;
}
@@ -1400,7 +1398,7 @@ next:
memmove(&cullready[loop],
&cullready[loop + 1],
(nr_in_ready_table - (loop + 1)) * sizeof(cullready[0]));
- cullready[--nr_in_ready_table] = (void *)(0x6b000000 | __LINE__);
+ cullready[--nr_in_ready_table] = NULL;
put_object(child);
goto removed;
}
@@ -1411,7 +1409,7 @@ next:
if (loop == nr_in_build_table - 1) {
/* child was oldest object */
- cullbuild[--nr_in_build_table] = (void *)(0x6b000000 | __LINE__);
+ cullbuild[--nr_in_build_table] = NULL;
put_object(child);
}
else if (loop < nr_in_build_table - 1) {
@@ -1419,7 +1417,7 @@ next:
memmove(&cullbuild[loop],
&cullbuild[loop + 1],
(nr_in_build_table - (loop + 1)) * sizeof(cullbuild[0]));
- cullbuild[--nr_in_build_table] = (void *)(0x6b000000 | __LINE__);
+ cullbuild[--nr_in_build_table] = NULL;
put_object(child);
}
@@ -1531,10 +1529,10 @@ static void decant_cull_table(void)
n = copy * sizeof(cullready[0]);
memcpy(cullready, cullbuild, n);
- memset(cullbuild, 0x6e, n);
+ memset(cullbuild, 0, n);
nr_in_ready_table = nr_in_build_table;
nr_in_build_table = 0;
- goto check;
+ return;
}
/* decant some of the build table if there's space */
@@ -1542,7 +1540,7 @@ static void decant_cull_table(void)
error("Less than zero space in ready table");
space = culltable_size - nr_in_ready_table;
if (space == 0)
- goto check;
+ return;
/* work out how much of the build table we can copy */
copy = avail = nr_in_build_table;
@@ -1559,16 +1557,11 @@ static void decant_cull_table(void)
nr_in_ready_table += copy;
memcpy(&cullready[0], &cullbuild[leave], copy * sizeof(cullready[0]));
- memset(&cullbuild[leave], 0x6b, copy * sizeof(cullbuild[0]));
+ memset(&cullbuild[leave], 0, copy * sizeof(cullbuild[0]));
nr_in_build_table = leave;
if (copy + leave > culltable_size)
error("Scan table exceeded (%d+%d)", copy, leave);
-
-check:
- for (loop = 0; loop < nr_in_ready_table; loop++)
- if (((long)cullready[loop] & 0xf0000000) == 0x60000000)
- abort();
}
/*****************************************************************************/
@@ -1645,6 +1638,6 @@ static void cull_objects(void)
if (cullready[nr_in_ready_table - 1]->cullable) {
cull_object(cullready[nr_in_ready_table - 1]);
- cullready[--nr_in_ready_table] = (void *)(0x6b000000 | __LINE__);
+ cullready[--nr_in_ready_table] = NULL;
}
}
More information about the Linux-erofs
mailing list