[kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support
Michael Ellerman
mpe at ellerman.id.au
Fri Jul 8 20:19:58 AEST 2016
Kees Cook <keescook at chromium.org> writes:
> On Thu, Jul 7, 2016 at 12:35 AM, Michael Ellerman <mpe at ellerman.id.au> wrote:
>> I gave this a quick spin on powerpc, it blew up immediately :)
>
> Wheee :) This series is rather easy to test: blows up REALLY quickly
> if it's wrong. ;)
Better than subtle race conditions which is the usual :)
>> diff --git a/mm/slub.c b/mm/slub.c
>> index 0c8ace04f075..66191ea4545a 100644
>> --- a/mm/slub.c
>> +++ b/mm/slub.c
>> @@ -3630,6 +3630,9 @@ const char *__check_heap_object(const void *ptr, unsigned long n,
>> /* Find object. */
>> s = page->slab_cache;
>>
>> + /* Subtract red zone if enabled */
>> + ptr = restore_red_left(s, ptr);
>> +
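Review bot: the comment "Subtract red zone if enabled" on the first added line reads as if this hunk tests the red-zone flag, but the hunk calls restore_red_left() unconditionally, exactly as the quoted check_valid_pointer() does; reword it so the reader knows the decision is inside the helper, e.g. `/* restore_red_left() steps back over the left red zone when red zoning is on */`. It would also help to say in the same comment that every offset computed below this point is now relative to the slot start, so the later `% s->size` stride must match the one check_valid_pointer() uses, which is the s->size versus size_from_object() question raised in the reply.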
>
> Ah, interesting. Just to make sure: you've built with
> CONFIG_SLUB_DEBUG and either CONFIG_SLUB_DEBUG_ON or booted with
> either slub_debug or slub_debug=z ?
Yeah built with CONFIG_SLUB_DEBUG_ON, and booted with and without slub_debug
options.
> Thanks for the slub fix!
>
> I wonder if this code should be using size_from_object() instead of s->size?
Hmm, not sure. Who's SLUB maintainer? :)
I was modelling it on the logic in check_valid_pointer(), which also does the
restore_red_left(), and then checks for % s->size:
static inline int check_valid_pointer(struct kmem_cache *s,
				struct page *page, void *object)
{
	void *base;

	if (!object)
		return 1;

	base = page_address(page);
	/* step back over the left red zone to the slot start */
	object = restore_red_left(s, object);
	/* in range, and on an s->size stride from the page base */
	if (object < base || object >= base + page->objects * s->size ||
		(object - base) % s->size) {
		return 0;
	}

	return 1;
}
cheers
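An added example, not code from this thread or from mm/slub.c: a user-space model of the red-zone pointer arithmetic discussed above. The kmem_cache and page structs, the SLAB_RED_ZONE bit, the pad width and the object sizes are all assumed for the demonstration; restore_red_left() and check_valid_pointer() follow the shape of the slub.c functions quoted in the mail, and check_heap_object() models the offset test in __check_heap_object() both without and with the restore_red_left() adjustment, so the false rejection that "blew up" on a red-zoned cache can be reproduced next to the fixed behaviour.

```c
/*
 * User-space model of SLUB red-zone pointer arithmetic (added example).
 * Nothing here is kernel code; sizes and the flag bit are made up.
 */
#include <stdio.h>
#include <string.h>

#define SLAB_RED_ZONE 0x400UL	/* assumed flag bit, model only */

struct kmem_cache {
	unsigned long flags;
	unsigned int object_size;	/* bytes handed out to the caller */
	unsigned int red_left_pad;	/* red zone before each object, 0 if off */
	unsigned int size;		/* slot stride: left pad + object + right pad */
};

struct page {
	char *base;			/* page_address(page) */
	unsigned int objects;
};

/* restore_red_left(): walk back over the left red zone to the slot start. */
static void *restore_red_left(struct kmem_cache *s, void *p)
{
	if (s->flags & SLAB_RED_ZONE)
		p = (char *)p - s->red_left_pad;
	return p;
}

/* Same logic as the check_valid_pointer() quoted in the mail. */
static int check_valid_pointer(struct kmem_cache *s, struct page *page, void *object)
{
	char *base, *obj;

	if (!object)
		return 1;
	base = page->base;
	obj = restore_red_left(s, object);
	if (obj < base || obj >= base + page->objects * s->size ||
	    (obj - base) % s->size)
		return 0;
	return 1;
}

/*
 * Model of the __check_heap_object() offset test.  fix == 0 takes the
 * offset from the red-zoned pointer directly (what blew up on powerpc);
 * fix == 1 subtracts the red zone first.  0 = [ptr, ptr+n) is inside one
 * object, -1 = rejected.
 */
static int check_heap_object(struct kmem_cache *s, struct page *page,
			     const void *ptr, unsigned long n, int fix)
{
	char *p = (char *)ptr;
	unsigned long offset;

	if (fix)
		p = restore_red_left(s, p);
	if (p < page->base || p >= page->base + page->objects * s->size)
		return -1;
	/* offset of p within its slot; intra-object only once the pad is gone */
	offset = (unsigned long)(p - page->base) % s->size;
	if (offset <= s->object_size && n <= s->object_size - offset)
		return 0;
	return -1;
}

static char slab_mem[4096];	/* constructed stand-in for one slab page */

/* 64-byte objects, 16-byte pads on both sides when red zoning is on. */
static void setup(struct kmem_cache *s, struct page *pg, int red_zone)
{
	s->flags = red_zone ? SLAB_RED_ZONE : 0;
	s->object_size = 64;
	s->red_left_pad = red_zone ? 16 : 0;
	s->size = s->red_left_pad + s->object_size + (red_zone ? 16 : 0);
	pg->base = slab_mem;
	pg->objects = sizeof(slab_mem) / s->size;
}

/* The pointer the allocator would hand out for object i. */
static void *object_ptr(struct kmem_cache *s, struct page *pg, unsigned int i)
{
	return pg->base + i * s->size + s->red_left_pad;
}

/* 1 if copying n bytes from object i at intra-object offset off is accepted. */
static int usercopy_ok(int red_zone, int fix, unsigned int i,
		       unsigned int off, unsigned long n)
{
	struct kmem_cache s;
	struct page pg;

	setup(&s, &pg, red_zone);
	return check_heap_object(&s, &pg, (char *)object_ptr(&s, &pg, i) + off,
				 n, fix) == 0;
}

/* 1 if check_valid_pointer() accepts object i's pointer shifted by off. */
static int pointer_valid(int red_zone, unsigned int i, unsigned int off)
{
	struct kmem_cache s;
	struct page pg;

	setup(&s, &pg, red_zone);
	return check_valid_pointer(&s, &pg, (char *)object_ptr(&s, &pg, i) + off);
}

int main(void)
{
	printf("red zone, no fix, copy whole object: %s\n",
	       usercopy_ok(1, 0, 2, 0, 64) ? "accepted" : "REJECTED");
	printf("red zone, fixed,  copy whole object: %s\n",
	       usercopy_ok(1, 1, 2, 0, 64) ? "accepted" : "REJECTED");
	printf("red zone, fixed,  copy 65 bytes:     %s\n",
	       usercopy_ok(1, 1, 2, 0, 65) ? "accepted" : "REJECTED");
	return 0;
}
```

The unfixed variant sees an offset of red_left_pad for every object pointer, so any copy of the full object is refused on a red-zoned cache, while the fixed variant accepts it and still refuses a copy that runs one byte past object_size, one that straddles the end of the object, or a pointer that lands in the next slot's left red zone; with red zoning off the two variants agree.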