Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751373AbdGQQpW (ORCPT ); Mon, 17 Jul 2017 12:45:22 -0400 Received: from mail-lf0-f66.google.com ([209.85.215.66]:35909 "EHLO mail-lf0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751291AbdGQQpU (ORCPT ); Mon, 17 Jul 2017 12:45:20 -0400 From: Alexander Popov To: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, keescook@chromium.org, alex.popov@linux.com Subject: [PATCH 1/1] mm/slub.c: add a naive detection of double free or corruption Date: Mon, 17 Jul 2017 19:45:07 +0300 Message-Id: <1500309907-9357-1-git-send-email-alex.popov@linux.com> X-Mailer: git-send-email 2.7.4 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 832 Lines: 25 Add an assertion similar to "fasttop" check in GNU C Library allocator: an object added to a singly linked freelist should not point to itself. That helps to detect some double free errors (e.g. CVE-2017-2636) without slub_debug and KASAN. Testing with hackbench doesn't show any noticeable performance penalty. Signed-off-by: Alexander Popov --- mm/slub.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/slub.c b/mm/slub.c index 1d3f983..a106939b 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -261,6 +261,7 @@ static inline void *get_freepointer_safe(struct kmem_cache *s, void *object) static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp) { + BUG_ON(object == fp); /* naive detection of double free or corruption */ *(void **)(object + s->offset) = fp; } -- 2.7.4