Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751353AbdGQRzG (ORCPT ); Mon, 17 Jul 2017 13:55:06 -0400 Received: from bombadil.infradead.org ([65.50.211.133]:41619 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751312AbdGQRzF (ORCPT ); Mon, 17 Jul 2017 13:55:05 -0400 Date: Mon, 17 Jul 2017 10:54:59 -0700 From: Matthew Wilcox To: Alexander Popov Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, keescook@chromium.org Subject: Re: [PATCH 1/1] mm/slub.c: add a naive detection of double free or corruption Message-ID: <20170717175459.GC14983@bombadil.infradead.org> References: <1500309907-9357-1-git-send-email-alex.popov@linux.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1500309907-9357-1-git-send-email-alex.popov@linux.com> User-Agent: Mutt/1.8.0 (2017-02-23) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 690 Lines: 15 On Mon, Jul 17, 2017 at 07:45:07PM +0300, Alexander Popov wrote: > Add an assertion similar to "fasttop" check in GNU C Library allocator: > an object added to a singly linked freelist should not point to itself. > That helps to detect some double free errors (e.g. CVE-2017-2636) without > slub_debug and KASAN. Testing with hackbench doesn't show any noticeable > performance penalty. > { > + BUG_ON(object == fp); /* naive detection of double free or corruption */ > *(void **)(object + s->offset) = fp; > } Is BUG() the best response to this situation? If it's a corruption, then yes, but if we spot a double-free, then surely we should WARN() and return without doing anything?