From: Christopher Lameter
To: Kees Cook
Cc: Alexander Popov, Andrew Morton, Pekka Enberg, David Rientjes, Joonsoo Kim, "Paul E. McKenney", Ingo Molnar, Josh Triplett, Andy Lutomirski, Nicolas Pitre, Tejun Heo, Daniel Mack, Sebastian Andrzej Siewior, Sergey Senozhatsky, Helge Deller, Rik van Riel, Linux-MM, Tycho Andersen, LKML, kernel-hardening@lists.openwall.com
Subject: Re: [v3] mm: Add SLUB free list pointer obfuscation
Date: Wed, 26 Jul 2017 09:08:01 -0500 (CDT)
References: <20170706002718.GA102852@beast>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 25 Jul 2017, Kees Cook wrote:
> > @@ -290,6 +290,10 @@ static inline void set_freepointer(struct kmem_cache *s,
> > void *object, void *fp)
> > {
> > unsigned long freeptr_addr = (unsigned long)object + s->offset;
> >
> > +#ifdef CONFIG_SLAB_FREELIST_HARDENED
> > + BUG_ON(object == fp); /* naive detection of double free or corruption */
> > +#endif
> > +
> > *(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);
>
> What happens if, instead of BUG_ON, we do:
>
> if (unlikely(WARN_RATELIMIT(object == fp, "double-free detected"))
> return;

This may work for the free fastpath but the set_freepointer function is
used in multiple other locations. Maybe just add this to the fastpath
instead of to this function?
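Review bot: the `BUG_ON(object == fp)` check only fires when the object being freed is already the head of the free list, so it catches `free(a); free(a)` but not `free(a); free(b); free(a)`, and it says nothing about a free pointer that was overwritten with some other value; the in-line comment calls it "naive", but the changelog or the help text of CONFIG_SLAB_FREELIST_HARDENED should spell that limit out so the option is not read as a general double-free detector. Also, because the check lives in `set_freepointer()`, a generic helper, rather than in the free path, any variant that returns early instead of crashing would skip the store `*(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);` for every caller of the helper, so a WARN-and-return form belongs in the free fastpath, not in this function.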
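To make the trade-off under discussion concrete, here is an added user-space model of a SLUB-style free list with obfuscated free pointers and the `object == fp` check. It is example code written for this thread, not code from the kernel or from the patch: `freelist_ptr()` uses an assumed XOR-with-secret-and-address scheme (the patch's real transform is not shown here), `slab_init()`, `slab_alloc()` and `slab_free()` are minimal stand-ins for the allocator paths, the secret is a fixed constant in place of `get_random_long()`, and the check reports an error to the caller instead of calling `BUG_ON()` so the program can keep running. It goes slightly beyond the hunk by also exercising the case the check misses, `free(a); free(b); free(a)`, which is what the "naive" in the patch comment refers to.

```c
/* Added example, not kernel code: a user-space model of a SLUB-style free
 * list with obfuscated free pointers and the "object == fp" double-free check.
 * freelist_ptr() is an assumed XOR scheme and the allocator is a stand-in. */
#include <stddef.h>

#define OBJ_SIZE 64
#define NOBJS    4

struct kmem_cache {
	size_t offset;        /* position of the free pointer inside an object */
	unsigned long random; /* per-cache secret mixed into stored pointers */
	void *freelist;       /* head of the free list */
};

/* Backing store for one slab; slab_init() threads it into a free list. */
static unsigned long slab_storage[NOBJS * OBJ_SIZE / sizeof(unsigned long)];

/* Assumed obfuscation: XOR with a secret and with the slot's own address, so
 * the same raw pointer is stored as a different word in every object. */
static void *freelist_ptr(const struct kmem_cache *s, void *ptr, unsigned long ptr_addr)
{
	return (void *)((unsigned long)ptr ^ s->random ^ ptr_addr);
}

static void *get_freepointer(const struct kmem_cache *s, void *object)
{
	unsigned long freeptr_addr = (unsigned long)object + s->offset;
	return freelist_ptr(s, *(void **)freeptr_addr, freeptr_addr);
}

/* Same test as the hunk's BUG_ON(object == fp), reported instead of crashing. */
static int set_freepointer(struct kmem_cache *s, void *object, void *fp)
{
	unsigned long freeptr_addr = (unsigned long)object + s->offset;
	if (object == fp)
		return -1; /* object is already the list head: double free */
	*(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);
	return 0;
}

static void slab_init(struct kmem_cache *s, void *mem, size_t nobjs)
{
	unsigned char *base = mem;
	s->offset = 0;
	s->random = 0x5f3759df4e6f9c2bUL; /* stand-in for get_random_long() */
	s->freelist = NULL;
	for (size_t i = nobjs; i-- > 0;) { /* back to front: object 0 is the head */
		void *object = base + i * OBJ_SIZE;
		set_freepointer(s, object, s->freelist);
		s->freelist = object;
	}
}

static void *slab_alloc(struct kmem_cache *s)
{
	void *object = s->freelist;
	if (object)
		s->freelist = get_freepointer(s, object);
	return object;
}

/* Free fastpath: push the object in front of the current head, or fail. */
static int slab_free(struct kmem_cache *s, void *object)
{
	if (set_freepointer(s, object, s->freelist) != 0)
		return -1;
	s->freelist = object;
	return 0;
}

/* Returns 1 if the check fires on the second free of a, 0 if it is missed.
 * interleave == 0: free(a); free(a)          -> a is the head, detected
 * interleave == 1: free(a); free(b); free(a) -> a is second, not detected */
int double_free_detected(int interleave)
{
	struct kmem_cache s;
	void *a, *b;
	slab_init(&s, slab_storage, NOBJS);
	a = slab_alloc(&s);
	b = slab_alloc(&s);
	if (slab_free(&s, a) != 0)
		return -1; /* a legitimate first free must never be flagged */
	if (interleave)
		slab_free(&s, b);
	return slab_free(&s, a) == -1;
}

/* Returns 1: the word in the head object is not the raw next pointer, yet
 * decodes to object 1, the next object in the slab. */
int stored_pointer_is_obfuscated(void)
{
	struct kmem_cache s;
	void *head, *raw, *next;
	slab_init(&s, slab_storage, NOBJS);
	head = s.freelist;
	raw = *(void **)((unsigned long)head + s.offset);
	next = get_freepointer(&s, head);
	return raw != next && next == (void *)((unsigned char *)head + OBJ_SIZE);
}
```

`double_free_detected(0)` returns 1 and `double_free_detected(1)` returns 0, which is the whole point of the "naive" qualifier: the comparison is cheap and costs nothing on the hot path, but it only sees the freed object against the current head. In this model the early return that Kees proposes lands inside `set_freepointer()` as well, and it is harmless only because `slab_free()` is the one caller whose argument can already be on the list; `slab_init()` ignores the return value, which is the situation Christopher is pointing at for the other callers in the real code.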