From: Kees Cook
Date: Wed, 26 Jul 2017 09:20:56 -0700
Subject: Re: [v3] mm: Add SLUB free list pointer obfuscation
To: Christopher Lameter
Cc: Alexander Popov, Andrew Morton, Pekka Enberg, David Rientjes, Joonsoo Kim, "Paul E. McKenney", Ingo Molnar, Josh Triplett, Andy Lutomirski, Nicolas Pitre, Tejun Heo, Daniel Mack, Sebastian Andrzej Siewior, Sergey Senozhatsky, Helge Deller, Rik van Riel, Linux-MM, Tycho Andersen, LKML, "kernel-hardening@lists.openwall.com"
References: <20170706002718.GA102852@beast>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 26, 2017 at 7:08 AM, Christopher Lameter wrote:
> On Tue, 25 Jul 2017, Kees Cook wrote:
>
>> > @@ -290,6 +290,10 @@ static inline void set_freepointer(struct kmem_cache *s, >> > void *object, void *fp) >> > { >> > unsigned long freeptr_addr = (unsigned long)object + s->offset; >> > >> > +#ifdef CONFIG_SLAB_FREELIST_HARDENED >> > + BUG_ON(object == fp); /* naive detection of double free or corruption */ >> > +#endif >> > + >> > *(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);
>>
>> What happens if, instead of BUG_ON, we do:
>>
>> if (unlikely(WARN_RATELIMIT(object == fp, "double-free detected")))
>>         return;
>
> This may work for the free fastpath but the set_freepointer function is
> used in multiple other locations. Maybe just add this to the fastpath
> instead of to this function?

Do you mean do_slab_free()?

-Kees

-- 
Kees Cook
Pixel Security
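
Review bot: The BUG_ON(object == fp) added at the top of set_freepointer() fires only when the next-free pointer about to be stored equals the object it is stored in, so the comment "naive detection of double free or corruption" should state that limit explicitly: a repeated free of the same object with any other object linked in between passes this comparison. BUG_ON also takes the machine down for a condition that could be handled by skipping the store, and because the check sits in set_freepointer() it runs for every caller of that helper, not only the free path. Consider a ratelimited warning with an early return placed at the free call site, and guard it with IS_ENABLED(CONFIG_SLAB_FREELIST_HARDENED) rather than an #ifdef block inside the function body.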
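
What the object == fp comparison discussed in this thread catches and what it misses, as an added user-space example that is not part of the original message or of the kernel patch. The toy_* names, the XOR encoding inside toy_freelist_ptr() and the secret value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model (constructed): one cache, a LIFO freelist, and the next-free
 * pointer stored at offset 0 of every free object. */
struct toy_cache {
    void *freelist;     /* head of the free list */
    uintptr_t secret;   /* per-cache value mixed into stored pointers */
};

/* Assumed encoding: pointer XOR secret XOR the address it is stored at. */
static void *toy_freelist_ptr(const struct toy_cache *s, void *ptr, uintptr_t addr)
{
    return (void *)((uintptr_t)ptr ^ s->secret ^ addr);
}

/* Free path using warn-and-skip instead of BUG_ON.
 * Returns 0 when the object was linked, -1 when the check refused it. */
static int toy_free(struct toy_cache *s, void *object)
{
    void *fp = s->freelist;

    if (object == fp)   /* same comparison as in the quoted hunk */
        return -1;
    *(void **)object = toy_freelist_ptr(s, fp, (uintptr_t)object);
    s->freelist = object;
    return 0;
}

/* Decode the next-free pointer held in a free object. */
static void *toy_next(const struct toy_cache *s, void *object)
{
    return toy_freelist_ptr(s, *(void **)object, (uintptr_t)object);
}

/* Free a, then b (when non-NULL), then a again.
 * Returns 1 if the second free of a was refused, 0 if it went through and
 * left the cycle a -> b -> a on the freelist, -1 on any other outcome. */
static int toy_double_free_caught(void *a, void *b)
{
    struct toy_cache s = { NULL, (uintptr_t)0x5a5a5a5a };

    toy_free(&s, a);
    if (b)
        toy_free(&s, b);
    if (toy_free(&s, a) == -1)
        return 1;
    return toy_next(&s, toy_next(&s, a)) == a ? 0 : -1;
}
```

A cycle on the freelist means two later allocations can be handed the same object, which is why the comparison is only a partial defence.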