Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3920714pxj; Mon, 21 Jun 2021 09:24:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJytFCjnhhd3seNU1Ax+O0ZPCV2VOTG/5MGpaBt8tF6W8qLdku8n4PI2P97BZKxgtCBCoe+m X-Received: by 2002:a05:6e02:cd1:: with SMTP id c17mr6203257ilj.86.1624292642678; Mon, 21 Jun 2021 09:24:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624292642; cv=none; d=google.com; s=arc-20160816; b=q96PuqXt0L1YQqULbuMYLK0r9jisHLIHEUwZhjqe6X40dzE6w9Dl3xdzNDlfFTgOQh fxgwAOaCymRKGFXch1LDko4xGL+rL24L6Ls+eRLAB4aojdv2FB0tsugCQ0JVwgImFo2z h4vGzIFKHmImn+A1sO95R9fYwkMSk88cjE4wKq7pkzSDJmruhHI6+VPqJuDkpw7nVR82 ml/kosUtio+rQBU9k1PO8XzJZakyINDYsMQ0KbTbdp9h9GlK1EyC6sVF80Bd7DlcpDbG jdv/P7MJDhjckPBOz6PhYSKiV9slGOzkb/5pK+Fvwu/BjRx+G48Jvd8sowALHmLScrRB HCnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=QOZ1k4QQwJ5uBy8TVvArp0m5IqtugdtUrIErs8JuFQE=; b=yPLKBTAJyqBKeFkfTJbBH36LYs5+QpYxfdHbV+zBo7RrzBsY69huTmVxUH/E0FOutc dSoo8Qo9ohCavjDXhJfExpimaBCTTWJm82DA+O7uOSpVbGf+JiYMYYrl4mCMtE0QrL8S k1HX4irxrFy8HFAnCvE4wlArwUr6p0VxKHc9s15Dv2wHH8eYeFxLsfsGzfIrufEdJs61 LAQRmNo0xevxlKp05YCyTfypMgvOIcqlNZlfBbIaEudd1beMqoHv0h4612dhg7KB1rZl pmA3RCVW2+w/lT0Y2GCsn2njUon4IN2iWsuYMRfWzhNIMPgsDvm/JxYfYOnJk5mbr442 zK9w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=amshJI2X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r14si14160439ila.121.2021.06.21.09.23.50; Mon, 21 Jun 2021 09:24:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=amshJI2X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232172AbhFUQZd (ORCPT + 99 others); Mon, 21 Jun 2021 12:25:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:40508 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231855AbhFUQX4 (ORCPT ); Mon, 21 Jun 2021 12:23:56 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 80DAE613B1; Mon, 21 Jun 2021 16:20:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1624292453; bh=JpF9PHmnLFcRm9SP4W7S5Qc4n7/hmkgnJicBGZ+qye8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=amshJI2XtveEBh3hVVgaOx06fM/Zwa6k0J/0PquFClfD+eqGv5MO8UBsi1HIYzq0M tQ/2LwBxxWvYMH5etYJMqpYs4fFmkSB27Ld1bOMElGXBlmMzvjz0mhjkAozvzdfT5z oCCQNU/J5DlQ3Vvwv4xXvWP23t8sDQZ1cPQPv9AM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook , Vlastimil Babka , Christoph Lameter , David Rientjes , Joonsoo Kim , "Lin, Zhenpeng" , Marco Elver , Pekka Enberg , Roman Gushchin , Andrew Morton , Linus Torvalds Subject: [PATCH 5.4 79/90] mm/slub: fix redzoning for small allocations Date: Mon, 21 Jun 2021 18:15:54 +0200 Message-Id: <20210621154906.829857412@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210621154904.159672728@linuxfoundation.org> References: <20210621154904.159672728@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook commit 74c1d3e081533825f2611e46edea1fcdc0701985 upstream. The redzone area for SLUB exists between s->object_size and s->inuse (which is at least the word-aligned object_size). If a cache were created with an object_size smaller than sizeof(void *), the in-object stored freelist pointer would overwrite the redzone (e.g. with boot param "slub_debug=ZF"): BUG test (Tainted: G B ): Right Redzone overwritten ----------------------------------------------------------------------------- INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200 INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620 Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........ Object (____ptrval____): f6 f4 a5 40 1d e8 ...@.. Redzone (____ptrval____): 1a aa .. Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........ Store the freelist pointer out of line when object_size is smaller than sizeof(void *) and redzoning is enabled. Additionally remove the "smaller than sizeof(void *)" check under CONFIG_DEBUG_VM in kmem_cache_sanity_check() as it is now redundant: SLAB and SLOB both handle small sizes. (Note that no caches within this size range are known to exist in the kernel currently.) Link: https://lkml.kernel.org/r/20210608183955.280836-3-keescook@chromium.org Fixes: 81819f0fc828 ("SLUB core") Signed-off-by: Kees Cook Acked-by: Vlastimil Babka Cc: Christoph Lameter Cc: David Rientjes Cc: Joonsoo Kim Cc: "Lin, Zhenpeng" Cc: Marco Elver Cc: Pekka Enberg Cc: Roman Gushchin Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- mm/slab_common.c | 3 +-- mm/slub.c | 8 +++++--- 2 files changed, 6 insertions(+), 5 deletions(-) --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -85,8 +85,7 @@ EXPORT_SYMBOL(kmem_cache_size); #ifdef CONFIG_DEBUG_VM static int kmem_cache_sanity_check(const char *name, unsigned int size) { - if (!name || in_interrupt() || size < sizeof(void *) || - size > KMALLOC_MAX_SIZE) { + if (!name || in_interrupt() || size > KMALLOC_MAX_SIZE) { pr_err("kmem_cache_create(%s) integrity check failed\n", name); return -EINVAL; } --- a/mm/slub.c +++ b/mm/slub.c @@ -3586,15 +3586,17 @@ static int calculate_sizes(struct kmem_c */ s->inuse = size; - if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || - s->ctor)) { + if ((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || + ((flags & SLAB_RED_ZONE) && s->object_size < sizeof(void *)) || + s->ctor) { /* * Relocate free pointer after the object if it is not * permitted to overwrite the first word of the object on * kmem_cache_free. * * This is the case if we do RCU, have a constructor or - * destructor or are poisoning the objects. + * destructor, are poisoning the objects, or are + * redzoning an object smaller than sizeof(void *). * * The assumption that s->offset >= s->inuse means free * pointer is outside of the object is used in the