linux-arm / linux-iv · Repository · include/linux/kasan.h
    mm/kasan: add object validation in ksize() · 0d4ca4c9
    Marco Elver authored Jul 11, 2019
    ksize() has been unconditionally unpoisoning the whole shadow memory
    region associated with an allocation.  This can lead to various undetected
    bugs, for example, double-kzfree().
    
    Specifically, kzfree() uses ksize() to determine the actual allocation
    size, and subsequently zeroes the memory.  Since ksize() used to just
    unpoison the whole shadow memory region, no invalid free was detected.
    
    This patch addresses this as follows:
    
    1. Add a check in ksize(), and only then unpoison the memory region.
    
    2. Preserve kasan_unpoison_slab() semantics by explicitly unpoisoning
       the shadow memory region using the size obtained from __ksize().
    
    Tested:
    1. With SLAB allocator: a) normal boot without warnings; b) verified the
       added double-kzfree() is detected.
    2. With SLUB allocator: a) normal boot without warnings; b) verified the
       added double-kzfree() is detected.
    
    [elver@google.com: s/BUG_ON/WARN_ON_ONCE/, per Kees]
      Link: http://lkml.kernel.org/r/20190627094445.216365-6-elver@google.com
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199359
    Link: http://lkml.kernel.org/r/20190626142014.141844-6-elver@google.com
    
    Signed-off-by: Marco Elver <elver@google.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Andrey Konovalov <andreyknvl@google.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
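As an added illustration, not the kernel's code and not part of this commit, the following user-space C model reproduces the situation the commit message describes: a byte-granular shadow map in which freed bytes are poisoned, a kzfree() that sizes the object via ksize() and then zeroes it, and the two ksize() behaviours, unconditional unpoisoning before the patch versus check-then-unpoison after it. The names ksize_old, ksize_new, the 32-byte object and the warning counter standing in for WARN_ON_ONCE are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model (assumption, not kernel code): one heap object with a
 * byte-granular shadow map; shadow[i] == 1 means byte i is poisoned,
 * i.e. freed and not legitimately accessible. */
#define OBJ_SIZE 32
static unsigned char obj[OBJ_SIZE];
static unsigned char shadow[OBJ_SIZE];
static int warnings;  /* stands in for WARN_ON_ONCE() firing */

static void poison(void)   { memset(shadow, 1, sizeof shadow); }
static void unpoison(void) { memset(shadow, 0, sizeof shadow); }

/* Pre-patch behaviour: ksize() unconditionally unpoisons the whole
 * region, so a freed object silently looks live again. */
static size_t ksize_old(void) {
    unpoison();
    return OBJ_SIZE;
}

/* Post-patch behaviour: validate the object first (is its first byte
 * readable?), report an invalid object, and only then unpoison. */
static size_t ksize_new(void) {
    if (shadow[0]) {   /* object is poisoned: access is invalid */
        warnings++;
        return 0;
    }
    unpoison();
    return OBJ_SIZE;
}

/* kzfree(): obtain the real size via ksize(), zero it, then free it. */
static void kzfree_model(size_t (*ksize)(void)) {
    size_t n = ksize();
    if (n == 0)
        return;        /* invalid object: do not touch it */
    memset(obj, 0, n);
    poison();          /* free: mark the region inaccessible */
}

/* Run a double-kzfree() and return how many warnings were raised. */
static int double_kzfree(size_t (*ksize)(void)) {
    warnings = 0;
    unpoison();            /* fresh allocation */
    kzfree_model(ksize);   /* first free: legitimate */
    kzfree_model(ksize);   /* second free: the bug to detect */
    return warnings;
}

int main(void) {
    printf("old ksize(): %d warnings\n", double_kzfree(ksize_old));
    printf("new ksize(): %d warnings\n", double_kzfree(ksize_new));
    return 0;
}
```

With the pre-patch ksize() the second kzfree() raises no warning; with the post-patch check it raises one.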