linux-iv / mm / slab_common.c
    mm/kasan: add object validation in ksize() · 0d4ca4c9
    Marco Elver authored Jul 11, 2019
    ksize() has been unconditionally unpoisoning the whole shadow memory
    region associated with an allocation.  This can lead to various undetected
    bugs, for example, double-kzfree().
    
    Specifically, kzfree() uses ksize() to determine the actual allocation
    size, and subsequently zeroes the memory.  Since ksize() used to just
    unpoison the whole shadow memory region, no invalid free was detected.
    
    This patch addresses this as follows:
    
    1. Add a check in ksize(), and only then unpoison the memory region.
    
    2. Preserve kasan_unpoison_slab() semantics by explicitly unpoisoning
       the shadow memory region using the size obtained from __ksize().
    
    Tested:
    1. With SLAB allocator: a) normal boot without warnings; b) verified the
       added double-kzfree() is detected.
    2. With SLUB allocator: a) normal boot without warnings; b) verified the
       added double-kzfree() is detected.
    
    [elver@google.com: s/BUG_ON/WARN_ON_ONCE/, per Kees]
      Link: http://lkml.kernel.org/r/20190627094445.216365-6-elver@google.com
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199359
    Link: http://lkml.kernel.org/r/20190626142014.141844-6-elver@google.com
    
    
    Signed-off-by: Marco Elver <elver@google.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Andrey Konovalov <andreyknvl@google.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
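The double-kzfree() scenario the commit message describes, as an added toy simulation that is not kernel code and not part of this commit. It models KASAN shadow memory with one shadow byte per object byte (real KASAN uses one per 8 bytes and instruments every access; here only ksize() consults the shadow), and contrasts the old unconditional unpoison with the patched validate-then-unpoison. All `toy_` names, the pool layout and the report counter are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the ksize()/KASAN interaction; not kernel code.
 * Shadow layout: one shadow byte per object byte. */
#define POOL_SIZE 256
#define SHADOW_OK   0x00  /* byte is addressable */
#define SHADOW_FREE 0xFF  /* byte belongs to a freed (or never allocated) object */

static unsigned char pool[POOL_SIZE];
static unsigned char shadow[POOL_SIZE];
static size_t obj_size[POOL_SIZE]; /* allocation size, indexed by object offset */
static size_t bump;                /* bump allocator: never reuses memory */
static int reports;                /* sanitizer reports raised (toy counts each one) */

static size_t off(const void *p) { return (size_t)((const unsigned char *)p - pool); }
static void toy_kasan_poison(const void *p, size_t n)   { memset(shadow + off(p), SHADOW_FREE, n); }
static void toy_kasan_unpoison(const void *p, size_t n) { memset(shadow + off(p), SHADOW_OK, n); }
static bool toy_kasan_check_byte(const void *p) { return shadow[off(p)] == SHADOW_OK; }

static void toy_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(shadow, SHADOW_FREE, sizeof shadow); /* nothing allocated yet: all poisoned */
    memset(obj_size, 0, sizeof obj_size);
    bump = 0;
    reports = 0;
}

void *toy_kmalloc(size_t n) {
    if (n == 0 || bump + n > POOL_SIZE) return NULL;
    void *p = pool + bump;
    obj_size[bump] = n;
    bump += n;
    toy_kasan_unpoison(p, n);
    return p;
}

/* __ksize(): raw allocator size, no sanitizer interaction. */
size_t toy___ksize(const void *p) { return obj_size[off(p)]; }

/* Behaviour before the patch: unpoison the whole region unconditionally,
 * so a freed object silently becomes "valid" again and the later free
 * of it is not detected. */
size_t toy_ksize_old(const void *p) {
    size_t n = toy___ksize(p);
    toy_kasan_unpoison(p, n);
    return n;
}

/* Behaviour after the patch: validate the object first. If its first byte
 * is poisoned, raise a report (WARN_ON_ONCE in the real patch) and return 0
 * so the caller does not touch the memory; only a valid object is unpoisoned. */
size_t toy_ksize_new(const void *p) {
    size_t n = toy___ksize(p);
    if (!toy_kasan_check_byte(p)) {
        reports++;
        return 0;
    }
    toy_kasan_unpoison(p, n);
    return n;
}

void toy_kfree(void *p) { toy_kasan_poison(p, toy___ksize(p)); }

/* kzfree(): determine the size via ksize(), zero the object, then free it. */
static void toy_kzfree(void *p, bool patched) {
    size_t n = patched ? toy_ksize_new(p) : toy_ksize_old(p);
    if (n) memset(p, 0, n);
    toy_kfree(p);
}

/* One allocation followed by `frees` kzfree() calls on it; returns how many
 * sanitizer reports were raised. A double kzfree() is `frees == 2`. */
int toy_reports_after(int frees, bool patched) {
    toy_reset();
    void *p = toy_kmalloc(32);
    for (int i = 0; i < frees; i++) toy_kzfree(p, patched);
    return reports;
}

int main(void) {
    printf("single kzfree, patched ksize: %d reports\n", toy_reports_after(1, true));
    printf("double kzfree, old ksize:     %d reports\n", toy_reports_after(2, false));
    printf("double kzfree, patched ksize: %d reports\n", toy_reports_after(2, true));
    return 0;
}
```

With the old ksize() the second kzfree() unpoisons the freed region before zeroing and freeing it, so nothing is reported; with the patched ksize() the poisoned first byte is caught before any unpoisoning happens, and a single kzfree() still raises no report.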