Currently, crash-utility still depends on detecting the kernel version,
or the asm instruction 'bswap' on X86 64/X86 architectures to decide how
to deal with the freelist ptr obfuscation, when kernel option
CONFIG_SLAB_FREELIST_HARDENED is enabled.
As you known, the bit diffusion for freelist ptr obfuscation has
experienced the changes several times on the kernel side, For most
distributions, usually they might backport these kernel patches from
upstream, especially for the old kernel, the 'kmem -s|-S' will fail with
an error "invalid freepointer", which can be observed on ppc64le and
S390x architectures, etc. That is really not friendly.
Given that, let's fix the above issues this time, and it won't rely
on the linux version number or asm instruction 'bswap' to decide how to
dereference the freelist ptr.
Reported-by: Lucas Oakley <soakley@xxxxxxxxxx>
Signed-off-by: Lianbo Jiang <lijiang@xxxxxxxxxx>
---
memory.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/memory.c b/memory.c
index 626c6039c6d9..562914ee9230 100644
--- a/memory.c
+++ b/memory.c
@@ -19654,9 +19654,12 @@ freelist_ptr(struct meminfo *si, ulong ptr, ulong ptr_addr)
if (VALID_MEMBER(kmem_cache_random)) {
/* CONFIG_SLAB_FREELIST_HARDENED */
- if (THIS_KERNEL_VERSION >= LINUX(5,7,0))
- ptr_addr = (sizeof(long) == 8) ? bswap_64(ptr_addr)
- : bswap_32(ptr_addr);
+ ulong addr = (sizeof(long) == 8) ? bswap_64(ptr_addr) : bswap_32(ptr_addr);
+ addr = ptr ^ si->random ^ addr;
+
+ if (!addr || accessible(addr))
+ return addr;
+
return (ptr ^ si->random ^ ptr_addr);
} else
return ptr;
--
2.37.1
--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/crash-utility
Contribution Guidelines: https://github.com/crash-utility/crash/wiki
