Re: [PATCH 2/2] Fix "kmem -s|-S" not working properly when CONFIG_SLAB_FREELIST_HARDENED is enabled

Rafael Aquini <aquini@xxxxxxxxxx> · Wed, 16 Aug 2023 08:09:32 -0400

On Mon, Aug 14, 2023 at 09:54:24AM +0800, Lianbo Jiang wrote:
> Currently, crash-utility still depends on detecting the kernel version,
> or the asm instruction 'bswap' on X86 64/X86 architectures to decide how
> to deal with the freelist ptr obfuscation, when kernel option
> CONFIG_SLAB_FREELIST_HARDENED is enabled.
> 
> As you known, the bit diffusion for freelist ptr obfuscation has
> experienced the changes several times on the kernel side, For most
> distributions, usually they might backport these kernel patches from
> upstream, especially for the old kernel, the 'kmem -s|-S' will fail with
> an error "invalid freepointer", which can be observed on ppc64le and
> S390x architectures, etc. That is really not friendly.
> 
> Given that, let's fix the above issues this time, and it won't rely
> on the linux version number or asm instruction 'bswap' to decide how to
> dereference the freelist ptr.
> 
> Reported-by: Lucas Oakley <soakley@xxxxxxxxxx>
> Signed-off-by: Lianbo Jiang <lijiang@xxxxxxxxxx>
> ---
>  memory.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/memory.c b/memory.c
> index 626c6039c6d9..562914ee9230 100644
> --- a/memory.c
> +++ b/memory.c
> @@ -19654,9 +19654,12 @@ freelist_ptr(struct meminfo *si, ulong ptr, ulong ptr_addr)
>  	if (VALID_MEMBER(kmem_cache_random)) {
>  		/* CONFIG_SLAB_FREELIST_HARDENED */
>  
> -		if (THIS_KERNEL_VERSION >= LINUX(5,7,0))
> -			ptr_addr = (sizeof(long) == 8) ? bswap_64(ptr_addr)
> -						       : bswap_32(ptr_addr);
> +		ulong addr = (sizeof(long) == 8) ? bswap_64(ptr_addr) : bswap_32(ptr_addr);
> +		addr = ptr ^ si->random ^ addr;
> +
> +		if (!addr || accessible(addr))
> +			return addr;
> +
>  		return (ptr ^ si->random ^ ptr_addr);
>  	} else
>  		return ptr;
> -- 
> 2.37.1
>

Lucas and I finished testing this set across x86_64, AARCH64, PPC64LE and
S390X with no hiccups observed.

Thanks for following it up!

Acked-by: Rafael Aquini <aquini@xxxxxxxxxx>

--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/crash-utility
Contribution Guidelines: https://github.com/crash-utility/crash/wiki