On 6/8/21 8:39 PM, Kees Cook wrote: > The redzone area for SLUB exists between s->object_size and s->inuse > (which is at least the word-aligned object_size). If a cache were created > with an object_size smaller than sizeof(void *), the in-object stored > freelist pointer would overwrite the redzone (e.g. with boot param > "slub_debug=ZF"): > > BUG test (Tainted: G B ): Right Redzone overwritten > ----------------------------------------------------------------------------- > > INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb > INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200 > INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620 > > Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........ > Object (____ptrval____): f6 f4 a5 40 1d e8 ...@.. > Redzone (____ptrval____): 1a aa .. > Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........ > > Store the freelist pointer out of line when object_size is smaller than > sizeof(void *) and redzoning is enabled. > > Additionally remove the "smaller than sizeof(void *)" check under > CONFIG_DEBUG_VM in kmem_cache_sanity_check() as it is now redundant: > SLAB and SLOB both handle small sizes. > > (Note that no caches within this size range are known to exist in the > kernel currently.) > > Fixes: 81819f0fc828 ("SLUB core") > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Acked-by: Vlastimil Babka <vbabka@xxxxxxx> > --- > mm/slab_common.c | 3 +-- > mm/slub.c | 8 +++++--- > 2 files changed, 6 insertions(+), 5 deletions(-) > > diff --git a/mm/slab_common.c b/mm/slab_common.c > index a4a571428c51..7cab77655f11 100644 > --- a/mm/slab_common.c > +++ b/mm/slab_common.c > @@ -97,8 +97,7 @@ EXPORT_SYMBOL(kmem_cache_size); > #ifdef CONFIG_DEBUG_VM > static int kmem_cache_sanity_check(const char *name, unsigned int size) > { > - if (!name || in_interrupt() || size < sizeof(void *) || > - size > KMALLOC_MAX_SIZE) { > + if (!name || in_interrupt() || size > KMALLOC_MAX_SIZE) { > pr_err("kmem_cache_create(%s) integrity check failed\n", name); > return -EINVAL; > } > diff --git a/mm/slub.c b/mm/slub.c > index f91d9fe7d0d8..f58cfd456548 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -3734,15 +3734,17 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > */ > s->inuse = size; > > - if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || > - s->ctor)) { > + if ((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || > + ((flags & SLAB_RED_ZONE) && s->object_size < sizeof(void *)) || > + s->ctor) { > /* > * Relocate free pointer after the object if it is not > * permitted to overwrite the first word of the object on > * kmem_cache_free. > * > * This is the case if we do RCU, have a constructor or > - * destructor or are poisoning the objects. > + * destructor, are poisoning the objects, or are > + * redzoning an object smaller than sizeof(void *). > * > * The assumption that s->offset >= s->inuse means free > * pointer is outside of the object is used in the >