On Thu, Oct 3, 2013 at 10:58 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > On Thu, Oct 03, 2013 at 09:34:11AM -0700, Kees Cook wrote: >> In dentry_string_cmp (via__d_lookup_rcu), when CONFIG_DCACHE_WORD_ACCESS >> is set, word-width memory reads are performed. However, the string >> allocation size may not be a multiple of the word size. To avoid reading >> past the end of such an allocation, we must allocate in multiples of >> the word size. > > grep ^kmalloc /proc/slabinfo. Observe the suffix after "kmalloc-"... > > IOW, kmalloc() does round its argument up. Seeing that we allocate an > external name only when allocation has to be longer than 32 bytes, the > sucker is guaranteed to be at least a multiple of 32 by the time we > pick the fitting cache (the worst case is when length is between 65 > and 96; then we use kmalloc-96). > > When you start a port to a 512-bit architecture, you'll have much nastier > problems than this one... Well, this is simply taking advantage of this particular allocator's behavior. Instead of depending on this side-effect, why not change the allocation so that we never risk a potentially broken read? (Even SLOB notes that it may have as low as 2-byte granularity.) -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
