Kees Cook <keescook@xxxxxxxxxxxx> writes:
> On Thu, Jul 7, 2016 at 12:35 AM, Michael Ellerman <mpe@xxxxxxxxxxxxxx> wrote:
>> I gave this a quick spin on powerpc, it blew up immediately :)
>
> Wheee :) This series is rather easy to test: blows up REALLY quickly
> if it's wrong. ;)
Better than subtle race conditions which is the usual :)
>> diff --git a/mm/slub.c b/mm/slub.c
>> index 0c8ace04f075..66191ea4545a 100644
>> --- a/mm/slub.c
>> +++ b/mm/slub.c
>> @@ -3630,6 +3630,9 @@ const char *__check_heap_object(const void *ptr, unsigned long n,
>> /* Find object. */
>> s = page->slab_cache;
>>
>> + /* Subtract red zone if enabled */
>> + ptr = restore_red_left(s, ptr);
>> +
>
> Ah, interesting. Just to make sure: you've built with
> CONFIG_SLUB_DEBUG and either CONFIG_SLUB_DEBUG_ON or booted with
> either slub_debug or slub_debug=z ?
Yeah built with CONFIG_SLUB_DEBUG_ON, and booted with and without slub_debug
options.
> Thanks for the slub fix!
>
> I wonder if this code should be using size_from_object() instead of s->size?
Hmm, not sure. Who's SLUB maintainer? :)
I was modelling it on the logic in check_valid_pointer(), which also does the
restore_red_left(), and then checks for % s->size:
static inline int check_valid_pointer(struct kmem_cache *s,
struct page *page, void *object)
{
void *base;
if (!object)
return 1;
base = page_address(page);
object = restore_red_left(s, object);
if (object < base || object >= base + page->objects * s->size ||
(object - base) % s->size) {
return 0;
}
return 1;
}
cheers
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>