POISON_POINTER_DELTA is defined in poison.h, and is intended to be used
to shift poison values so that they don't alias userspace.
We should add it to ZERO_SIZE_PTR so that attackers can't use
ZERO_SIZE_PTR as a way to get a non-NULL pointer to userspace.
Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
That no longer really works once we add the poison delta, so split it
into two checks. Assign x to a temporary to avoid evaluating it
twice (suggested by Kees Cook).
Signed-off-by: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
---
include/linux/slab.h | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
v2: Rework ZERO_OR_NULL_PTR() to do the two checks separately.
diff --git a/include/linux/slab.h b/include/linux/slab.h
index 084b12bad198..404419d9860f 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -12,6 +12,7 @@
#define _LINUX_SLAB_H
#include <linux/gfp.h>
+#include <linux/poison.h>
#include <linux/types.h>
#include <linux/workqueue.h>
@@ -109,10 +110,13 @@
* ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
* Both make kfree a no-op.
*/
-#define ZERO_SIZE_PTR ((void *)16)
+#define ZERO_SIZE_PTR ((void *)(16 + POISON_POINTER_DELTA))
-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
- (unsigned long)ZERO_SIZE_PTR)
+#define ZERO_OR_NULL_PTR(x) \
+ ({ \
+ void *p = (void *)(x); \
+ (p == NULL || p == ZERO_SIZE_PTR); \
+ })
#include <linux/kmemleak.h>
#include <linux/kasan.h>
--
2.7.4
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>