[PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



POISON_POINTER_DELTA is defined in poison.h, and is intended to be used
to shift poison values so that they don't alias userspace.

We should add it to ZERO_SIZE_PTR so that attackers can't use
ZERO_SIZE_PTR as a way to get a non-NULL pointer to userspace.

Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
That no longer really works once we add the poison delta, so split it
into two checks. Assign x to a temporary to avoid evaluating it
twice (suggested by Kees Cook).

Signed-off-by: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
---
 include/linux/slab.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

v2: Rework ZERO_OR_NULL_PTR() to do the two checks separately.

diff --git a/include/linux/slab.h b/include/linux/slab.h
index 084b12bad198..404419d9860f 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -12,6 +12,7 @@
 #define	_LINUX_SLAB_H
 
 #include <linux/gfp.h>
+#include <linux/poison.h>
 #include <linux/types.h>
 #include <linux/workqueue.h>
 
@@ -109,10 +110,13 @@
  * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
  * Both make kfree a no-op.
  */
-#define ZERO_SIZE_PTR ((void *)16)
+#define ZERO_SIZE_PTR ((void *)(16 + POISON_POINTER_DELTA))
 
-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
-				(unsigned long)ZERO_SIZE_PTR)
+#define ZERO_OR_NULL_PTR(x)				\
+	({						\
+		void *p = (void *)(x);			\
+		(p == NULL || p == ZERO_SIZE_PTR);	\
+	})
 
 #include <linux/kmemleak.h>
 #include <linux/kasan.h>
-- 
2.7.4

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]