Hi Kees,

On Sat, Apr 25, 2020 at 03:48:31PM -0700, Kees Cook wrote:
> On Sat, Apr 25, 2020 at 05:13:38PM +0800, Changbin Du wrote:
> > The recent kernel fails to boot when slub redzone is turned on. This is
> > caused by commit 3202fa62fb ("slub: relocate freelist pointer to middle of
> > object") which relocates freelist pointer to middle of object. In this
> > case, get_track() gets a wrong address and then the redzone is overwritten.
>
> Hi! A fix for this is already in -next:
>
> https://www.ozlabs.org/~akpm/mmotm/broken-out/slub-avoid-redzone-when-choosing-freepointer-location.patch
>
> the above doesn't disable the mitigation when using redzones, so I
> prefer that to this suggested solution.
>
Glad to see it's been reported. But I am sorry that your patch cannot fix it.
With your fix, I suppose the layout of slub is:
  |obj-fp-obj|redzone|track|...

While get_track():
  p = object + s->offset + sizeof(void *);

Then we still get a wrong location. I just tested linux-next and the problem is
still there.

Are the right and left redzones good enough to protect the freepointer? If not,
I will send a patch to fix get_track() along with your patch.

> --
> Kees Cook

--
Cheers,
Changbin Du
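A constructed C model of the slot arithmetic discussed in this thread, added here as an illustration and not code from the thread or from the kernel: make_layout, track_off_old, track_off_fixed and clobbers_object are hypothetical names, the 16-byte track record size is made up, and the rule in track_off_fixed shows the idea (only step past the freepointer when it lies outside the object) rather than the upstream fix.

```c
#include <stdbool.h>
#include <stddef.h>

/* Round up to pointer alignment, like the kernel's ALIGN(). */
#define ALIGN_PTR(x) (((x) + sizeof(void *) - 1) & ~(sizeof(void *) - 1))

/* Constructed model of the kmem_cache fields that matter here (not the kernel's struct). */
struct cache_layout {
	size_t inuse;  /* object + right redzone; debug metadata starts here */
	size_t offset; /* where the freelist pointer lives inside the slot */
	size_t size;   /* total slot size */
};

/* Hypothetical re-creation of the size calculation: fp_outside puts the freepointer after the redzone (old layout), otherwise it moves into the object. */
static struct cache_layout make_layout(size_t object_size, bool red_zone, bool fp_outside)
{
	struct cache_layout s;
	size_t size = object_size;

	if (red_zone)
		size += sizeof(void *);                /* right redzone */
	s.inuse = size;
	if (fp_outside) {
		s.offset = size;                       /* freepointer after the redzone */
		size += sizeof(void *);
	} else {
		s.offset = ALIGN_PTR(object_size / 2); /* freepointer in the middle of the object */
	}
	s.size = size + 2 * 16;                        /* two track records; 16 bytes each is constructed */
	return s;
}

/* The get_track() arithmetic quoted in the thread: assumes the freepointer sits at inuse. */
static size_t track_off_old(const struct cache_layout *s)
{
	return s->offset + sizeof(void *);
}

/* Illustrative correction (an assumption, not the upstream fix): skip the freepointer only when it really lies outside the object. */
static size_t track_off_fixed(const struct cache_layout *s)
{
	return s->offset >= s->inuse ? s->inuse + sizeof(void *) : s->inuse;
}

/* True when a track write at this offset lands inside the object or its redzone. */
static bool clobbers_object(const struct cache_layout *s, size_t track_off)
{
	return track_off < s->inuse;
}
```

With a 64-byte object and the freepointer in the middle, the old arithmetic places the track record inside the object, which is exactly the redzone corruption described above.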