On 10/21/22 05:24, Feng Tang wrote:
> kmalloc's API family is critical for mm, and one of its nature is that
> it will round up the request size to a fixed one (mostly power of 2).
> When user requests memory for '2^n + 1' bytes, actually 2^(n+1) bytes
> could be allocated, so there is an extra space than what is originally
> requested.
>
> This patchset tries to extend the redzone sanity check to the extra
> kmalloced buffer than requested, to better detect un-legitimate access
> to it. (dependson SLAB_STORE_USER & SLAB_RED_ZONE)
>
> The redzone part has been tested with code below:
>
> for (shift = 3; shift <= 12; shift++) {
> size = 1 << shift;
> buf = kmalloc(size + 4, GFP_KERNEL);
> /* We have 96, 196 kmalloc size, which is not power of 2 */
> if (size == 64 || size == 128)
> oob_size = 16;
> else
> oob_size = size - 4;
> memset(buf + size + 4, 0xee, oob_size);
> kfree(buf);
> }
Sounds like a new slub_kunit test would be useful? :) doesn't need to be
that exhaustive wrt all sizes, we could just pick one and check that a write
beyond requested kmalloc size is detected?
Thanks!
