On Tue, Dec 22, 2015 at 12:48 PM, Vlastimil Babka <vbabka@xxxxxxx> wrote: > On 22.12.2015 4:40, Laura Abbott wrote: >> Each of the different allocators (SLAB/SLUB/SLOB) handles >> clearing of objects differently depending on configuration. >> Add common infrastructure for selecting sanitization levels >> (off, slow path only, partial, full) and marking caches as >> appropriate. >> >> All credit for the original work should be given to Brad Spengler and >> the PaX Team. >> >> Signed-off-by: Laura Abbott <laura@xxxxxxxxxxxx> >> >> +#ifdef CONFIG_SLAB_MEMORY_SANITIZE >> +#ifdef CONFIG_X86_64 >> +#define SLAB_MEMORY_SANITIZE_VALUE '\xfe' >> +#else >> +#define SLAB_MEMORY_SANITIZE_VALUE '\xff' >> +#endif >> +enum slab_sanitize_mode { >> + /* No sanitization */ >> + SLAB_SANITIZE_OFF = 0, >> + >> + /* Partial sanitization happens only on the slow path */ >> + SLAB_SANITIZE_PARTIAL_SLOWPATH = 1, > > Can you explain more about this variant? I wonder who might find it useful > except someone getting a false sense of security, but cheaper. > It sounds like wanting the cake and eat it too :) > I would be surprised if such IMHO half-solution existed in the original > PAX_MEMORY_SANITIZE too? > > Or is there something that guarantees that the objects freed on hotpath won't > stay there for long so the danger of leak is low? (And what about > use-after-free?) It depends on further slab activity, no? (I'm not that familiar > with SLUB, but I would expect the hotpath there being similar to SLAB freeing > the object on per-cpu array_cache. But, it seems the PARTIAL_SLOWPATH is not > implemented for SLAB, so there might be some fundamental difference I'm missing.) Perhaps the partial sanitize could be a separate patch so it's features were more logically separated? -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>