Re: [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects

From: Vlastimil Babka
Date: Fri Nov 11 2022 - 03:16:39 EST

Next message: Damien Le Moal: "Re: [PATCH] ata: sata_dwc_460ex: Check !irq instead of irq == NO_IRQ"
Previous message: Tian, Kevin: "RE: [PATCH v2 2/8] iommu/vt-d: Improve iommu_enable_pci_caps()"
Next in thread: Feng Tang: "Re: [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 10/21/22 05:24, Feng Tang wrote:
> kmalloc's API family is critical for mm, and one of its nature is that
> it will round up the request size to a fixed one (mostly power of 2).
> When user requests memory for '2^n + 1' bytes, actually 2^(n+1) bytes
> could be allocated, so there is an extra space than what is originally
> requested.
>
> This patchset tries to extend the redzone sanity check to the extra
> kmalloced buffer than requested, to better detect un-legitimate access
> to it. (dependson SLAB_STORE_USER & SLAB_RED_ZONE)
>
> The redzone part has been tested with code below:
>
> for (shift = 3; shift <= 12; shift++) {
> size = 1 << shift;
> buf = kmalloc(size + 4, GFP_KERNEL);
> /* We have 96, 196 kmalloc size, which is not power of 2 */
> if (size == 64 || size == 128)
> oob_size = 16;
> else
> oob_size = size - 4;
> memset(buf + size + 4, 0xee, oob_size);
> kfree(buf);
> }

Sounds like a new slub_kunit test would be useful? :) doesn't need to be
that exhaustive wrt all sizes, we could just pick one and check that a write
beyond requested kmalloc size is detected?

Thanks!

Next message: Damien Le Moal: "Re: [PATCH] ata: sata_dwc_460ex: Check !irq instead of irq == NO_IRQ"
Previous message: Tian, Kevin: "RE: [PATCH v2 2/8] iommu/vt-d: Improve iommu_enable_pci_caps()"
Next in thread: Feng Tang: "Re: [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]