    mm/slub: extend redzone check to extra allocated kmalloc space than requested · 946fa0db
    Feng Tang authored
    kmalloc will round up the request size to a fixed size (mostly power
    of 2), so there could be an extra space beyond what is requested, whose
    size is the actual buffer size minus the original request size.
    
    To better detect out of bound access or abuse of this space, add
    redzone sanity check for it.
    
    In the current kernel, some kmalloc users already know the existence of
    the space and utilize it after calling 'ksize()' to learn the real
    size of the allocated buffer. So we skip the sanity check for objects
    on which ksize() has been called, treating them as legitimate
    users. Kees Cook is working on sanitizing all these use cases,
    by using kmalloc_size_roundup() to avoid ambiguous usages. And after
    this is done, this special handling for ksize() can be removed.
    
    In some cases, the free pointer could be saved inside the latter
    part of the object data area, which may overlap the redzone part (for
    small sizes of kmalloc objects). As suggested by Hyeonggon Yoo,
    force the free pointer to be in the metadata area when kmalloc redzone
    debug is enabled, to make all kmalloc objects covered by the redzone
    check.
    Suggested-by: Vlastimil Babka <vbabka@suse.cz>
    Signed-off-by: Feng Tang <feng.tang@intel.com>
    Acked-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
    Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
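To make the mechanism in the commit message concrete, here is an added userspace C simulation; it is not code from the kernel or from this commit. It models kmalloc rounding a request up to a size class, poisons the slack between the requested and the rounded-up size with SLUB's active redzone byte (0xcc, the kernel's SLUB_RED_ACTIVE value), checks that slack on free, and skips the check for objects on which ksize() was called, as the commit does. The size-class table, the out-of-band `obj_meta` header and all `sim_*` function names are constructed for this example; real SLUB stores the original size in the object's metadata area, not in a header.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdbool.h>

/* Redzone byte SLUB writes into objects that are currently allocated. */
#define SLUB_RED_ACTIVE 0xcc

/* Constructed size classes; the small kmalloc caches use these sizes. */
static const size_t kmalloc_classes[] = { 8, 16, 32, 64, 96, 128, 192, 256 };

/* Per-object bookkeeping, kept in a header in front of the object here
 * purely to keep the simulation self-contained (hypothetical layout). */
struct obj_meta {
    size_t orig_size;   /* size the caller actually requested */
    size_t slab_size;   /* rounded-up size that was handed out */
    bool ksize_called;  /* caller asked ksize(): slack is legitimately usable */
};

/* Round a request up to the smallest size class that can hold it. */
size_t sim_kmalloc_size_roundup(size_t size)
{
    size_t n = sizeof(kmalloc_classes) / sizeof(kmalloc_classes[0]);
    for (size_t i = 0; i < n; i++)
        if (kmalloc_classes[i] >= size)
            return kmalloc_classes[i];
    return 0; /* larger than this simulation supports */
}

static struct obj_meta *meta_of(void *p)
{
    return (struct obj_meta *)p - 1;
}

/* Allocate a rounded-up object and redzone the slack [orig_size, slab_size). */
void *sim_kmalloc(size_t size)
{
    size_t slab = sim_kmalloc_size_roundup(size);
    if (slab == 0)
        return NULL;
    struct obj_meta *m = malloc(sizeof(*m) + slab);
    if (m == NULL)
        return NULL;
    m->orig_size = size;
    m->slab_size = slab;
    m->ksize_called = false;
    unsigned char *obj = (unsigned char *)(m + 1);
    memset(obj + size, SLUB_RED_ACTIVE, slab - size);
    return obj;
}

/* ksize() reports the usable size; the object is then treated as a
 * legitimate user of the slack and the redzone check is skipped. */
size_t sim_ksize(void *p)
{
    struct obj_meta *m = meta_of(p);
    m->ksize_called = true;
    return m->slab_size;
}

/* Return -1 if the slack redzone is intact (or the check is skipped),
 * otherwise the offset of the first overwritten byte from the object start. */
long sim_check_redzone(void *p)
{
    struct obj_meta *m = meta_of(p);
    if (m->ksize_called)
        return -1;
    const unsigned char *obj = (const unsigned char *)p;
    for (size_t off = m->orig_size; off < m->slab_size; off++)
        if (obj[off] != SLUB_RED_ACTIVE)
            return (long)off;
    return -1;
}

/* Free the object after running the redzone check; returns the check result. */
long sim_kfree(void *p)
{
    long result = sim_check_redzone(p);
    free(meta_of(p));
    return result;
}

int main(void)
{
    /* A 20-byte request lands in the 32-byte class; writing 24 bytes
     * stays inside the allocation but is caught by the slack redzone. */
    char *buf = sim_kmalloc(20);
    memset(buf, 'A', 24);
    printf("overflow into slack detected at offset %ld\n", sim_kfree(buf));

    /* A caller that used ksize() may use the whole 32 bytes unflagged. */
    char *legit = sim_kmalloc(20);
    memset(legit, 'B', sim_ksize(legit));
    printf("ksize() user check result: %ld\n", sim_kfree(legit));
    return 0;
}
```

The check only covers bytes between the requested size and the size-class boundary, so a write that stays within the requested size is never flagged, and a caller that announced its intent through ksize() is exempt exactly as the commit describes; a production build would also redzone the area past the slab object, which this simulation leaves out.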
slub.c 157 KB