From: Qian Cai <cai@lca.pw>
To: Alexander Potapenko <glider@google.com>,
	Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Linux Memory Management List <linux-mm@kvack.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH -next v2] mm/page_alloc: fix a false memory corruption
Date: Fri, 21 Jun 2019 08:26:23 -0400	[thread overview]
Message-ID: <1561119983.5154.33.camel@lca.pw> (raw)
In-Reply-To: <CAG_fn=VRehbrhvNRg0igZ==YvONug_nAYMqyrOXh3kO2+JaszQ@mail.gmail.com>

On Fri, 2019-06-21 at 12:39 +0200, Alexander Potapenko wrote:
> On Fri, Jun 21, 2019 at 3:01 AM Kees Cook <keescook@chromium.org> wrote:
> > 
> > On Thu, Jun 20, 2019 at 04:46:06PM -0400, Qian Cai wrote:
> > > The linux-next commit "mm: security: introduce init_on_alloc=1 and
> > > init_on_free=1 boot options" [1] introduced a false positive when
> > > init_on_free=1 and page_poison=on, because page_poison expects the
> > > pattern 0xaa when allocating pages, which were overwritten by
> > > init_on_free=1 with 0.
> > > 
> > > Fix it by switching the order between kernel_init_free_pages() and
> > > kernel_poison_pages() in free_pages_prepare().
> > 
> > Cool; this seems like the right approach. Alexander, what do you think?
> 
> Can using init_on_free together with page_poison bring any value at all?
> Isn't it better to decide at boot time which of the two features we're
> going to enable?

I think the typical use case is people are using init_on_free=1, and then decide
to debug something by enabling page_poison=on. Definitely don't want
init_on_free=1 to disable page_poison as the latter has additional checking at
allocation time to make sure that the poison pattern set at free time is
still there.

> 
> > Reviewed-by: Kees Cook <keescook@chromium.org>
> > 
> > -Kees
> > 
> > > 
> > > [1] https://patchwork.kernel.org/patch/10999465/
> > > 
> > > Signed-off-by: Qian Cai <cai@lca.pw>
> > > ---
> > > 
> > > v2: After further debugging, the issue after switching order is likely a
> > >     separate issue as clear_page() should not cause issues with future
> > >     accesses.
> > > 
> > >  mm/page_alloc.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> > > index 54dacf35d200..32bbd30c5f85 100644
> > > --- a/mm/page_alloc.c
> > > +++ b/mm/page_alloc.c
> > > @@ -1172,9 +1172,10 @@ static __always_inline bool
> > > free_pages_prepare(struct page *page,
> > >                                          PAGE_SIZE << order);
> > >       }
> > >       arch_free_page(page, order);
> > > -     kernel_poison_pages(page, 1 << order, 0);
> > >       if (want_init_on_free())
> > >               kernel_init_free_pages(page, 1 << order);
> > > +
> > > +     kernel_poison_pages(page, 1 << order, 0);
> > >       if (debug_pagealloc_enabled())
> > >               kernel_map_pages(page, 1 << order, 0);
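Review bot: the moved call at `+     kernel_poison_pages(page, 1 << order, 0);` now silently depends on running after `kernel_init_free_pages()`, but nothing in the hunk records that ordering; a one-line comment above the poison call (for example `/* must run after kernel_init_free_pages(): zeroing would erase the poison pattern */`) would stop a later reorder from reintroducing the false positive that the allocation-time poison check reports. Also worth a sentence in the commit message: with init_on_free=1 and page_poison=on both enabled, every freed page is now written twice (zeroed, then filled with the poison pattern), so the zeroing is redundant work in that configuration.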
> > > 
> > > --
> > > 1.8.3.1
> > > 
> > 
> > --
> > Kees Cook
> 
> 
> 


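The ordering problem discussed in this thread can be seen in a small model of free_pages_prepare(): zero-on-free and page poisoning both write the whole page at free time, and the allocation-time poison check only passes if the poison write happened last. The C below is an added illustration, not code from the kernel or from this patch; `model_init_free_pages`, `model_poison_pages`, `check_poison_on_alloc` and `run_cycle` are hypothetical stand-ins for the kernel's kernel_init_free_pages(), kernel_poison_pages() and its check path, and the 0xaa pattern and 4096-byte page are assumed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ     4096   /* assumed page size for the model */
#define PAGE_POISON 0xaa   /* poison byte the thread says page_poison expects */

/* Boot-option state; hypothetical stand-ins for want_init_on_free() and
 * the page_poison=on switch. */
static bool init_on_free = true;
static bool page_poison  = true;

/* Model of kernel_init_free_pages(): clear the page on free. */
static void model_init_free_pages(uint8_t *page)
{
    memset(page, 0, PAGE_SZ);
}

/* Model of kernel_poison_pages(page, n, 0): fill the page with the poison byte. */
static void model_poison_pages(uint8_t *page)
{
    if (page_poison)
        memset(page, PAGE_POISON, PAGE_SZ);
}

/* Free-path ordering before the patch: poison first, then zero.
 * The zeroing erases the poison pattern. */
static void free_prepare_old(uint8_t *page)
{
    model_poison_pages(page);
    if (init_on_free)
        model_init_free_pages(page);
}

/* Free-path ordering after the patch: zero first, then poison,
 * so the poison pattern is what survives until the next allocation. */
static void free_prepare_new(uint8_t *page)
{
    if (init_on_free)
        model_init_free_pages(page);
    model_poison_pages(page);
}

/* Model of the allocation-time check: count bytes that no longer hold the
 * poison pattern. Any non-zero count is what page_poison reports as memory
 * corruption. With page_poison off there is nothing to check. */
static size_t check_poison_on_alloc(const uint8_t *page)
{
    size_t bad = 0;

    if (!page_poison)
        return 0;
    for (size_t i = 0; i < PAGE_SZ; i++)
        if (page[i] != PAGE_POISON)
            bad++;
    return bad;
}

/* Run one free -> allocate cycle under the given options and ordering;
 * returns the number of bytes the allocation-time check would flag. */
static size_t run_cycle(void (*free_prepare)(uint8_t *), bool ion, bool pp)
{
    static uint8_t page[PAGE_SZ];

    init_on_free = ion;
    page_poison  = pp;
    memset(page, 0x5a, PAGE_SZ);      /* constructed "in-use" page contents */
    free_prepare(page);               /* page is freed */
    return check_poison_on_alloc(page); /* page is handed out again */
}

int main(void)
{
    printf("old order, init_on_free=1 page_poison=on: %zu bytes flagged\n",
           run_cycle(free_prepare_old, true, true));
    printf("new order, init_on_free=1 page_poison=on: %zu bytes flagged\n",
           run_cycle(free_prepare_new, true, true));
    printf("old order, init_on_free=0 page_poison=on: %zu bytes flagged\n",
           run_cycle(free_prepare_old, false, true));
    return 0;
}
```

The first line of output shows the false positive from the thread: every byte of the page is flagged even though nothing wrote to it between free and allocation, because the zeroing ran after the poisoning. The second line shows the patched ordering passing the same check, and the third shows that the old ordering was only ever wrong when both options were on together.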
Thread overview: 7+ messages
2019-06-20 20:46 [PATCH -next v2] mm/page_alloc: fix a false memory corruption Qian Cai
2019-06-21  1:01 ` Kees Cook
2019-06-21 10:39   ` Alexander Potapenko
2019-06-21 12:26     ` Qian Cai [this message]
2019-06-21 14:37       ` Alexander Potapenko
2019-06-21 14:56         ` Qian Cai
2019-06-21 15:26           ` Alexander Potapenko
