From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Kees Cook <keescook@chromium.org>
Subject: [PATCH 5.8 22/38] lkdtm/heap: Avoid edge and middle of slabs
Date: Mon, 10 Aug 2020 17:19:12 +0200 [thread overview]
Message-ID: <20200810151804.989498491@linuxfoundation.org> (raw)
In-Reply-To: <20200810151803.920113428@linuxfoundation.org>
From: Kees Cook <keescook@chromium.org>
commit e12145cf1c3a8077e6d9f575711e38dd7d8a3ebc upstream.
Har har, after I moved the slab freelist pointer into the middle of the
slab, now it looks like the contents are getting poisoned. Adjust the
test to avoid the freelist pointer again.
Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20200625203704.317097-3-keescook@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/lkdtm/heap.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/misc/lkdtm/heap.c
+++ b/drivers/misc/lkdtm/heap.c
@@ -58,11 +58,12 @@ void lkdtm_READ_AFTER_FREE(void)
int *base, *val, saw;
size_t len = 1024;
/*
- * The slub allocator uses the first word to store the free
- * pointer in some configurations. Use the middle of the
- * allocation to avoid running into the freelist
+ * The slub allocator will use the either the first word or
+ * the middle of the allocation to store the free pointer,
+ * depending on configurations. Store in the second word to
+ * avoid running into the freelist.
*/
- size_t offset = (len / sizeof(*base)) / 2;
+ size_t offset = sizeof(*base);
base = kmalloc(len, GFP_KERNEL);
if (!base) {
next prev parent reply other threads:[~2020-08-10 15:21 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-10 15:18 [PATCH 5.8 00/38] 5.8.1-rc1 review Greg Kroah-Hartman
2020-08-10 15:18 ` [PATCH 5.8 01/38] scsi: ufs: Fix and simplify setup_xfer_req variant operation Greg Kroah-Hartman
2020-08-10 15:18 ` [PATCH 5.8 02/38] USB: serial: qcserial: add EM7305 QDL product ID Greg Kroah-Hartman
2020-08-10 15:18 ` [PATCH 5.8 03/38] USB: iowarrior: fix up report size handling for some devices Greg Kroah-Hartman
2020-08-10 15:18 ` [PATCH 5.8 04/38] usb: xhci: define IDs for various ASMedia host controllers Greg Kroah-Hartman
2020-08-10 15:18 ` [PATCH 5.8 05/38] usb: xhci: Fix ASMedia ASM1142 DMA addressing Greg Kroah-Hartman
2020-08-10 15:18 ` [PATCH 5.8 06/38] Revert "ALSA: hda: call runtime_allow() for all hda controllers" Greg Kroah-Hartman
2020-08-10 15:18 ` [PATCH 5.8 07/38] ALSA: hda/realtek: Add alc269/alc662 pin-tables for Loongson-3 laptops Greg Kroah-Hartman
2020-08-10 15:18 ` [PATCH 5.8 08/38] ALSA: hda/ca0132 - Add new quirk ID for Recon3D Greg Kroah-Hartman
2020-08-10 15:18 ` [PATCH 5.8 09/38] ALSA: hda/ca0132 - Fix ZxR Headphone gain control get value Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 10/38] ALSA: hda/ca0132 - Fix AE-5 microphone selection commands Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 11/38] ALSA: seq: oss: Serialize ioctls Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 12/38] staging: android: ashmem: Fix lockdep warning for write operation Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 13/38] staging: rtl8712: handle firmware load failure Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 14/38] Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 15/38] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 16/38] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 17/38] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 18/38] omapfb: dss: Fix max fclk divider for omap36xx Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 19/38] binder: Prevent context manager from incrementing ref 0 Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 20/38] Smack: fix use-after-free in smk_write_relabel_self() Greg Kroah-Hartman
2020-08-10 15:19 ` [Cocci] [PATCH 5.8 21/38] scripts: add dummy report mode to add_namespace.cocci Greg Kroah-Hartman
2020-08-10 15:19 ` Greg Kroah-Hartman
2020-08-10 15:19 ` Greg Kroah-Hartman [this message]
2020-08-10 15:19 ` [PATCH 5.8 23/38] vgacon: Fix for missing check in scrollback handling Greg Kroah-Hartman
2020-08-10 15:19 ` Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 24/38] mtd: properly check all write ioctls for permissions Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 25/38] leds: wm831x-status: fix use-after-free on unbind Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 26/38] leds: lm36274: " Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 27/38] leds: da903x: " Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 28/38] leds: lm3533: " Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 29/38] leds: 88pm860x: " Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 30/38] gpio: max77620: Fix missing release of interrupt Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 31/38] xattr: break delegations in {set,remove}xattr Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 32/38] Revert "powerpc/kasan: Fix shadow pages allocation failure" Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 33/38] powerpc/kasan: Fix shadow pages allocation failure Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 34/38] PCI: tegra: Revert tegra124 raw_violation_fixup Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 35/38] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 36/38] random32: move the pseudo-random 32-bit definitions to prandom.h Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 37/38] random: random.h should include archrandom.h, not the other way around Greg Kroah-Hartman
2020-08-10 15:19 ` [PATCH 5.8 38/38] arm64: kaslr: Use standard early random function Greg Kroah-Hartman
2020-08-10 23:04 ` [PATCH 5.8 00/38] 5.8.1-rc1 review Shuah Khan
2020-08-11 16:19 ` Greg Kroah-Hartman
2020-08-11 6:29 ` Naresh Kamboju
2020-08-11 16:20 ` Greg Kroah-Hartman
2020-08-11 7:57 ` Jon Hunter
2020-08-11 16:19 ` Greg Kroah-Hartman
2020-08-11 10:54 ` Puranjay Mohan
2020-08-11 14:24 ` Guenter Roeck
2020-08-11 16:20 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200810151804.989498491@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.