From: Dmitry Vyukov <dvyukov@google.com>
To: akpm@linux-foundation.org, aryabinin@virtuozzo.com
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
kasan-dev@googlegroups.com, Dmitry Vyukov <dvyukov@google.com>
Subject: [PATCH 0/5] kasan: detect invalid frees
Date: Wed, 27 Dec 2017 13:44:31 +0100
Message-ID: <cover.1514378558.git.dvyukov@google.com>

KASAN detects double-frees, but does not detect invalid-frees
(when a pointer into the middle of a heap object is passed to free).
We recently had a very unpleasant case in crypto code which freed
an inner object inside of a heap allocation. This went unnoticed
during free, but totally corrupted the heap and later led to a bunch
of random crashes all over kernel code.

Detect invalid frees.

Dmitry Vyukov (5):
  kasan: detect invalid frees for large objects
  kasan: don't use __builtin_return_address(1)
  kasan: detect invalid frees for large mempool objects
  kasan: unify code between kasan_slab_free() and kasan_poison_kfree()
  kasan: detect invalid frees

 include/linux/kasan.h | 13 ++++----
 lib/test_kasan.c      | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++
 mm/kasan/kasan.c      | 57 +++++++++++++++++++----------------
 mm/kasan/kasan.h      |  3 +-
 mm/kasan/report.c     |  5 ++--
 mm/mempool.c          |  6 ++--
 mm/slab.c             |  6 ++--
 mm/slub.c             | 10 +++----
 8 files changed, 135 insertions(+), 48 deletions(-)

--
2.15.1.620.gb9897f4670-goog
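
Added example, not part of the original message or of the patch series: a userspace C model of the two free-time checks the cover letter distinguishes, using a fixed-size cache in which an invalid free is any pointer that is not an object start. All names (model_alloc, model_free, struct outer, the live[] state array) are hypothetical stand-ins, not kernel APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of one slab cache. All names are hypothetical, not kernel APIs. */
#define OBJ_SIZE 64
#define NR_OBJS  8

enum free_result { FREE_OK, FREE_DOUBLE, FREE_INVALID };
struct outer { uint64_t hdr; char inner[32]; };  /* constructed sample object */

static uint64_t slab[OBJ_SIZE * NR_OBJS / sizeof(uint64_t)];
static uint8_t live[NR_OBJS];  /* per-object state, stands in for shadow memory */

static void *model_alloc(void)
{
	for (size_t i = 0; i < NR_OBJS; i++)
		if (!live[i]) {
			live[i] = 1;
			return (uint8_t *)slab + i * OBJ_SIZE;
		}
	return NULL;
}

static enum free_result model_free(void *p)
{
	uintptr_t addr = (uintptr_t)p, base = (uintptr_t)slab;

	if (addr < base || addr >= base + sizeof(slab))
		return FREE_INVALID;	/* pointer does not belong to this cache */
	if ((addr - base) % OBJ_SIZE)
		return FREE_INVALID;	/* pointer into the middle of an object */
	if (!live[(addr - base) / OBJ_SIZE])
		return FREE_DOUBLE;	/* object start, but already freed */
	live[(addr - base) / OBJ_SIZE] = 0;
	return FREE_OK;
}

int main(void)
{
	struct outer *o = model_alloc();

	/* Freeing the inner member is rejected before any allocator state changes. */
	printf("free(inner): %d\n", model_free(o->inner));
	printf("free(outer): %d\n", model_free(o));
	printf("free(outer) again: %d\n", model_free(o));
	return 0;
}
```

The object-start check runs before the state lookup, so a bad pointer is reported at the free call rather than surfacing later as unrelated corruption.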