Skip to content

Commit

Permalink
kasan: slab: always reset the tag in get_freepointer_safe()
Browse files Browse the repository at this point in the history 
With CONFIG_DEBUG_PAGEALLOC enabled, the kernel should also untag the
object pointer, as done in get_freepointer().

Failing to do so reportedly leads to SLUB freelist corruptions that
manifest as boot-time crashes.

Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Alexander Potapenko <[email protected]>
Cc: Marco Elver <[email protected]>
Cc: Vincenzo Frascino <[email protected]>
Cc: Andrey Ryabinin <[email protected]>
Cc: Andrey Konovalov <[email protected]>
Cc: Elliot Berman <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
@ramosian-glider @torvalds
ramosian-glider authored and torvalds committed May 23, 2021
1 parent 4d1cd3b commit f70b004
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions mm/slub.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -301,6 +301,7 @@ static inline void *get_freepointer_safe(struct kmem_cache *s, void *object)
if (!debug_pagealloc_enabled_static())
return get_freepointer(s, object);

object = kasan_reset_tag(object);
freepointer_addr = (unsigned long)object + s->offset;
copy_from_kernel_nofault(&p, (void **)freepointer_addr, sizeof(p));
return freelist_ptr(s, p, freepointer_addr);
Expand Down

0 comments on commit f70b004

Please sign in to comment.