kfence: zero guard page after out-of-bounds access

After an out-of-bounds accesses, zero the guard page before re-protecting in kfence_guarded_free(). On one hand this helps make the failure mode of subsequent out-of-bounds accesses more deterministic, but could also prevent certain information leaks. Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Marco Elver <[email protected]> Acked-by: Alexander Potapenko <[email protected]> Cc: Dmitry Vyukov <[email protected]> Cc: Andrey Konovalov <[email protected]> Cc: Jann Horn <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
author: Marco Elver <[email protected]> 2021-05-04 18:40:18 -0700
committer: Linus Torvalds <[email protected]> 2021-05-05 11:27:27 -0700
commit: 94868a1e127bbe0e03a4467f27196cd668cbc344 (patch)
tree: c2e4043df74a4ca224270c4f8ab3772e89fa7007
parent: 0c4ff27a0e541bcee167612fc9065623d75314a3 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/mm/kfence/core.c b/mm/kfence/core.c
index d53c91f881a4..768dbd58170d 100644
--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -372,6 +372,7 @@ static void kfence_guarded_free(void *addr, struct kfence_metadata *meta, bool z
 
 	/* Restore page protection if there was an OOB access. */
 	if (meta->unprotected_page) {
+		memzero_explicit((void *)ALIGN_DOWN(meta->unprotected_page, PAGE_SIZE), PAGE_SIZE);
 		kfence_protect(meta->unprotected_page);
 		meta->unprotected_page = 0;
 	}
author	Marco Elver <[email protected]>	2021-05-04 18:40:18 -0700
committer	Linus Torvalds <[email protected]>	2021-05-05 11:27:27 -0700
commit	94868a1e127bbe0e03a4467f27196cd668cbc344 (patch)
tree	c2e4043df74a4ca224270c4f8ab3772e89fa7007
parent	0c4ff27a0e541bcee167612fc9065623d75314a3 (diff)