author | Kees Cook <[email protected]> | 2019-07-11 20:53:26 -0700 |
---|---|---|
committer | Linus Torvalds <[email protected]> | 2019-07-12 11:05:41 -0700 |
commit | a64b53780ec35b77daf817210c88aa42d172c98f (patch) | |
tree | 68b21fc96d39f7a4570e0816b44ff83428a69173 /drivers/misc/lkdtm/heap.c | |
parent | 598a0717a816abc8f5d3c4598628338b9190d127 (diff) |
mm/slab: sanity-check page type when looking up cache

This avoids any possible type confusion when looking up an object. For
example, if a non-slab were to be passed to kfree(), the invalid
slab_cache pointer (i.e. overlapped with some other value from the
struct page union) would be used for subsequent slab manipulations that
could lead to further memory corruption.

Since the page is already in cache, adding the PageSlab() check will
have nearly zero cost, so add a check and WARN() to virt_to_cache().
Additionally replaces an open-coded virt_to_cache(). To support the
failure mode this also updates all callers of virt_to_cache() and
cache_from_obj() to handle a NULL cache pointer return value (though
note that several already handle this case gracefully).

[[email protected]: restore IRQs in kfree()]
Link: http://lkml.kernel.org/r/20190613065637.GE16334@mwanda
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Cc: Alexander Popov <[email protected]>
Cc: Alexander Potapenko <[email protected]>
Cc: Christoph Lameter <[email protected]>
Cc: David Rientjes <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Joonsoo Kim <[email protected]>
Cc: Matthew Wilcox <[email protected]>
Cc: Pekka Enberg <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'drivers/misc/lkdtm/heap.c')
0 files changed, 0 insertions, 0 deletions
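
The check described in the commit message, modelled in userspace C as an added example (not the kernel's code and not part of this commit). `struct page`, `PG_SLAB`, `warn_count`, `lookup_unchecked`, `lookup_checked` and `model_kfree` are simplified, hypothetical stand-ins for the kernel's `struct page` union, `PageSlab()`, `WARN()`, `virt_to_cache()` and a NULL-aware caller.

```c
/* Userspace model with constructed types; not kernel code. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define PG_SLAB 0x1u   /* stand-in for the slab page-type flag */
struct kmem_cache { const char *name; size_t object_size; };

/* As in struct page, one slot is a union whose meaning depends on page type. */
struct page {
    unsigned int flags;
    union {
        struct kmem_cache *slab_cache;  /* meaningful only for slab pages */
        uintptr_t private_data;         /* what a non-slab page stores here */
    };
};

static int warn_count;  /* stand-in for WARN() firing */
static int page_slab(const struct page *p) { return (p->flags & PG_SLAB) != 0; }

/* Before: trusts the union slot whatever the page type is. */
static struct kmem_cache *lookup_unchecked(struct page *p) { return p->slab_cache; }

/* After: reject non-slab pages, warn, and hand back NULL. */
static struct kmem_cache *lookup_checked(struct page *p)
{
    if (!page_slab(p)) { warn_count++; return NULL; }
    return p->slab_cache;
}

/* A caller updated for the NULL return: 0 = freed, -1 = rejected early. */
static int model_kfree(struct page *p)
{
    return lookup_checked(p) ? 0 : -1;  /* NULL: stop before slab manipulation */
}

int main(void)
{
    struct kmem_cache cache = { "demo-64", 64 };
    struct page slab = { PG_SLAB, { &cache } };
    struct page other = { 0, { NULL } };
    other.private_data = 0x1234;  /* constructed value overlapping slab_cache */
    int ok = model_kfree(&slab), rejected = model_kfree(&other);
    printf("unchecked lookup on non-slab page: %p\n", (void *)lookup_unchecked(&other));
    printf("checked kfree: slab=%d non-slab=%d warns=%d\n", ok, rejected, warn_count);
    return 0;
}
```

The unchecked lookup returns the overlapping value as if it were a cache pointer, while the checked path warns once and the caller exits before using it.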