Commit 19da3dd1 authored by David Rientjes's avatar David Rientjes Committed by Linus Torvalds
Browse files

flex_array: poison free elements 



Newly initialized flex_array's and/or flex_array_part's are now poisoned
with a new poison value, FLEX_ARRAY_FREE.  It's value is similar to
POISON_FREE used in the various slab allocators, but is different to
distinguish between flex array's poisoned kmem and slab allocator poisoned
kmem.

This will allow us to identify flex_array_part's that only contain free
elements (and free them with an addition to the flex_array API).  This
could also be extended in the future to identify `get' uses on elements
that have not been `put'.

If __GFP_ZERO is passed for a part's gfp mask, the poisoning is avoided.
These elements are considered to be in-use since they have been
initialized.

Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
Cc: Dave Hansen <dave@linux.vnet.ibm.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent e6de3988

include/linux/poison.h

+3 −0
Original line number Diff line number Diff line
@@ -65,6 +65,9 @@ 
#define MUTEX_DEBUG_INIT	0x11

#define MUTEX_DEBUG_FREE	0x22



/********** lib/flex_array.c **********/

#define FLEX_ARRAY_FREE	0x6c	/* for use-after-free poisoning */



/********** security/ **********/

#define KEY_DESTROY		0xbd

lib/flex_array.c

+7 −8
Original line number Diff line number Diff line
@@ -113,6 +113,8 @@ struct flex_array *flex_array_alloc(int element_size, unsigned int total, 
		return NULL;

	ret->element_size = element_size;

	ret->total_nr_elements = total;

	if (elements_fit_in_base(ret) && !(flags & __GFP_ZERO))

		memset(ret->parts[0], FLEX_ARRAY_FREE, bytes_left_in_base());

	return ret;

}
@@ -159,15 +161,12 @@ __fa_get_part(struct flex_array *fa, int part_nr, gfp_t flags) 
{

	struct flex_array_part *part = fa->parts[part_nr];

	if (!part) {

		/*

		 * This leaves the part pages uninitialized

		 * and with potentially random data, just

		 * as if the user had kmalloc()'d the whole.

		 * __GFP_ZERO can be used to zero it.

		 */

		part = kmalloc(FLEX_ARRAY_PART_SIZE, flags);

		part = kmalloc(sizeof(struct flex_array_part), flags);

		if (!part)

			return NULL;

		if (!(flags & __GFP_ZERO))

			memset(part, FLEX_ARRAY_FREE,

				sizeof(struct flex_array_part));

		fa->parts[part_nr] = part;

	}

	return part;
@@ -228,7 +227,7 @@ int flex_array_clear(struct flex_array *fa, unsigned int element_nr) 
			return -EINVAL;

	}

	dst = &part->elements[index_inside_part(fa, element_nr)];

	memset(dst, 0, fa->element_size);

	memset(dst, FLEX_ARRAY_FREE, fa->element_size);

	return 0;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE