Re: [PATCH] crypto: ccp - zero the cmd data after use it

2020-08-03 Thread Liwei Song



On 8/4/20 12:22, Herbert Xu wrote:
> On Tue, Aug 04, 2020 at 12:20:21PM +0800, Liwei Song wrote:
>>
>> Yes, the other process should do this zero work, but the case I met is
>> this address will appear in the slab_alloc_node() as freelist pointer of slub,
>> and before slub do zero work, even kzalloc() doesn't work with this address.
> 
> That would be memory corruption which has nothing to do with your
> patch.  If it is occurring then you should fix the place that is
> corrupting the memory and not work around it like this.

OK, understand, thanks for your suggestion.

Liwei.


> 
> Cheers,
> 


Re: [PATCH] crypto: ccp - zero the cmd data after use it

2020-08-03 Thread Herbert Xu
On Tue, Aug 04, 2020 at 12:20:21PM +0800, Liwei Song wrote:
>
> Yes, the other process should do this zero work, but the case I met is
> this address will appear in the slab_alloc_node() as freelist pointer of slub,
> and before slub do zero work, even kzalloc() doesn't work with this address.

That would be memory corruption which has nothing to do with your
patch.  If it is occurring then you should fix the place that is
corrupting the memory and not work around it like this.

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
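
Added illustration, not part of the thread and not kernel code: a toy allocator that, like SLUB, keeps the link to the next free object inside the freed object itself (placed at offset 0 here as an assumption; all `toy_*` names are hypothetical). It shows that zeroing `entry` before the free does not change what the allocator later reads, while a write to `entry.next` after the free replaces the link with `LIST_POISON1`, which is the kind of memory corruption the reply above says to track down.

```c
#include <stdio.h>
#include <string.h>

#define LIST_POISON1 ((void *)0x100)  /* kernel value, minus the per-arch delta */
#define NOBJ 4

struct list_head { struct list_head *next, *prev; };
struct toy_cmd   { struct list_head entry; char payload[48]; };

static struct toy_cmd slab[NOBJ];
static void *freelist;                /* head of the chain of free objects */

/* A free object stores the link to the next free object in its first word. */
static void toy_free(void *obj) { memcpy(obj, &freelist, sizeof freelist); freelist = obj; }

static void *toy_zalloc(void)
{
    void *obj = freelist;
    memcpy(&freelist, obj, sizeof freelist);  /* link is read BEFORE zeroing */
    memset(obj, 0, sizeof(struct toy_cmd));
    return obj;
}

static struct toy_cmd *toy_fresh_cmd(void)    /* reset cache, take slab[0] */
{
    freelist = NULL;
    for (int i = NOBJ - 1; i >= 0; i--) toy_free(&slab[i]);
    return toy_zalloc();
}

/* zero_first=1 zeroes the object before freeing it, as the patch proposes. */
static void *freelist_after_free(int zero_first)
{
    struct toy_cmd *cmd = toy_fresh_cmd();
    cmd->entry.next = LIST_POISON1;   /* what list_del() leaves behind */
    if (zero_first) memset(cmd, 0, sizeof(*cmd));
    toy_free(cmd);                    /* first word is overwritten by the link */
    toy_zalloc();                     /* cmd is handed out again */
    return freelist;                  /* same result with or without zeroing */
}

/* A write to entry.next AFTER the free replaces the free link itself. */
static void *freelist_after_stale_write(void)
{
    struct toy_cmd *cmd = toy_fresh_cmd();
    toy_free(cmd);
    cmd->entry.next = LIST_POISON1;   /* use-after-free write */
    toy_zalloc();
    return freelist;                  /* the next allocation would follow this */
}

int main(void)
{
    printf("free, no zeroing:   %p\n", freelist_after_free(0));
    printf("free after zeroing: %p\n", freelist_after_free(1));
    printf("stale write:        %p\n", freelist_after_stale_write());
    return 0;
}
```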


Re: [PATCH] crypto: ccp - zero the cmd data after use it

2020-08-03 Thread Liwei Song



On 8/4/20 12:04, Herbert Xu wrote:
> On Tue, Aug 04, 2020 at 11:51:47AM +0800, Liwei Song wrote:
>>
>> On 8/3/20 20:52, Herbert Xu wrote:
>>> On Mon, Aug 03, 2020 at 03:58:58PM +0800, Liwei Song wrote:
>>>> exist the following assignment in ccp(ignore the force
>>>> convert of the struct) by list_del in ccp_dequeue_cmd():
>>>> req->__ctx->cmd->entry->next = LIST_POISON1;
>>>>
>>>> after use the req, kzfree(req) can not zero the entry
>>>> entry->next = LIST_POISON1 of the ccp_cmd(cmd) struct
>>>> when this address available as slub freelist pointer, this will cause
>>>> the following "general protection fault" error if some process meet
>>>> this LIST_POISON1 value address when request memory:
>>>
>>> Your description makes no sense.  Please rewrite it and explain
>>> the problem properly.
>>
>> The problem here is that the entry of struct ccp_cmd is not zeroed after we use it,
>> If the other process got this address by kmalloc(), this illegal value "LIST_POISON1"
>> will cause "general protection fault" error.
> 
> If that's the case surely the other process should be zeroing
> the memory? Your explanation still makes no sense.

Yes, the other process should do this zero work, but the case I met is
this address will appear in the slab_alloc_node() as freelist pointer of slub,
and before slub do zero work, even kzalloc() doesn't work with this address.

Thanks,
Liwei.


> 
> Thanks,
> 


Re: [PATCH] crypto: ccp - zero the cmd data after use it

2020-08-03 Thread Herbert Xu
On Tue, Aug 04, 2020 at 11:51:47AM +0800, Liwei Song wrote:
> 
> On 8/3/20 20:52, Herbert Xu wrote:
> > On Mon, Aug 03, 2020 at 03:58:58PM +0800, Liwei Song wrote:
> >> exist the following assignment in ccp(ignore the force
> >> convert of the struct) by list_del in ccp_dequeue_cmd():
> >> req->__ctx->cmd->entry->next = LIST_POISON1;
> >>
> >> after use the req, kzfree(req) can not zero the entry
> >> entry->next = LIST_POISON1 of the ccp_cmd(cmd) struct
> >> when this address available as slub freelist pointer, this will cause
> >> the following "general protection fault" error if some process meet
> >> this LIST_POISON1 value address when request memory:
> > 
> > Your description makes no sense.  Please rewrite it and explain
> > the problem properly.
> 
> The problem here is that the entry of struct ccp_cmd is not zeroed after we use it,
> If the other process got this address by kmalloc(), this illegal value "LIST_POISON1"
> will cause "general protection fault" error.

If that's the case surely the other process should be zeroing
the memory? Your explanation still makes no sense.

Thanks,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Re: [PATCH] crypto: ccp - zero the cmd data after use it

2020-08-03 Thread Liwei Song



On 8/3/20 20:52, Herbert Xu wrote:
> On Mon, Aug 03, 2020 at 03:58:58PM +0800, Liwei Song wrote:
>> exist the following assignment in ccp(ignore the force
>> convert of the struct) by list_del in ccp_dequeue_cmd():
>> req->__ctx->cmd->entry->next = LIST_POISON1;
>>
>> after use the req, kzfree(req) can not zero the entry
>> entry->next = LIST_POISON1 of the ccp_cmd(cmd) struct
>> when this address available as slub freelist pointer, this will cause
>> the following "general protection fault" error if some process meet
>> this LIST_POISON1 value address when request memory:
> 
> Your description makes no sense.  Please rewrite it and explain
> the problem properly.

The problem here is that the entry of struct ccp_cmd is not zeroed after we use it,
If the other process got this address by kmalloc(), this illegal value "LIST_POISON1"
will cause "general protection fault" error.

Thanks,
Liwei.


> 
> Thanks,
> 


Re: [PATCH] crypto: ccp - zero the cmd data after use it

2020-08-03 Thread Herbert Xu
On Mon, Aug 03, 2020 at 03:58:58PM +0800, Liwei Song wrote:
> exist the following assignment in ccp(ignore the force
> convert of the struct) by list_del in ccp_dequeue_cmd():
> req->__ctx->cmd->entry->next = LIST_POISON1;
> 
> after use the req, kzfree(req) can not zero the entry
> entry->next = LIST_POISON1 of the ccp_cmd(cmd) struct
> when this address available as slub freelist pointer, this will cause
> the following "general protection fault" error if some process meet
> this LIST_POISON1 value address when request memory:

Your description makes no sense.  Please rewrite it and explain
the problem properly.

Thanks,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt