Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Aug 2017 19:17:26 +0300
From: Alexander Popov <>
To: Kees Cook <>,
	Andrew Morton <>,
	Christoph Lameter <>,
	Pekka Enberg <>,
	David Rientjes <>,
	Joonsoo Kim <>,
	Paul E McKenney <>,
	Ingo Molnar <>,
	Tejun Heo <>,
	Andy Lutomirski <>,
	Nicolas Pitre <>,,
	Rik van Riel <>,
	Tycho Andersen <>,
	Alexander Popov <>,,
Subject: [linux-next][PATCH v2] mm/slub.c: add a naive detection of double free or corruption

Add an assertion similar to "fasttop" check in GNU C Library allocator
as a part of SLAB_FREELIST_HARDENED feature. An object added to a singly
linked freelist should not point to itself. That helps to detect some
double free errors (e.g. CVE-2017-2636) without slub_debug and KASAN.

Signed-off-by: Alexander Popov <>
 mm/slub.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mm/slub.c b/mm/slub.c
index b9c7f1a..77b2781 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -290,6 +290,10 @@ static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
 	unsigned long freeptr_addr = (unsigned long)object + s->offset;
+	BUG_ON(object == fp); /* naive detection of double free or corruption */
 	*(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.