Re: [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR

From: Kees Cook
Date: Fri Nov 18 2016 - 12:55:15 EST


On Fri, Nov 18, 2016 at 9:47 AM, Christoph Lameter <cl@xxxxxxxxx> wrote:
> On Thu, 17 Nov 2016, Michael Ellerman wrote:
>
>> Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
>> x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
>
> Well yes that was done so we do not add too many branches all over the
> kernel.....

There are actually very few callers of this macro. (Though it's
possible they're executed frequently.)

>> That no longer really works once we add the poison delta, so split it
>> into two checks. Assign x to a temporary to avoid evaluating it
>> twice (suggested by Kees Cook).
>
> And now you are doing just that.

In this case, what about the original < ZERO_SIZE_PTR check Michael
suggested? At least the one use in usercopy.c needs to be fixed, but
otherwise, it should be fine?

-Kees

--
Kees Cook
Nexus Security
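As an added example (not the patch under discussion and not kernel code as shipped), this puts the single-compare trick Michael describes next to the split two-check form with a temporary, and shows why the "<=" comparison stops working once the poison delta is folded into ZERO_SIZE_PTR; the POISON_POINTER_DELTA value and the test pointers are constructed assumptions.

```c
#include <stddef.h>

/* Constructed value for illustration; real kernels pick POISON_POINTER_DELTA
 * per architecture (assumption: a high, non-canonical delta like this one). */
#define POISON_POINTER_DELTA 0xdead000000000000UL

/* Pre-patch definition: ZERO_SIZE_PTR is the address 16. */
#define ZERO_SIZE_PTR_OLD ((void *)16)
/* Single-compare trick: true for NULL, ZERO_SIZE_PTR and (incidentally) 1..15. */
#define ZERO_OR_NULL_PTR_OLD(x) \
	((unsigned long)(x) <= (unsigned long)ZERO_SIZE_PTR_OLD)

/* Post-patch definition: the poison delta moves ZERO_SIZE_PTR out of the
 * low address range, so "<= ZERO_SIZE_PTR" no longer means "tiny value". */
#define ZERO_SIZE_PTR_NEW ((void *)(16 + POISON_POINTER_DELTA))
/* Two exact checks; the temporary evaluates x only once (GNU statement expression). */
#define ZERO_OR_NULL_PTR_NEW(x) ({ \
	void *_x = (void *)(x); \
	(_x == NULL || _x == ZERO_SIZE_PTR_NEW); })

/* What happens if the old "<=" trick is kept with the poisoned constant:
 * every ordinary pointer below the delta is misclassified as zero-or-null. */
#define ZERO_OR_NULL_PTR_BROKEN(x) \
	((unsigned long)(x) <= (unsigned long)ZERO_SIZE_PTR_NEW)

int zero_or_null_old(void *p)    { return ZERO_OR_NULL_PTR_OLD(p) ? 1 : 0; }
int zero_or_null_broken(void *p) { return ZERO_OR_NULL_PTR_BROKEN(p) ? 1 : 0; }
int zero_or_null_new(void *p)    { return ZERO_OR_NULL_PTR_NEW(p) ? 1 : 0; }

/* Counts how many times the macro argument is evaluated. */
static int eval_count;
static void *counted(void *p) { eval_count++; return p; }

int evaluations_for_new_macro(void *p)
{
	eval_count = 0;
	(void)ZERO_OR_NULL_PTR_NEW(counted(p));
	return eval_count;
}
```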