Re: [PATCH 4/5] slab: Set freed variables to NULL by default

From: Jann Horn
Date: Thu Mar 27 2025 - 15:24:38 EST


On Sat, Mar 22, 2025 at 8:18 AM Kees Cook <kees@xxxxxxxxxx> wrote:
> On Sat, Mar 22, 2025 at 02:50:15AM +0100, Jann Horn wrote:
> > On Fri, Mar 21, 2025 at 9:41 PM Kees Cook <kees@xxxxxxxxxx> wrote:
> > > To defang a subset of "dangling pointer" use-after-free flaws[1], take the
> > > address of any lvalues passed to kfree() and set them to NULL after
> > > freeing.
> > >
> > > To do this manually, kfree_and_null() (and the "sensitive" variant)
> > > are introduced.
> >
> > Unless callers of kfree() are allowed to rely on this behavior, we
> > might want to have an option to use a poison value instead of NULL for
> > this in debug builds.
>
> Sure -- we have many to choose from. Is there a specific one you think
> would be good?

Forgot to reply to this, sorry. No, I don't have a particular one in mind.
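As an added illustration, not code from the patch, from Kees or from the kernel tree: a userspace C stand-in for the free-and-null idiom under discussion. `free_and_null()`, `free_and_null_impl()`, `FREED_PTR_VALUE`, `FREED_PTR_POISON` and the `DEBUG_FREED_POISON` switch are all hypothetical names chosen here; the only thing taken from the thread is the idea of taking the address of the lvalue passed to the free routine, overwriting it after freeing, and optionally substituting a poison value for NULL in debug builds. The second function shows why the patch only defangs a *subset* of dangling-pointer bugs: a copy of the pointer held elsewhere is not cleared.

```c
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical poison value for debug builds (an assumption of this
 * example, not a value from the patch). A poison makes a later
 * dereference fault loudly instead of being silently tolerated by
 * code that happens to check for NULL. */
#define FREED_PTR_POISON ((void *)(uintptr_t)0xdead0000u)

#ifdef DEBUG_FREED_POISON
#define FREED_PTR_VALUE FREED_PTR_POISON
#else
#define FREED_PTR_VALUE NULL
#endif

/* Free the object and overwrite the caller's own variable. Taking the
 * address of the lvalue (rather than receiving a copy of the pointer)
 * is what lets the helper clear the caller's variable itself. */
static void free_and_null_impl(void **pp)
{
    free(*pp);
    *pp = FREED_PTR_VALUE;
}
#define free_and_null(p) free_and_null_impl((void **)&(p))

/* Returns 1 when the freeing variable was cleared to the sentinel. */
int demo_pointer_cleared(void)
{
    char *buf = malloc(32);
    if (!buf)
        return -1;
    strcpy(buf, "hello");
    free_and_null(buf);            /* 'buf' itself is rewritten */
    return buf == FREED_PTR_VALUE;
}

/* Returns 1 when a second copy of the pointer still holds the stale
 * address after the first copy was cleared: the limitation that makes
 * this a mitigation for a subset of use-after-free bugs only. The
 * alias is compared as an integer and never dereferenced. */
int demo_alias_still_dangling(void)
{
    char *buf = malloc(32);
    char *alias;
    uintptr_t original;

    if (!buf)
        return -1;
    alias = buf;                   /* second copy of the pointer */
    original = (uintptr_t)buf;
    free_and_null(buf);            /* only 'buf' is cleared */
    return buf == FREED_PTR_VALUE && (uintptr_t)alias == original;
}
```

Compile with `-DDEBUG_FREED_POISON` to see the poison variant; without it the helper behaves like the NULL-setting default. The runtime cost of the helper is a single store, which is why the approach is attractive as a default rather than a debug-only feature, while the alias case is what a reviewer should keep in mind when judging how much of a given bug class it actually closes.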