Date: Mon, 1 Jun 2015 16:50:50 +0000
From: "Gumpula, Suresh" <Suresh.Gumpula@netapp.com>
To: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Use after free check for all private zones too
Message-ID: <D19203B6.3975C%gsuresh@netapp.com>
In-Reply-To: <D16D1B68.377D6%gsuresh@netapp.com>
References: <D16D1B68.377D6%gsuresh@netapp.com>
[-- Attachment #1 --]

Hi,
I have attached the diff. Can somebody please review and commit this?

Thanks
Suresh

On 5/4/15, 12:49 PM, "Gumpula, Suresh" <Suresh.Gumpula@netapp.com> wrote:

>Hi,
> Currently the use after free check is available for power of 2 malloc
>zones (mtrash_ctor/mtrash_dtor), which writes uma_junk (0xdeadc0de) on
>freed memory and validates on reusing the object for others.
> Similarly we (NETAPP) have added a check for all other private zones
>too with trash_ctor/trash_dtor. We pass the trash_ctor/trash_dtor
>to uma_zcreate(9) if it is called with NULL for constructor/destructor.
>This change uncovered a couple of bugs internally. One of these is the
>tcp timer bug
>https://svnweb.freebsd.org/base?view=revision&revision=281599
>
>It's a useful check and uncovers use after free bugs. Would like to push
>this change. Any comments/suggestions please?
>
>Thanks
>Suresh

[-- Attachment #2 --]

diff -urN head/sys/vm/uma_core.c zone_cpu_cache/sys/vm/uma_core.c
--- head/sys/vm/uma_core.c	2014-11-13 20:36:45.011406000 -0500
+++ zone_cpu_cache/sys/vm/uma_core.c	2015-05-21 10:33:41.239568000 -0400
@@ -1939,6 +1939,17 @@ args.dtor = dtor; args.uminit = uminit; args.fini = fini; +#ifdef INVARIANTS + /*If a zone is being created with an empty constructor and destructor , pass UMA constructor/destructor + which check for use after free of memory + */ + if ((!(flags & UMA_ZONE_ZINIT)) && ctor == NULL && dtor == NULL && uminit == NULL && fini == NULL) { + args.ctor = trash_ctor; + args.dtor = trash_dtor; + args.uminit = trash_init; + args.fini = trash_fini; + } +#endif args.align = align; args.flags = flags; args.keg = NULL; diff -urN head/sys/vm/uma_dbg.c zone_cpu_cache/sys/vm/uma_dbg.c --- head/sys/vm/uma_dbg.c 2014-11-13 20:36:44.814400000 -0500 +++ zone_cpu_cache/sys/vm/uma_dbg.c 2015-05-21 10:36:04.858468000 -0400 @@ -69,8 +69,11 @@ for (p = mem; cnt > 0; cnt--, p++) if (*p != uma_junk) { - printf("Memory modified after free %p(%d) val=%x @ %p\n", - mem, size, *p, p); +#ifdef INVARIANTS + panic("Memory modified after free %p(%d) val=%x @ %p\n", mem, size, *p, p); +#else + printf("Memory modified after free %p(%d) val=%x @ %p\n", mem, size, *p, p); +#endif return (0); } return (0);help
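Review bot: the guard in the uma_core.c hunk is stricter than the cover note ("NULL for constructor/destructor"): it also requires `uminit == NULL && fini == NULL`, so a zone that supplies its own uminit/fini but no ctor/dtor gets no trash check. That is presumably deliberate, since a caller-supplied uminit would not write uma_junk into a fresh slab and the first allocation from it would then trip trash_ctor (the same reason UMA_ZONE_ZINIT is excluded), but the comment should say so rather than only "empty constructor and destructor". The comment block also does not follow style(9): put `/*` and `*/` on their own lines with the text aligned under ` * `, and drop the space before the comma. Worth a sentence in the comment too that every INVARIANTS kernel now scans each item of every such zone on alloc and free (trash_ctor walks the whole item word by word), which is a measurable cost for large-item zones.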
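Review bot: the panic() string in the uma_dbg.c hunk keeps the trailing `\n`; panic() appends its own newline, so drop it from `panic("Memory modified after free %p(%d) val=%x @ %p\n", ...)` (the printf in the `#else` branch keeps it). The `return (0);` that follows is dead code under INVARIANTS, which is harmless but worth knowing. Both new lines also re-flow the previously wrapped printf onto one line; keep the original two-line wrapping (`printf("...",` / `mem, size, *p, p);`) so the lines stay within 80 columns.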
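As an added user-space illustration of the check the message describes (example code written here, not part of the patch or of FreeBSD's uma_dbg.c): the junk value 0xdeadc0de and the "Memory modified after free" report come from the thread; `trash_fill`, `trash_check`, the toy `struct zone` and `demo` are my own names, and a plain LIFO free list stands in for UMA's slab and bucket machinery. The destructor side fills a freed item with the pattern, the constructor side scans it on the next allocation, and a write through a stale pointer is reported with the offset of the first damaged word.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Junk pattern UMA writes into freed items (uma_junk in the thread). */
#define UMA_JUNK 0xdeadc0deU

/* Destructor side: overwrite a freed item with the junk pattern. Like UMA,
 * only whole 32-bit words are covered; a trailing partial word is unchecked. */
void trash_fill(void *mem, size_t size)
{
	uint32_t *p = mem;

	for (size_t cnt = size / sizeof(*p); cnt > 0; cnt--, p++)
		*p = UMA_JUNK;
}

/* Constructor side: verify the pattern survived while the item was free.
 * Returns the byte offset of the first modified word, or -1 if intact. */
long trash_check(const void *mem, size_t size)
{
	const uint32_t *p = mem;

	for (size_t i = 0; i < size / sizeof(*p); i++)
		if (p[i] != UMA_JUNK)
			return (long)(i * sizeof(*p));
	return -1;
}

/* Toy fixed-size zone with a LIFO free list: a hypothetical stand-in for a
 * UMA zone created with NULL ctor/dtor, not UMA's own data structure. */
struct zone {
	size_t item_size;
	unsigned char *store;	/* backing memory for all items */
	void **freelist;	/* stack of free items */
	size_t nfree;
	long last_bad_offset;	/* -1, or what trash_check reported last */
};

int zone_init(struct zone *z, size_t item_size, size_t nitems)
{
	z->item_size = item_size;
	z->nfree = 0;
	z->last_bad_offset = -1;
	z->store = malloc(item_size * nitems);
	z->freelist = malloc(nitems * sizeof(void *));
	if (z->store == NULL || z->freelist == NULL)
		return -1;
	/* Items start free and junk-filled, as trash_init does for a new slab. */
	for (size_t i = 0; i < nitems; i++) {
		void *item = z->store + i * item_size;
		trash_fill(item, item_size);
		z->freelist[z->nfree++] = item;
	}
	return 0;
}

void *zone_alloc(struct zone *z)
{
	if (z->nfree == 0)
		return NULL;
	void *item = z->freelist[--z->nfree];
	long off = trash_check(item, z->item_size);
	if (off >= 0) {	/* trash_ctor's report; UMA panics here under INVARIANTS */
		z->last_bad_offset = off;
		fprintf(stderr, "Memory modified after free %p(%zu) val=%" PRIx32 " @ %p\n",
		    item, z->item_size, ((uint32_t *)item)[off / 4], (void *)((char *)item + off));
	}
	return item;
}

void zone_free(struct zone *z, void *item)
{
	trash_fill(item, z->item_size);
	z->freelist[z->nfree++] = item;
}

/* A write through a stale pointer is caught by the next allocation, which the
 * LIFO free list makes return the same item. Returns the reported offset (20),
 * or -1 when the object is used correctly (use_after_free == 0). */
long demo(int use_after_free)
{
	struct zone z;

	if (zone_init(&z, 64, 4) != 0)
		return -2;
	uint32_t *obj = zone_alloc(&z);
	obj[5] = 2;
	zone_free(&z, obj);
	if (use_after_free)
		obj[5] = 0x41414141;	/* bug: object already freed */
	(void)zone_alloc(&z);
	long off = z.last_bad_offset;
	free(z.store);
	free(z.freelist);
	return off;
}
```

`demo(1)` returns 20 (word 5 of a 64-byte item) and prints the report to stderr; `demo(0)` returns -1. The same word-granular scan is why the kernel check cannot see a stray write into a trailing partial word, and why the `#ifdef INVARIANTS` cost in the patch scales with item size.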
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D19203B6.3975C%gsuresh>
