OrgZephyr/zephyr
OrgZephyr
/
zephyr
mirror of https://github.com/zephyrproject-rtos/zephyr.git
1
0
Fork 0
Code Issues Releases Wiki Activity

kernel: mem_slab: always validate memory address on free 

Allowing an invalid address to be "freed" when asserts are disabled
is dangerous and can lead to a very hard class of bugs (and potential
security issues) to troubleshoot. This change always validates the
address before adding it to the free list and calls k_panic() if
asserts are not enabled.

Signed-off-by: Corey Wharton <xodus7@cwharton.com>
This commit is contained in:
Corey Wharton 2024-10-23 14:36:25 -07:00 committed by Anas Nashif
parent e330b55f81
commit 76bceb9ed2
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
kernel/mem_slab.c
View File

@ -204,7 +204,6 @@ out:
return rc; return rc;
} }
#if __ASSERT_ON
static bool slab_ptr_is_good(struct k_mem_slab *slab, const void *ptr) static bool slab_ptr_is_good(struct k_mem_slab *slab, const void *ptr)
{ {
const char *p = ptr; const char *p = ptr;
@ -214,7 +213,6 @@ static bool slab_ptr_is_good(struct k_mem_slab *slab, const void *ptr)
(offset < (slab->info.block_size * slab->info.num_blocks)) && (offset < (slab->info.block_size * slab->info.num_blocks)) &&
((offset % slab->info.block_size) == 0); ((offset % slab->info.block_size) == 0);
} }
#endif
int k_mem_slab_alloc(struct k_mem_slab *slab, void **mem, k_timeout_t timeout) int k_mem_slab_alloc(struct k_mem_slab *slab, void **mem, k_timeout_t timeout)
{ {
@ -267,9 +265,13 @@ int k_mem_slab_alloc(struct k_mem_slab *slab, void **mem, k_timeout_t timeout)
void k_mem_slab_free(struct k_mem_slab *slab, void *mem) void k_mem_slab_free(struct k_mem_slab *slab, void *mem)
{ {
k_spinlock_key_t key = k_spin_lock(&slab->lock); if (!slab_ptr_is_good(slab, mem)) {
__ASSERT(false, "Invalid memory pointer provided");
k_panic();
return;
}
__ASSERT(slab_ptr_is_good(slab, mem), "Invalid memory pointer provided"); k_spinlock_key_t key = k_spin_lock(&slab->lock);
SYS_PORT_TRACING_OBJ_FUNC_ENTER(k_mem_slab, free, slab); SYS_PORT_TRACING_OBJ_FUNC_ENTER(k_mem_slab, free, slab);
if ((slab->free_list == NULL) && IS_ENABLED(CONFIG_MULTITHREADING)) { if ((slab->free_list == NULL) && IS_ENABLED(CONFIG_MULTITHREADING)) {