Re: [PATCH] Make LIST_POISON less deadly

From: Ingo Molnar
Date: Mon May 19 2008 - 09:02:26 EST

* Avi Kivity <avi@xxxxxxxxxxxx> wrote:

> The list macros use LIST_POISON1 and LIST_POISON2 as undereferencable
> pointers in order to trap erronous use of freed list_heads.
> Unfortunately userspace can arrange for those pointers to actually be
> dereferencable, potentially turning an oops to an expolit.
> To avoid this allow architectures (currently x86_64 only) to override
> the default values for these pointers with truly-undereferncable
> values. This is easy on x86_64 as the virtual address space is smaller
> than the range spanned by pointer values.

nice idea!

i'd suggest a slightly different solution:

> +/*
> + * Define LIST_POISON[12] as pointers that cannot be dereferenced.
> + */
> +#ifdef CONFIG_X86_84
> +# undef LIST_POISON1
> +# undef LIST_POISON2
> +# define LIST_POISON1 ((void *)0x8001000100010001L)
> +# define LIST_POISON2 ((void *)0x8002000200020002L)
> +#endif

i'd suggest to add an ARCH_ILLEGAL_POINTER define instead, which
defaults to zero and gets added to pointer-ish poison values. That makes
it both simpler and also it does not need any include/asm changes
because ARCH_ILLEGAL_POINTER can be set from the Kconfig space.


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at