kernel: mem_slab: always validate memory address on free

xodus7 · nashif · commit 76bceb9ed29d · 2024-11-16T15:54:56.000-05:00
Allowing an invalid address to be "freed" when asserts are disabled
is dangerous and can lead to a very hard class of bugs (and potential
security issues) to troubleshoot. This change always validates the
address before adding it to the free list and calls k_panic() if
asserts are not enabled.

Signed-off-by: Corey Wharton &lt;xodus7@cwharton.com&gt;
diff --git a/kernel/mem_slab.c b/kernel/mem_slab.c
@@ -204,7 +204,6 @@ int k_mem_slab_init(struct k_mem_slab *slab, void *buffer,
 	return rc;
 }
 
-#if __ASSERT_ON
 static bool slab_ptr_is_good(struct k_mem_slab *slab, const void *ptr)
 {
 	const char *p = ptr;
@@ -214,7 +213,6 @@ static bool slab_ptr_is_good(struct k_mem_slab *slab, const void *ptr)
 	       (offset < (slab->info.block_size * slab->info.num_blocks)) &&
 	       ((offset % slab->info.block_size) == 0);
 }
-#endif
 
 int k_mem_slab_alloc(struct k_mem_slab *slab, void **mem, k_timeout_t timeout)
 {
@@ -267,9 +265,13 @@ int k_mem_slab_alloc(struct k_mem_slab *slab, void **mem, k_timeout_t timeout)
 
 void k_mem_slab_free(struct k_mem_slab *slab, void *mem)
 {
-	k_spinlock_key_t key = k_spin_lock(&slab->lock);
+	if (!slab_ptr_is_good(slab, mem)) {
+		__ASSERT(false, "Invalid memory pointer provided");
+		k_panic();
+		return;
+	}
 
-	__ASSERT(slab_ptr_is_good(slab, mem), "Invalid memory pointer provided");
+	k_spinlock_key_t key = k_spin_lock(&slab->lock);
 
 	SYS_PORT_TRACING_OBJ_FUNC_ENTER(k_mem_slab, free, slab);
 	if ((slab->free_list == NULL) && IS_ENABLED(CONFIG_MULTITHREADING)) {

Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,6 @@ int k_mem_slab_init(struct k_mem_slab slab, void buffer,`
`204`	`204`	`return rc;`
`205`	`205`	`}`
`206`	`206`
`207`		`-#if __ASSERT_ON`
`208`	`207`	`static bool slab_ptr_is_good(struct k_mem_slab slab, const void ptr)`
`209`	`208`	`{`
`210`	`209`	`const char *p = ptr;`
`@@ -214,7 +213,6 @@ static bool slab_ptr_is_good(struct k_mem_slab slab, const void ptr)`
`214`	`213`	`(offset < (slab->info.block_size * slab->info.num_blocks)) &&`
`215`	`214`	`((offset % slab->info.block_size) == 0);`
`216`	`215`	`}`
`217`		`-#endif`
`218`	`216`
`219`	`217`	`int k_mem_slab_alloc(struct k_mem_slab slab, void *mem, k_timeout_t timeout)`
`220`	`218`	`{`
`@@ -267,9 +265,13 @@ int k_mem_slab_alloc(struct k_mem_slab slab, void *mem, k_timeout_t timeout)`
`267`	`265`
`268`	`266`	`void k_mem_slab_free(struct k_mem_slab slab, void mem)`
`269`	`267`	`{`
`270`		`- k_spinlock_key_t key = k_spin_lock(&slab->lock);`
	`268`	`+ if (!slab_ptr_is_good(slab, mem)) {`
	`269`	`+ __ASSERT(false, "Invalid memory pointer provided");`
	`270`	`+ k_panic();`
	`271`	`+ return;`
	`272`	`+ }`
`271`	`273`
`272`		`- __ASSERT(slab_ptr_is_good(slab, mem), "Invalid memory pointer provided");`
	`274`	`+ k_spinlock_key_t key = k_spin_lock(&slab->lock);`
`273`	`275`
`274`	`276`	`SYS_PORT_TRACING_OBJ_FUNC_ENTER(k_mem_slab, free, slab);`
`275`	`277`	`if ((slab->free_list == NULL) && IS_ENABLED(CONFIG_MULTITHREADING)) {`