From: Kent Overstreet <kent.overstreet@linux.dev>
To: Vlastimil Babka <vbabka@suse.cz>
Cc: Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Roman Gushchin <roman.gushchin@linux.dev>,
Hyeonggon Yoo <42.hyeyoo@gmail.com>,
"GONG, Ruiqi" <gongruiqi@huaweicloud.com>,
Xiu Jianfeng <xiujianfeng@huawei.com>,
Suren Baghdasaryan <surenb@google.com>,
Jann Horn <jannh@google.com>,
Matteo Rizzo <matteorizzo@google.com>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-hardening@vger.kernel.org,
jvoisin <julien.voisin@dustri.org>
Subject: Re: [PATCH v2 0/9] slab: Introduce dedicated bucket allocator
Date: Mon, 25 Mar 2024 15:32:12 -0400 [thread overview]
Message-ID: <24vn56fs7oohqgw3rhssiwglmviruqnt44y6oeajzvskostcrr@7jzhmxjbhcha> (raw)
In-Reply-To: <5e1571de-2c5a-4be4-93f4-01582094ee96@suse.cz>
On Mon, Mar 25, 2024 at 10:03:23AM +0100, Vlastimil Babka wrote:
> On 3/5/24 11:10 AM, Kees Cook wrote:
> > Hi,
> >
> > Repeating the commit logs for patch 4 here:
> >
> > Dedicated caches are available For fixed size allocations via
> > kmem_cache_alloc(), but for dynamically sized allocations there is only
> > the global kmalloc API's set of buckets available. This means it isn't
> > possible to separate specific sets of dynamically sized allocations into
> > a separate collection of caches.
> >
> > This leads to a use-after-free exploitation weakness in the Linux
> > kernel since many heap memory spraying/grooming attacks depend on using
> > userspace-controllable dynamically sized allocations to collide with
> > fixed size allocations that end up in same cache.
> >
> > While CONFIG_RANDOM_KMALLOC_CACHES provides a probabilistic defense
> > against these kinds of "type confusion" attacks, including for fixed
> > same-size heap objects, we can create a complementary deterministic
> > defense for dynamically sized allocations.
> >
> > In order to isolate user-controllable sized allocations from system
> > allocations, introduce kmem_buckets_create(), which behaves like
> > kmem_cache_create(). (The next patch will introduce kmem_buckets_alloc(),
> > which behaves like kmem_cache_alloc().)
> >
> > Allows for confining allocations to a dedicated set of sized caches
> > (which have the same layout as the kmalloc caches).
> >
> > This can also be used in the future once codetag allocation annotations
> > exist to implement per-caller allocation cache isolation[0] even for
> > dynamic allocations.
> >
> > Link: https://lore.kernel.org/lkml/202402211449.401382D2AF@keescook [0]
> >
> > After the implemetation are 2 example patches of how this could be used
> > for some repeat "offenders" that get used in exploits. There are more to
> > be isolated beyond just these. Repeating the commit log for patch 8 here:
> >
> > The msg subsystem is a common target for exploiting[1][2][3][4][5][6]
> > use-after-free type confusion flaws in the kernel for both read and
> > write primitives. Avoid having a user-controlled size cache share the
> > global kmalloc allocator by using a separate set of kmalloc buckets.
> >
> > Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1]
> > Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2]
> > Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3]
> > Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4]
> > Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5]
> > Link: https://zplin.me/papers/ELOISE.pdf [6]
>
> Hi Kees,
>
> after reading [1] I think the points should be addressed, mainly about the
> feasibility of converting users manually. On a related technical note I
> worry what will become of /proc/slabinfo when we convert non-trivial amounts
> of users.
There shouldn't be any need to convert users to this interface - just
leverage the alloc_hooks() macro.
next prev parent reply other threads:[~2024-03-25 19:32 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-05 10:10 [PATCH v2 0/9] slab: Introduce dedicated bucket allocator Kees Cook
2024-03-05 10:10 ` [PATCH v2 1/9] slab: Introduce kmem_buckets typedef Kees Cook
2024-03-05 10:10 ` [PATCH v2 2/9] slub: Plumb kmem_buckets into __do_kmalloc_node() Kees Cook
2024-03-05 10:10 ` [PATCH v2 3/9] util: Introduce __kvmalloc_node() that can take kmem_buckets argument Kees Cook
2024-03-05 10:10 ` [PATCH v2 4/9] slab: Introduce kmem_buckets_create() Kees Cook
2024-03-25 19:40 ` Kent Overstreet
2024-03-25 20:40 ` Kees Cook
2024-03-25 21:49 ` Kent Overstreet
2024-03-25 23:13 ` Kees Cook
2024-03-05 10:10 ` [PATCH v2 5/9] slab: Introduce kmem_buckets_alloc() Kees Cook
2024-03-05 10:10 ` [PATCH v2 6/9] slub: Introduce kmem_buckets_alloc_track_caller() Kees Cook
2024-03-05 10:10 ` [PATCH v2 7/9] slab: Introduce kmem_buckets_valloc() Kees Cook
2024-03-05 10:10 ` [PATCH v2 8/9] ipc, msg: Use dedicated slab buckets for alloc_msg() Kees Cook
2024-03-05 10:10 ` [PATCH v2 9/9] mm/util: Use dedicated slab buckets for memdup_user() Kees Cook
2024-03-06 1:47 ` [PATCH v2 0/9] slab: Introduce dedicated bucket allocator GONG, Ruiqi
2024-03-07 20:31 ` Kees Cook
2024-03-15 10:28 ` GONG, Ruiqi
2024-03-25 9:03 ` Vlastimil Babka
2024-03-25 18:24 ` Kees Cook
2024-03-26 18:07 ` julien.voisin
2024-03-26 19:41 ` Kees Cook
2024-03-25 19:32 ` Kent Overstreet [this message]
2024-03-25 20:26 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=24vn56fs7oohqgw3rhssiwglmviruqnt44y6oeajzvskostcrr@7jzhmxjbhcha \
--to=kent.overstreet@linux.dev \
--cc=42.hyeyoo@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=gongruiqi@huaweicloud.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=jannh@google.com \
--cc=julien.voisin@dustri.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=matteorizzo@google.com \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=surenb@google.com \
--cc=vbabka@suse.cz \
--cc=xiujianfeng@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.