All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] slub: Improve bit diffusion for freelist ptr obfuscation
@ 2020-03-06  0:24 Kees Cook
  2020-03-07 23:20 ` Sasha Levin
  0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2020-03-06  0:24 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim,
	Daniel Micay, Silvio Cesare, linux-mm, linux-kernel

Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak
in that the ptr and ptr address were usually so close that the first XOR
would result in an almost entirely 0-byte value[1], leaving most of the
"secret" number ultimately being stored after the third XOR. A single
blind memory content exposure of the freelist was generally sufficient
to learn the secret.

Add a swab() call to mix bits a little more. This is a cheap way
(1 cycle) to make attacks need more than a single exposure to learn
the secret (or to know _where_ the exposure is in memory).

kmalloc-32 freelist walk, before:

ptr              ptr_addr            stored value      secret
ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d)
ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d)
ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d)
ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d)
ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d)
...

after:

ptr              ptr_addr            stored value      secret
ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)

[1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html

Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
Fixes: 2482ddec670f ("mm: add SLUB free list pointer obfuscation")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 mm/slub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c
index 17dc00e33115..107d9d89cf96 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -259,7 +259,7 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
 	 * freepointer to be restored incorrectly.
 	 */
 	return (void *)((unsigned long)ptr ^ s->random ^
-			(unsigned long)kasan_reset_tag((void *)ptr_addr));
+			swab((unsigned long)kasan_reset_tag((void *)ptr_addr)));
 #else
 	return ptr;
 #endif
-- 
2.20.1


-- 
Kees Cook

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] slub: Improve bit diffusion for freelist ptr obfuscation
  2020-03-06  0:24 [PATCH] slub: Improve bit diffusion for freelist ptr obfuscation Kees Cook
@ 2020-03-07 23:20 ` Sasha Levin
  2020-03-08 21:51   ` Kees Cook
  0 siblings, 1 reply; 5+ messages in thread
From: Sasha Levin @ 2020-03-07 23:20 UTC (permalink / raw)
  To: Sasha Levin, Kees Cook, Andrew Morton
  Cc: Christoph Lameter, Pekka Enberg, stable, stable

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 1008 bytes --]

Hi

[This is an automated email]

This commit has been processed because it contains a "Fixes:" tag
fixing commit: 2482ddec670f ("mm: add SLUB free list pointer obfuscation").

The bot has tested the following trees: v5.5.8, v5.4.24, v4.19.108, v4.14.172.

v5.5.8: Build failed! Errors:
    mm/slub.c:262:4: error: implicit declaration of function ‘swab’; did you mean ‘swap’? [-Werror=implicit-function-declaration]

v5.4.24: Build failed! Errors:
    mm/slub.c:264:4: error: implicit declaration of function ‘swab’; did you mean ‘swap’? [-Werror=implicit-function-declaration]

v4.19.108: Failed to apply! Possible dependencies:
    d36a63a943e3 ("kasan, slub: fix more conflicts with CONFIG_SLAB_FREELIST_HARDENED")

v4.14.172: Failed to apply! Possible dependencies:
    d36a63a943e3 ("kasan, slub: fix more conflicts with CONFIG_SLAB_FREELIST_HARDENED")


NOTE: The patch will not be queued to stable trees until it is upstream.

How should we proceed with this patch?

-- 
Thanks
Sasha

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] slub: Improve bit diffusion for freelist ptr obfuscation
  2020-03-07 23:20 ` Sasha Levin
@ 2020-03-08 21:51   ` Kees Cook
  2020-03-09  0:51     ` Sasha Levin
  0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2020-03-08 21:51 UTC (permalink / raw)
  To: Sasha Levin; +Cc: Andrew Morton, Christoph Lameter, Pekka Enberg, stable

On Sat, Mar 07, 2020 at 11:20:37PM +0000, Sasha Levin wrote:
> Hi
> 
> [This is an automated email]
> 
> This commit has been processed because it contains a "Fixes:" tag
> fixing commit: 2482ddec670f ("mm: add SLUB free list pointer obfuscation").
> 
> The bot has tested the following trees: v5.5.8, v5.4.24, v4.19.108, v4.14.172.
> 
> v5.5.8: Build failed! Errors:
>     mm/slub.c:262:4: error: implicit declaration of function ‘swab’; did you mean ‘swap’? [-Werror=implicit-function-declaration]
> 

Eek; this must be missing an include that is implicit from something
recent? I will investigate...

-Kees

> v5.4.24: Build failed! Errors:
>     mm/slub.c:264:4: error: implicit declaration of function ‘swab’; did you mean ‘swap’? [-Werror=implicit-function-declaration]
> 
> v4.19.108: Failed to apply! Possible dependencies:
>     d36a63a943e3 ("kasan, slub: fix more conflicts with CONFIG_SLAB_FREELIST_HARDENED")
> 
> v4.14.172: Failed to apply! Possible dependencies:
>     d36a63a943e3 ("kasan, slub: fix more conflicts with CONFIG_SLAB_FREELIST_HARDENED")
> 
> 
> NOTE: The patch will not be queued to stable trees until it is upstream.
> 
> How should we proceed with this patch?
> 
> -- 
> Thanks
> Sasha

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] slub: Improve bit diffusion for freelist ptr obfuscation
  2020-03-08 21:51   ` Kees Cook
@ 2020-03-09  0:51     ` Sasha Levin
  2020-03-09 16:41       ` Kees Cook
  0 siblings, 1 reply; 5+ messages in thread
From: Sasha Levin @ 2020-03-09  0:51 UTC (permalink / raw)
  To: Kees Cook; +Cc: Andrew Morton, Christoph Lameter, Pekka Enberg, stable

On Sun, Mar 08, 2020 at 02:51:27PM -0700, Kees Cook wrote:
>On Sat, Mar 07, 2020 at 11:20:37PM +0000, Sasha Levin wrote:
>> Hi
>>
>> [This is an automated email]
>>
>> This commit has been processed because it contains a "Fixes:" tag
>> fixing commit: 2482ddec670f ("mm: add SLUB free list pointer obfuscation").
>>
>> The bot has tested the following trees: v5.5.8, v5.4.24, v4.19.108, v4.14.172.
>>
>> v5.5.8: Build failed! Errors:
>>     mm/slub.c:262:4: error: implicit declaration of function ‘swab’; did you mean ‘swap’? [-Werror=implicit-function-declaration]
>>
>
>Eek; this must be missing an include that is implicit from something
>recent? I will investigate...

swab() didn't exist "back then" :) It was introduced by d5767057c9a7
("uapi: rename ext2_swab() to swab() and share globally in swab.h"). I
can just take that patch to stable kernels.

-- 
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] slub: Improve bit diffusion for freelist ptr obfuscation
  2020-03-09  0:51     ` Sasha Levin
@ 2020-03-09 16:41       ` Kees Cook
  0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2020-03-09 16:41 UTC (permalink / raw)
  To: Sasha Levin; +Cc: Andrew Morton, Christoph Lameter, Pekka Enberg, stable

On Sun, Mar 08, 2020 at 08:51:12PM -0400, Sasha Levin wrote:
> On Sun, Mar 08, 2020 at 02:51:27PM -0700, Kees Cook wrote:
> > On Sat, Mar 07, 2020 at 11:20:37PM +0000, Sasha Levin wrote:
> > > Hi
> > > 
> > > [This is an automated email]
> > > 
> > > This commit has been processed because it contains a "Fixes:" tag
> > > fixing commit: 2482ddec670f ("mm: add SLUB free list pointer obfuscation").
> > > 
> > > The bot has tested the following trees: v5.5.8, v5.4.24, v4.19.108, v4.14.172.
> > > 
> > > v5.5.8: Build failed! Errors:
> > >     mm/slub.c:262:4: error: implicit declaration of function ‘swab’; did you mean ‘swap’? [-Werror=implicit-function-declaration]
> > > 
> > 
> > Eek; this must be missing an include that is implicit from something
> > recent? I will investigate...
> 
> swab() didn't exist "back then" :) It was introduced by d5767057c9a7
> ("uapi: rename ext2_swab() to swab() and share globally in swab.h"). I
> can just take that patch to stable kernels.

Ah, perfect. Yes, that would be very nice.

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-03-09 16:41 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-06  0:24 [PATCH] slub: Improve bit diffusion for freelist ptr obfuscation Kees Cook
2020-03-07 23:20 ` Sasha Levin
2020-03-08 21:51   ` Kees Cook
2020-03-09  0:51     ` Sasha Levin
2020-03-09 16:41       ` Kees Cook

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.