From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Silvio Cesare <silvio.cesare@gmail.com>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.5 20/44] slub: improve bit diffusion for freelist ptr obfuscation
Date: Sat, 11 Apr 2020 14:09:40 +0200 [thread overview]
Message-ID: <20200411115458.744487200@linuxfoundation.org> (raw)
In-Reply-To: <20200411115456.934174282@linuxfoundation.org>
From: Kees Cook <keescook@chromium.org>
commit 1ad53d9fa3f6168ebcf48a50e08b170432da2257 upstream.
Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak
in that the ptr and ptr address were usually so close that the first XOR
would result in an almost entirely 0-byte value[1], leaving most of the
"secret" number ultimately being stored after the third XOR. A single
blind memory content exposure of the freelist was generally sufficient to
learn the secret.
Add a swab() call to mix bits a little more. This is a cheap way (1
cycle) to make attacks need more than a single exposure to learn the
secret (or to know _where_ the exposure is in memory).
kmalloc-32 freelist walk, before:
ptr ptr_addr stored value secret
ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d)
ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d)
ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d)
ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d)
ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d)
...
after:
ptr ptr_addr stored value secret
ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)
[1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
Fixes: 2482ddec670f ("mm: add SLUB free list pointer obfuscation")
Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/202003051623.AF4F8CB@keescook
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -259,7 +259,7 @@ static inline void *freelist_ptr(const s
* freepointer to be restored incorrectly.
*/
return (void *)((unsigned long)ptr ^ s->random ^
- (unsigned long)kasan_reset_tag((void *)ptr_addr));
+ swab((unsigned long)kasan_reset_tag((void *)ptr_addr)));
#else
return ptr;
#endif
next prev parent reply other threads:[~2020-04-11 12:19 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-11 12:09 [PATCH 5.5 00/44] 5.5.17-rc1 review Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 01/44] cxgb4: fix MPS index overwrite when setting MAC address Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 02/44] ipv6: dont auto-add link-local address to lag ports Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 03/44] net: dsa: bcm_sf2: Do not register slave MDIO bus with OF Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 04/44] net: dsa: bcm_sf2: Ensure correct sub-node is parsed Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 05/44] net: dsa: mt7530: fix null pointer dereferencing in port5 setup Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 06/44] net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 07/44] net_sched: add a temporary refcnt for struct tcindex_data Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 08/44] net_sched: fix a missing refcnt in tcindex_init() Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 09/44] net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 10/44] slcan: Dont transmit uninitialized stack data in padding Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 11/44] tun: Dont put_page() for all negative return values from XDP program Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 12/44] mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 13/44] r8169: change back SG and TSO to be disabled by default Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 14/44] cxgb4: free MQPRIO resources in shutdown path Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 15/44] net: phy: at803x: fix clock sink configuration on ATH8030 and ATH8035 Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 16/44] s390: prevent leaking kernel address in BEAR Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 17/44] random: always use batched entropy for get_random_u{32,64} Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 18/44] usb: dwc3: gadget: Wrap around when skip TRBs Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 19/44] uapi: rename ext2_swab() to swab() and share globally in swab.h Greg Kroah-Hartman
2020-04-11 12:09 ` Greg Kroah-Hartman [this message]
2020-04-11 12:09 ` [PATCH 5.5 21/44] include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 22/44] ubi: fastmap: Free unused fastmap anchor peb during detach Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 23/44] RDMA/ucma: Put a lock around every call to the rdma_cm layer Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 24/44] RDMA/cma: Teach lockdep about the order of rtnl and lock Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 25/44] RDMA/siw: Fix passive connection establishment Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 26/44] Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 27/44] RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 28/44] blk-mq: Keep set->nr_hw_queues and set->map[].nr_queues in sync Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 29/44] fbcon: fix null-ptr-deref in fbcon_switch Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 30/44] driver core: Reevaluate dev->links.need_for_probe as suppliers are added Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 31/44] iommu/vt-d: Allow devices with RMRRs to use identity domain Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 32/44] tools/accounting/getdelays.c: fix netlink attribute length Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 33/44] hwrng: imx-rngc - fix an error path Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 34/44] ACPI: PM: Add acpi_[un]register_wakeup_handler() Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 35/44] platform/x86: intel_int0002_vgpio: Use acpi_register_wakeup_handler() Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 36/44] ASoC: tas2562: Fixed incorrect amp_level setting Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 37/44] ASoC: jz4740-i2s: Fix divider written at incorrect offset in register Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 38/44] IB/hfi1: Call kobject_put() when kobject_init_and_add() fails Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.5 39/44] IB/hfi1: Fix memory leaks in sysfs registration and unregistration Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.5 40/44] IB/mlx5: Replace tunnel mpls capability bits for tunnel_offloads Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.5 41/44] ARM: imx: Enable ARM_ERRATA_814220 for i.MX6UL and i.MX7D Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.5 42/44] ARM: imx: only select ARM_ERRATA_814220 for ARMv7-A Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.5 43/44] ceph: remove the extra slashes in the server path Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.5 44/44] ceph: canonicalize server path in place Greg Kroah-Hartman
2020-04-11 20:42 ` [PATCH 5.5 00/44] 5.5.17-rc1 review Guenter Roeck
2020-04-12 7:04 ` Naresh Kamboju
[not found] ` <20200411115456.934174282-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-04-14 10:36 ` Jon Hunter
2020-04-14 10:36 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200411115458.744487200@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=silvio.cesare@gmail.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.