From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752836AbdFUAJU (ORCPT ); Tue, 20 Jun 2017 20:09:20 -0400 Received: from merlin.infradead.org ([205.233.59.134]:60230 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752377AbdFUAJS (ORCPT ); Tue, 20 Jun 2017 20:09:18 -0400 Subject: Re: [PATCH v2] mm: Allow slab_nomerge to be set at build time To: Kees Cook Cc: Christoph Lameter , Jonathan Corbet , Daniel Micay , David Windsor , Eric Biggers , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , "Rafael J. Wysocki" , Thomas Gleixner , Ingo Molnar , Mauro Carvalho Chehab , "Paul E. McKenney" , Arnd Bergmann , Andy Lutomirski , Nicolas Pitre , Tejun Heo , Daniel Mack , Sebastian Andrzej Siewior , Sergey Senozhatsky , Helge Deller , Rik van Riel , "linux-doc@vger.kernel.org" , Linux-MM , LKML References: <20170620230911.GA25238@beast> <1eb1cfff-14f0-8fa9-1b48-679865339646@infradead.org> 
From: Randy Dunlap Message-ID: <3299def6-0c86-3a5c-88d2-12f8c87e151f@infradead.org> Date: Tue, 20 Jun 2017 17:09:07 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/20/2017 04:29 PM, Kees Cook wrote: > On Tue, Jun 20, 2017 at 4:16 PM, Randy Dunlap wrote: >> On 06/20/2017 04:09 PM, Kees Cook wrote: >>> Some hardened environments want to build kernels with slab_nomerge >>> already set (so that they do not depend on remembering to set the kernel >>> command line option). This is desired to reduce the risk of kernel heap >>> overflows being able to overwrite objects from merged caches and changes >>> the requirements for cache layout control, increasing the difficulty of >>> these attacks. By keeping caches unmerged, these kinds of exploits can >>> usually only damage objects in the same cache (though the risk to metadata >>> exploitation is unchanged). >>> >>> Cc: Daniel Micay >>> Cc: David Windsor >>> Cc: Eric Biggers >>> Signed-off-by: Kees Cook >>> --- >>> v2: split out of slab whitelisting series >>> --- >>> Documentation/admin-guide/kernel-parameters.txt | 10 ++++++++-- >>> init/Kconfig | 14 ++++++++++++++ >>> mm/slab_common.c | 5 ++--- >>> 3 files changed, 24 insertions(+), 5 deletions(-) >> >>> diff --git a/init/Kconfig b/init/Kconfig >>> index 1d3475fc9496..ce813acf2f4f 100644 >>> --- a/init/Kconfig >>> +++ b/init/Kconfig 
>>> @@ -1891,6 +1891,20 @@ config SLOB >>> >>> endchoice >>> >>> +config SLAB_MERGE_DEFAULT >>> + bool "Allow slab caches to be merged" >>> + default y >>> + help >>> + For reduced kernel memory fragmentation, slab caches can be >>> + merged when they share the same size and other characteristics. >>> + This carries a risk of kernel heap overflows being able to >>> + overwrite objects from merged caches (and more easily control >>> + cache layout), which makes such heap attacks easier to exploit >>> + by attackers. By keeping caches unmerged, these kinds of exploits >>> + can usually only damage objects in the same cache. To disable >>> + merging at runtime, "slab_nomerge" can be passed on the kernel >>> + command line. >> >> command line or this option can be disabled in the kernel config. > > Isn't that implicit in that it is Kconfig help text? Happy to add it, > but seems redundant to me. > Just trying for completeness instead of being implicit. > >> >>> + >>> config SLAB_FREELIST_RANDOM >>> default n >>> depends on SLAB || SLUB >> >> -- >> ~Randy > > > -- ~Randy
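Review bot: The help text for SLAB_MERGE_DEFAULT in the init/Kconfig hunk describes the risk of merging but never states what answering N does, and its closing sentence only names "slab_nomerge", which matters just for a default-y build. Suggest ending the help with a line such as "Say N to keep slab caches unmerged by default", and, if the kernel-parameters.txt change (not quoted in this reply) adds a parameter that turns merging back on for such a build, naming that parameter here as well. The sentence "can usually only damage objects in the same cache" also drops the commit message's caveat that the risk to metadata exploitation is unchanged; carrying it into the help text would keep someone configuring a hardened kernel from overestimating what the option protects. Minor wording: "easier to exploit by attackers" is redundant, "easier to exploit" is enough.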