From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752453AbcAFCGl (ORCPT ); Tue, 5 Jan 2016 21:06:41 -0500 Received: from mail-pa0-f48.google.com ([209.85.220.48]:36743 "EHLO mail-pa0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751043AbcAFCGi (ORCPT ); Tue, 5 Jan 2016 21:06:38 -0500 Subject: Re: [RFC][PATCH 1/7] mm/slab_common.c: Add common support for slab saniziation To: Kees Cook , Vlastimil Babka References: <1450755641-7856-1-git-send-email-laura@labbott.name> <1450755641-7856-2-git-send-email-laura@labbott.name> <5679B701.9040802@suse.cz> Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , LKML , "kernel-hardening@lists.openwall.com" , Mathias Krause From: Laura Abbott Message-ID: <568C76AB.1060804@labbott.name> Date: Tue, 5 Jan 2016 18:06:35 -0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/5/16 4:17 PM, Kees Cook wrote: > On Tue, Dec 22, 2015 at 12:48 PM, Vlastimil Babka wrote: >> On 22.12.2015 4:40, Laura Abbott wrote: >>> Each of the different allocators (SLAB/SLUB/SLOB) handles >>> clearing of objects differently depending on configuration. >>> Add common infrastructure for selecting sanitization levels >>> (off, slow path only, partial, full) and marking caches as >>> appropriate. >>> >>> All credit for the original work should be given to Brad Spengler and >>> the PaX Team. >>> >>> Signed-off-by: Laura Abbott >>> >>> +#ifdef CONFIG_SLAB_MEMORY_SANITIZE >>> +#ifdef CONFIG_X86_64 >>> +#define SLAB_MEMORY_SANITIZE_VALUE '\xfe' >>> +#else >>> +#define SLAB_MEMORY_SANITIZE_VALUE '\xff' >>> +#endif >>> +enum slab_sanitize_mode { >>> + /* No sanitization */ >>> + SLAB_SANITIZE_OFF = 0, >>> + >>> + /* Partial sanitization happens only on the slow path */ >>> + SLAB_SANITIZE_PARTIAL_SLOWPATH = 1, >> >> Can you explain more about this variant? I wonder who might find it useful >> except someone getting a false sense of security, but cheaper. >> It sounds like wanting the cake and eat it too :) >> I would be surprised if such IMHO half-solution existed in the original >> PAX_MEMORY_SANITIZE too? >> >> Or is there something that guarantees that the objects freed on hotpath won't >> stay there for long so the danger of leak is low? (And what about >> use-after-free?) It depends on further slab activity, no? (I'm not that familiar >> with SLUB, but I would expect the hotpath there being similar to SLAB freeing >> the object on per-cpu array_cache. But, it seems the PARTIAL_SLOWPATH is not >> implemented for SLAB, so there might be some fundamental difference I'm missing.) > > Perhaps the partial sanitize could be a separate patch so it's > features were more logically separated? > I've done some more thinking and testing and I'm just going to drop the slowpath idea. It helps some benchmarks but not enough. The concept is out there if it's worth picking up later. Thanks, Laura From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pa0-f50.google.com (mail-pa0-f50.google.com [209.85.220.50]) by kanga.kvack.org (Postfix) with ESMTP id 928786B0003 for ; Tue, 5 Jan 2016 21:06:39 -0500 (EST) Received: by mail-pa0-f50.google.com with SMTP id cy9so224632814pac.0 for ; Tue, 05 Jan 2016 18:06:39 -0800 (PST) Received: from mail-pa0-x235.google.com (mail-pa0-x235.google.com. [2607:f8b0:400e:c03::235]) by mx.google.com with ESMTPS id tw2si44369892pab.238.2016.01.05.18.06.38 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Jan 2016 18:06:38 -0800 (PST) Received: by mail-pa0-x235.google.com with SMTP id yy13so132103008pab.3 for ; Tue, 05 Jan 2016 18:06:38 -0800 (PST) Subject: Re: [RFC][PATCH 1/7] mm/slab_common.c: Add common support for slab saniziation References: <1450755641-7856-1-git-send-email-laura@labbott.name> <1450755641-7856-2-git-send-email-laura@labbott.name> <5679B701.9040802@suse.cz> From: Laura Abbott Message-ID: <568C76AB.1060804@labbott.name> Date: Tue, 5 Jan 2016 18:06:35 -0800 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Kees Cook , Vlastimil Babka Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , LKML , "kernel-hardening@lists.openwall.com" , Mathias Krause On 1/5/16 4:17 PM, Kees Cook wrote: > On Tue, Dec 22, 2015 at 12:48 PM, Vlastimil Babka wrote: >> On 22.12.2015 4:40, Laura Abbott wrote: >>> Each of the different allocators (SLAB/SLUB/SLOB) handles >>> clearing of objects differently depending on configuration. >>> Add common infrastructure for selecting sanitization levels >>> (off, slow path only, partial, full) and marking caches as >>> appropriate. >>> >>> All credit for the original work should be given to Brad Spengler and >>> the PaX Team. >>> >>> Signed-off-by: Laura Abbott >>> >>> +#ifdef CONFIG_SLAB_MEMORY_SANITIZE >>> +#ifdef CONFIG_X86_64 >>> +#define SLAB_MEMORY_SANITIZE_VALUE '\xfe' >>> +#else >>> +#define SLAB_MEMORY_SANITIZE_VALUE '\xff' >>> +#endif >>> +enum slab_sanitize_mode { >>> + /* No sanitization */ >>> + SLAB_SANITIZE_OFF = 0, >>> + >>> + /* Partial sanitization happens only on the slow path */ >>> + SLAB_SANITIZE_PARTIAL_SLOWPATH = 1, >> >> Can you explain more about this variant? I wonder who might find it useful >> except someone getting a false sense of security, but cheaper. >> It sounds like wanting the cake and eat it too :) >> I would be surprised if such IMHO half-solution existed in the original >> PAX_MEMORY_SANITIZE too? >> >> Or is there something that guarantees that the objects freed on hotpath won't >> stay there for long so the danger of leak is low? (And what about >> use-after-free?) It depends on further slab activity, no? (I'm not that familiar >> with SLUB, but I would expect the hotpath there being similar to SLAB freeing >> the object on per-cpu array_cache. But, it seems the PARTIAL_SLOWPATH is not >> implemented for SLAB, so there might be some fundamental difference I'm missing.) > > Perhaps the partial sanitize could be a separate patch so it's > features were more logically separated? > I've done some more thinking and testing and I'm just going to drop the slowpath idea. It helps some benchmarks but not enough. The concept is out there if it's worth picking up later. Thanks, Laura -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Reply-To: kernel-hardening@lists.openwall.com References: <1450755641-7856-1-git-send-email-laura@labbott.name> <1450755641-7856-2-git-send-email-laura@labbott.name> <5679B701.9040802@suse.cz> From: Laura Abbott Message-ID: <568C76AB.1060804@labbott.name> Date: Tue, 5 Jan 2016 18:06:35 -0800 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: [kernel-hardening] Re: [RFC][PATCH 1/7] mm/slab_common.c: Add common support for slab saniziation To: Kees Cook , Vlastimil Babka Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , LKML , "kernel-hardening@lists.openwall.com" , Mathias Krause List-ID: On 1/5/16 4:17 PM, Kees Cook wrote: > On Tue, Dec 22, 2015 at 12:48 PM, Vlastimil Babka wrote: >> On 22.12.2015 4:40, Laura Abbott wrote: >>> Each of the different allocators (SLAB/SLUB/SLOB) handles >>> clearing of objects differently depending on configuration. >>> Add common infrastructure for selecting sanitization levels >>> (off, slow path only, partial, full) and marking caches as >>> appropriate. >>> >>> All credit for the original work should be given to Brad Spengler and >>> the PaX Team. >>> >>> Signed-off-by: Laura Abbott >>> >>> +#ifdef CONFIG_SLAB_MEMORY_SANITIZE >>> +#ifdef CONFIG_X86_64 >>> +#define SLAB_MEMORY_SANITIZE_VALUE '\xfe' >>> +#else >>> +#define SLAB_MEMORY_SANITIZE_VALUE '\xff' >>> +#endif >>> +enum slab_sanitize_mode { >>> + /* No sanitization */ >>> + SLAB_SANITIZE_OFF = 0, >>> + >>> + /* Partial sanitization happens only on the slow path */ >>> + SLAB_SANITIZE_PARTIAL_SLOWPATH = 1, >> >> Can you explain more about this variant? I wonder who might find it useful >> except someone getting a false sense of security, but cheaper. >> It sounds like wanting the cake and eat it too :) >> I would be surprised if such IMHO half-solution existed in the original >> PAX_MEMORY_SANITIZE too? >> >> Or is there something that guarantees that the objects freed on hotpath won't >> stay there for long so the danger of leak is low? (And what about >> use-after-free?) It depends on further slab activity, no? (I'm not that familiar >> with SLUB, but I would expect the hotpath there being similar to SLAB freeing >> the object on per-cpu array_cache. But, it seems the PARTIAL_SLOWPATH is not >> implemented for SLAB, so there might be some fundamental difference I'm missing.) > > Perhaps the partial sanitize could be a separate patch so it's > features were more logically separated? > I've done some more thinking and testing and I'm just going to drop the slowpath idea. It helps some benchmarks but not enough. The concept is out there if it's worth picking up later. Thanks, Laura