From: Andrey Konovalov <andreyknvl@google.com>
To: Kees Cook <keescook@chromium.org>,
Alexander Popov <alex.popov@linux.com>
Cc: Jann Horn <jannh@google.com>, Will Deacon <will@kernel.org>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Steven Rostedt <rostedt@goodmis.org>,
Peter Zijlstra <peterz@infradead.org>,
Krzysztof Kozlowski <krzk@kernel.org>,
Patrick Bellasi <patrick.bellasi@arm.com>,
David Howells <dhowells@redhat.com>,
Eric Biederman <ebiederm@xmission.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Laura Abbott <labbott@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
kasan-dev <kasan-dev@googlegroups.com>,
Linux Memory Management List <linux-mm@kvack.org>,
kernel-hardening@lists.openwall.com,
LKML <linux-kernel@vger.kernel.org>,
notify@kernel.org
Subject: Re: [PATCH RFC 1/2] mm: Extract SLAB_QUARANTINE from KASAN
Date: Mon, 17 Aug 2020 13:53:51 +0200 [thread overview]
Message-ID: <CAAeHK+yPFoQZanzjXBty8rM9eY4thv+ThdHX7mz-sgeg147F7w@mail.gmail.com> (raw)
In-Reply-To: <202008150939.A994680@keescook>
On Sat, Aug 15, 2020 at 6:52 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Thu, Aug 13, 2020 at 06:19:21PM +0300, Alexander Popov wrote:
> > Heap spraying is an exploitation technique that aims to put controlled
> > bytes at a predetermined memory location on the heap. Heap spraying for
> > exploiting use-after-free in the Linux kernel relies on the fact that on
> > kmalloc(), the slab allocator returns the address of the memory that was
> > recently freed. Allocating a kernel object with the same size and
> > controlled contents allows overwriting the vulnerable freed object.
> >
> > Let's extract slab freelist quarantine from KASAN functionality and
> > call it CONFIG_SLAB_QUARANTINE. This feature breaks widespread heap
> > spraying technique used for exploiting use-after-free vulnerabilities
> > in the kernel code.
> >
> > If this feature is enabled, freed allocations are stored in the quarantine
> > and can't be instantly reallocated and overwritten by the exploit
> > performing heap spraying.
[...]
> In doing this extraction, I wonder if function naming should be changed?
> If it's going to live a new life outside of KASAN proper, maybe call
> these functions quarantine_cache_*()? But perhaps that's too much
> churn...
If quarantine is to be used without the rest of KASAN, I'd prefer for
it to be separated from KASAN completely: move to e.g. mm/quarantine.c
and don't mention KASAN in function/config names.
next prev parent reply other threads:[~2020-08-17 11:54 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-13 15:19 [PATCH RFC 0/2] Break heap spraying needed for exploiting use-after-free Alexander Popov
2020-08-13 15:19 ` [PATCH RFC 1/2] mm: Extract SLAB_QUARANTINE from KASAN Alexander Popov
2020-08-15 16:52 ` Kees Cook
2020-08-17 11:53 ` Andrey Konovalov [this message]
2020-08-17 11:53 ` Andrey Konovalov
2020-08-17 17:32 ` Alexander Popov
2020-08-18 15:45 ` Andrey Konovalov
2020-08-18 15:45 ` Andrey Konovalov
2020-08-18 20:50 ` Alexander Popov
2020-08-15 18:54 ` Matthew Wilcox
2020-08-16 19:59 ` Pavel Machek
2020-08-17 21:03 ` Alexander Popov
2020-08-17 20:34 ` Alexander Popov
2020-08-13 15:19 ` [PATCH RFC 2/2] lkdtm: Add heap spraying test Alexander Popov
2020-08-15 16:59 ` Kees Cook
2020-08-17 17:54 ` Alexander Popov
2020-08-17 18:24 ` Eric W. Biederman
2020-08-17 18:24 ` Eric W. Biederman
2020-08-17 18:24 ` Eric W. Biederman
2020-08-17 19:24 ` Kees Cook
2020-08-17 19:24 ` Kees Cook
2020-08-14 21:01 ` [PATCH RFC 0/2] Break heap spraying needed for exploiting use-after-free Alexander Popov
2020-08-15 16:39 ` Kees Cook
2020-08-18 9:08 ` Alexander Popov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAAeHK+yPFoQZanzjXBty8rM9eY4thv+ThdHX7mz-sgeg147F7w@mail.gmail.com \
--to=andreyknvl@google.com \
--cc=akpm@linux-foundation.org \
--cc=alex.popov@linux.com \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=cl@linux.com \
--cc=dhowells@redhat.com \
--cc=dvyukov@google.com \
--cc=ebiederm@xmission.com \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hannes@cmpxchg.org \
--cc=iamjoonsoo.kim@lge.com \
--cc=jannh@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=krzk@kernel.org \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=masahiroy@kernel.org \
--cc=mhiramat@kernel.org \
--cc=notify@kernel.org \
--cc=patrick.bellasi@arm.com \
--cc=penberg@kernel.org \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=rostedt@goodmis.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.