From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=cph+=44=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.9 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C26F9C0044D
	for <linux-mm@archiver.kernel.org>; Wed, 11 Mar 2020 17:37:45 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 3560620738
	for <linux-mm@archiver.kernel.org>; Wed, 11 Mar 2020 17:37:46 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="l8Y5WO63"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3560620738
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 25FB76B0037; Wed, 11 Mar 2020 13:37:45 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 20F176B006C; Wed, 11 Mar 2020 13:37:45 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 0D7E76B006E; Wed, 11 Mar 2020 13:37:45 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0135.hostedemail.com [216.40.44.135])
	by kanga.kvack.org (Postfix) with ESMTP id E72B26B0037
	for <linux-mm@kvack.org>; Wed, 11 Mar 2020 13:37:44 -0400 (EDT)
Received: from smtpin21.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay01.hostedemail.com (Postfix) with ESMTP id A7AC5180AD83B
	for <linux-mm@kvack.org>; Wed, 11 Mar 2020 17:37:44 +0000 (UTC)
X-FDA: 76583788848.21.dogs09_267a84570c13e
X-HE-Tag: dogs09_267a84570c13e
X-Filterd-Recvd-Size: 4435
Received: from mail-pf1-f194.google.com (mail-pf1-f194.google.com [209.85.210.194])
	by imf03.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Wed, 11 Mar 2020 17:37:44 +0000 (UTC)
Received: by mail-pf1-f194.google.com with SMTP id x2so1357578pfn.9
        for <linux-mm@kvack.org>; Wed, 11 Mar 2020 10:37:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=apEu9N/pFu25fe7Vqmx6y36i/WaTLbYKboYSmzmWmdI=;
        b=l8Y5WO63bmnms6wYDERKf+nPQ07ujfaSMsBS/MjhTJdIyr52i3qKwMRtlG+68DyuQb
         1eZctlrhU8ij5/BvkiFwIjETBRx3uUkdVn1hu1MimLHfwA3PhYNRv9GsL6jl7o9Rqbb2
         3f6hCbES4VNJC5sJbOEz7Vq3m/NZtxYj7wQrY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=apEu9N/pFu25fe7Vqmx6y36i/WaTLbYKboYSmzmWmdI=;
        b=UqxzofSzDh1UeEssGReYSdLRZQaXqTchSeo8LahrXkerkQ/7v2bdi080zkOAmgAnQ7
         8miR1F7QtIwZX9tYszXusv3PeaHONzWKRxAX8r6KSqNCEl2jqTAslcYiovZZSsnbXOEv
         1n4RVP3rKuAxIS0LEccLOgecdCleXVCbSIWKelRP3i+sHMx6drCnSBkUsKmWW+s5Pm+q
         rwa3yqq1cSOq58lR24rRR1H1mDbj2On9CnbsG97QGoTGOi8oOeZwKMWI7gRTkBNifx8t
         UJYCQwvOmBfmSdu8NyouK51R70j8Tsz0XHU6un85RFRYhoOHKTphBTtBPZeEj4oO731f
         PbmA==
X-Gm-Message-State: ANhLgQ3A6UcoT184vPQRv7afGvJE+iHh6uAN+j63UkmTfUsXMwc8LLvO
	aNUFYRYHAmwU97kKwRqdwE3Caw==
X-Google-Smtp-Source: ADFU+vswXXoOnWhIYDbnMCIFSjDRcmVBiJ4nhzgaFobMHV0hGKkrUvnoqselwWa48XEKR6xl0ZCVFw==
X-Received: by 2002:a62:f24d:: with SMTP id y13mr4093191pfl.27.1583948263031;
        Wed, 11 Mar 2020 10:37:43 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id i187sm11966774pfg.33.2020.03.11.10.37.41
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 11 Mar 2020 10:37:41 -0700 (PDT)
Date: Wed, 11 Mar 2020 10:37:40 -0700
From: Kees Cook <keescook@chromium.org>
To: David Laight <David.Laight@ACULAB.COM>
Cc: 'Christopher Lameter' <cl@linux.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Daniel Micay <danielmicay@gmail.com>,
	Vitaly Nikolenko <vnik@duasynt.com>,
	Silvio Cesare <silvio.cesare@gmail.com>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] slub: Relocate freelist pointer to middle of object
Message-ID: <202003111036.80DEE85@keescook>
References: <202003051624.AAAC9AECC@keescook>
 <alpine.DEB.2.21.2003081919290.14266@www.lameter.com>
 <6fbf67b5936a44feaf9ad5b58d39082b@AcuMS.aculab.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <6fbf67b5936a44feaf9ad5b58d39082b@AcuMS.aculab.com>
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Mar 11, 2020 at 02:48:05PM +0000, David Laight wrote:
> From: Christopher Lameter
> > Sent: 08 March 2020 19:21
> 
> > 
> > On Thu, 5 Mar 2020, Kees Cook wrote:
> > 
> > > Instead of having the freelist pointer at the very beginning of an
> > > allocation (offset 0) or at the very end of an allocation (effectively
> > > offset -sizeof(void *) from the next allocation), move it away from
> > > the edges of the allocation and into the middle. This provides some
> > > protection against small-sized neighboring overflows (or underflows),
> > > for which the freelist pointer is commonly the target. (Large or well
> > > controlled overwrites are much more likely to attack live object contents,
> > > instead of attempting freelist corruption.)
> > 
> > Sounds good. You could even randomize the position to avoid attacks on via
> > the freelist pointer.
> 
> Random overwrites could be detected (fairly cheaply) by putting two
> copies of the pointer into the same cacheline in the buffer.
> Or better make the second one 'pointer xor constant'.

My sense is that this starts to stray closer to "too much overhead" vs
the mitigation benefit against known heap metadata attacks. I'm open to
seeing patches, of course, though! :)

-- 
Kees Cook