From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-26.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D242C433DB for ; Fri, 12 Mar 2021 12:16:59 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id DB6CC64FFD for ; Fri, 12 Mar 2021 12:16:58 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org DB6CC64FFD Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 49AA18D034E; Fri, 12 Mar 2021 07:16:58 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 471838D0346; Fri, 12 Mar 2021 07:16:58 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 3390A8D034E; Fri, 12 Mar 2021 07:16:58 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0107.hostedemail.com [216.40.44.107]) by kanga.kvack.org (Postfix) with ESMTP id 14A758D0346 for ; Fri, 12 Mar 2021 07:16:58 -0500 (EST) Received: from smtpin21.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id BF451181FFCBC for ; Fri, 12 Mar 2021 12:16:57 +0000 (UTC) X-FDA: 77911121274.21.6B16A59 Received: from mail-qt1-f202.google.com (mail-qt1-f202.google.com [209.85.160.202]) by imf12.hostedemail.com (Postfix) with ESMTP id 2F911EB for ; Fri, 12 Mar 2021 12:16:53 +0000 (UTC) Received: by mail-qt1-f202.google.com with SMTP id m8so15622516qtp.14 for ; Fri, 12 Mar 2021 04:16:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=lKkSFyfUt4v/K1TZ3S0RPtMBMYYMM41WrxOgRZxr+i0=; b=gJGZNvjry+gw1+ZgyiRQ62ujkPUEFw4uDzOqg2hLxaDjdAvqKra4PKwRCgzEiVdu9k Wf8LlSX/3iIXYKXA1uPrYqvSsxBI0HZ3mDMoaV6UYUNLjFJcH6G64+HGPUsr8SI0iipK lg+6Irj5THH86N+UMxsJ/KjukjGqtq4xgSPK3rFzt2DBW5J5mEo7dIXSTvj8P6xTcqTu 4m01AufPnzboMGl8zVMDot71KxcBkzGJunAp6KSFr+qWxAulb1h2C3d+1Au44nkqVzLs x5F7kOWaNacpNawAPZ4E0hEXArNVaAj3d3vJEijJ3zfvw3fF7psXOldcwIp8edAZR8mG pDMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=lKkSFyfUt4v/K1TZ3S0RPtMBMYYMM41WrxOgRZxr+i0=; b=S6U0ntXsv/1IpYUl8jjs4cG3p3TEX04X5qInwj01awT8oDXll4cCKJAWkk69KoYAJh DXePDl7aJvRzD1MVidmOL/5GSZWe4FaFG0I5e46E+GoEx6e+/du/qjwbtQoaw64k/no7 gXc3zJr6G3aVUpDaQc0lPZo2lC4KdEZx/YknNBlX69daWebdUQzxsoKJ6v8RISVzaLy5 wBzbprX4eHDDY1daGVJd7QhngwiT66YrsDa7n+dKr+NZIlUIDvFxycyM8DAwpH3x9DjQ hkGDkEt8p9ltn0PYoFb2JEgw7nkvrsjOdqk90WYm0F9OGf9YNgJgyldOiwGKhq6eoShK WE1g== X-Gm-Message-State: AOAM530quQLRoC2RUVT8rkipM/2z48n3XL4rGAMk0vuXUAAWcxmOkiz7 ox1MGZrmWSHFhqOIKtY58ocmq1AWGg== X-Google-Smtp-Source: ABdhPJyvBuVMaYATBlEOlMHkInkkY8IVbtesmiJENmvpJ0bX2KRyf5zY9q6eiq0WVw9Noi4r0ZWGaaAxyQ== X-Received: from elver.muc.corp.google.com ([2a00:79e0:15:13:d5de:d45f:f79c:cb62]) (user=elver job=sendgmr) by 2002:a05:6214:80a:: with SMTP id df10mr12249434qvb.46.1615551416493; Fri, 12 Mar 2021 04:16:56 -0800 (PST) Date: Fri, 12 Mar 2021 13:16:53 +0100 Message-Id: <20210312121653.348518-1-elver@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.31.0.rc2.261.g7f71774620-goog Subject: [PATCH mm] kfence: zero guard page after out-of-bounds access From: Marco Elver To: elver@google.com, akpm@linux-foundation.org Cc: glider@google.com, dvyukov@google.com, andreyknvl@google.com, jannh@google.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, kasan-dev@googlegroups.com Content-Type: text/plain; charset="UTF-8" X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 2F911EB X-Stat-Signature: 6ewzbi6pqi7n4fgecaj48xxhdh98pxas Received-SPF: none (flex--elver.bounces.google.com>: No applicable sender policy available) receiver=imf12; identity=mailfrom; envelope-from="<3uFtLYAUKCKUJQaJWLTTLQJ.HTRQNSZc-RRPaFHP.TWL@flex--elver.bounces.google.com>"; helo=mail-qt1-f202.google.com; client-ip=209.85.160.202 X-HE-DKIM-Result: pass/pass X-HE-Tag: 1615551413-230760 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: After an out-of-bounds accesses, zero the guard page before re-protecting in kfence_guarded_free(). On one hand this helps make the failure mode of subsequent out-of-bounds accesses more deterministic, but could also prevent certain information leaks. Signed-off-by: Marco Elver --- mm/kfence/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/kfence/core.c b/mm/kfence/core.c index 3b8ec938470a..f7106f28443d 100644 --- a/mm/kfence/core.c +++ b/mm/kfence/core.c @@ -371,6 +371,7 @@ static void kfence_guarded_free(void *addr, struct kfence_metadata *meta, bool z /* Restore page protection if there was an OOB access. */ if (meta->unprotected_page) { + memzero_explicit((void *)ALIGN_DOWN(meta->unprotected_page, PAGE_SIZE), PAGE_SIZE); kfence_protect(meta->unprotected_page); meta->unprotected_page = 0; } -- 2.31.0.rc2.261.g7f71774620-goog