From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Laight
To: 'Christopher Lameter', Kees Cook
CC: Andrew Morton, Pekka Enberg, David Rientjes, Joonsoo Kim, Daniel Micay, Vitaly Nikolenko, Silvio Cesare, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: RE: [PATCH] slub: Relocate freelist pointer to middle of object
Date: Wed, 11 Mar 2020 14:48:05 +0000
Message-ID: <6fbf67b5936a44feaf9ad5b58d39082b@AcuMS.aculab.com>
References: <202003051624.AAAC9AECC@keescook>
Sender: owner-linux-mm@kvack.org

From: Christopher Lameter
> Sent: 08 March 2020 19:21
>
> On Thu, 5 Mar 2020, Kees Cook wrote:
>
> > Instead of having the freelist pointer at the very beginning of an
> > allocation (offset 0) or at the very end of an allocation (effectively
> > offset -sizeof(void *) from the next allocation), move it away from
> > the edges of the allocation and into the middle. This provides some
> > protection against small-sized neighboring overflows (or underflows),
> > for which the freelist pointer is commonly the target. (Large or well
> > controlled overwrites are much more likely to attack live object contents,
> > instead of attempting freelist corruption.)
>
> Sounds good. You could even randomize the position to avoid attacks via
> the freelist pointer.

Random overwrites could be detected (fairly cheaply) by putting two copies
of the pointer into the same cacheline in the buffer.
Or better make the second one 'pointer xor constant'.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
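The two ideas in this exchange, a freelist pointer moved to the middle of a freed object and a second copy stored as `pointer xor constant` so that random overwrites of the freed object are noticed, can be modelled in a few lines of user-space C. The following is an added example written for this note; it is not SLUB code and not code from any participant in the thread. The object size, the pointer offset, the XOR constant and the function names (`set_freeptr`, `get_freeptr`, `overflow_detected`, `roundtrip_ok`) are all assumptions of this toy model, and the "neighbouring overflow" is simulated by writing 0x41 bytes from offset 0 of the freed object, where an overrun from the preceding object would land.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a freed slab object (assumed layout, not SLUB's). */
#define OBJ_SIZE   64u
/* Freelist pointer sits in the middle of the object, away from both edges. */
#define FP_OFFSET  (OBJ_SIZE / 2)
/* Constant mixed into the second copy; any non-zero value works for the demo. */
#define FP_XOR_CONST ((uintptr_t)0x5a5a5a5a5a5a5a5aULL)

struct freed_obj {
    unsigned char bytes[OBJ_SIZE];
};

/* Store the freelist "next" pointer twice, adjacent, in the same cacheline:
 * the raw value at FP_OFFSET and (value ^ FP_XOR_CONST) right after it. */
static void set_freeptr(struct freed_obj *o, void *next)
{
    uintptr_t p = (uintptr_t)next;
    uintptr_t q = p ^ FP_XOR_CONST;
    memcpy(o->bytes + FP_OFFSET, &p, sizeof p);
    memcpy(o->bytes + FP_OFFSET + sizeof p, &q, sizeof q);
}

/* Read the pointer back; returns false (corruption detected) unless the
 * second copy still equals the first copy XOR the constant. */
static bool get_freeptr(const struct freed_obj *o, void **next)
{
    uintptr_t p, q;
    memcpy(&p, o->bytes + FP_OFFSET, sizeof p);
    memcpy(&q, o->bytes + FP_OFFSET + sizeof p, sizeof q);
    if ((p ^ FP_XOR_CONST) != q)
        return false;
    *next = (void *)p;
    return true;
}

/* Untouched object: the stored pointer must come back unchanged. */
int roundtrip_ok(void)
{
    struct freed_obj o;
    void *next = NULL;
    int marker = 0;
    memset(&o, 0, sizeof o);
    set_freeptr(&o, &marker);
    return get_freeptr(&o, &next) && next == (void *)&marker;
}

/* Simulate an overrun of `len` bytes of 0x41 spilling from the previous
 * object into this freed object starting at offset 0.
 * Returns 1 if the paired-pointer check flags the object, 0 otherwise. */
int overflow_detected(size_t len)
{
    struct freed_obj o;
    void *next = NULL;
    memset(&o, 0, sizeof o);
    set_freeptr(&o, (void *)&o);          /* any valid-looking "next" value */
    if (len > OBJ_SIZE)
        len = OBJ_SIZE;
    memset(o.bytes, 0x41, len);           /* the simulated neighbouring overflow */
    return get_freeptr(&o, &next) ? 0 : 1;
}

int main(void)
{
    printf("roundtrip ok:          %d\n", roundtrip_ok());
    printf("16-byte overrun:       %s\n", overflow_detected(16) ? "detected" : "pointer untouched");
    printf("40-byte overrun:       %s\n", overflow_detected(40) ? "detected" : "missed");
    printf("whole-object overrun:  %s\n", overflow_detected(OBJ_SIZE) ? "detected" : "missed");
    return 0;
}
```

A 16-byte overrun never reaches offset 32, which is the protection the relocated pointer gives on its own; a 40-byte overrun clobbers the first copy but not the second, and a whole-object fill clobbers both with the same pattern, and both cases fail the `p ^ const == q` check. The check only catches overwrites that do not reproduce the relationship between the two copies, which is why the constant matters: with plain duplication a uniform fill would pass.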