linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Christoph Lameter <cl@linux.com>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Linux-MM <linux-mm@kvack.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm: Add additional consistency check
Date: Fri, 31 Mar 2017 17:04:00 -0700	[thread overview]
Message-ID: <CAGXu5jK8RrHwa1Uv464=5+T5iBnhhx796CdLcJMAA88wi8bzaA@mail.gmail.com> (raw)
In-Reply-To: <20170331143317.3865149a6b6112f0d1a63499@linux-foundation.org>

On Fri, Mar 31, 2017 at 2:33 PM, Andrew Morton
<akpm@linux-foundation.org> wrote:
> On Fri, 31 Mar 2017 09:40:28 -0700 Kees Cook <keescook@chromium.org> wrote:
>
>> As found in PaX, this adds a cheap check on heap consistency, just to
>> notice if things have gotten corrupted in the page lookup.
>
> "As found in PaX" isn't a very illuminating justification for such a
> change.  Was there a real kernel bug which this would have exposed, or
> what?

I don't know off the top of my head, but given the kinds of heap
attacks I've been seeing, I think this added consistency check is
worth it given how inexpensive it is. When heap metadata gets
corrupted, we can get into nasty side-effects that can be
attacker-controlled, so better to catch obviously bad states as early
as possible.

>> --- a/mm/slab.h
>> +++ b/mm/slab.h
>> @@ -384,6 +384,7 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
>>               return s;
>>
>>       page = virt_to_head_page(x);
>> +     BUG_ON(!PageSlab(page));
>>       cachep = page->slab_cache;
>>       if (slab_equal_or_root(cachep, s))
>>               return cachep;
>
> BUG_ON might be too severe.  I expect the kindest VM_WARN_ON_ONCE()
> would suffice here, but without more details it is hard to say.

So, WARN isn't enough to protect the kernel (execution continues and
the memory is still dereferenced for malicious purposes, etc). Perhaps
use CHECK_DATA_CORRUPTION() here, which can either WARN and take a
"safe" path, or BUG (depending on config paranoia of the builder).
I've got a series adding it in a number of other places, so I could
add this patch to that series?

-Kees

-- 
Kees Cook
Pixel Security

  reply	other threads:[~2017-04-01  0:04 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-31 16:40 [PATCH] mm: Add additional consistency check Kees Cook
2017-03-31 21:33 ` Andrew Morton
2017-04-01  0:04   ` Kees Cook [this message]
2017-04-03  3:40     ` Michael Ellerman
2017-04-03 14:03       ` Christoph Lameter
2017-04-03 14:53         ` Matthew Wilcox
2017-04-04 11:30 ` Michal Hocko
2017-04-04 15:07   ` Christoph Lameter
2017-04-04 15:16     ` Michal Hocko
2017-04-04 15:46       ` Kees Cook
2017-04-04 15:58         ` Michal Hocko
2017-04-04 16:02           ` Kees Cook
2017-04-04 19:13       ` Christoph Lameter
2017-04-04 19:42         ` Michal Hocko
2017-04-04 19:58           ` Christoph Lameter
2017-04-04 20:13             ` Michal Hocko
2017-04-11  4:58               ` Kees Cook
2017-04-11 13:46                 ` Michal Hocko
2017-04-11 14:14                   ` Kees Cook
2017-04-11 14:19                     ` Michal Hocko
2017-04-11 16:05                       ` Kees Cook
2017-04-11 16:16                       ` Christoph Lameter
2017-04-11 16:19                         ` Kees Cook
2017-04-11 16:23                           ` Christoph Lameter
2017-04-11 16:30                             ` Kees Cook
2017-04-11 16:26                           ` Christoph Lameter
2017-04-11 16:41                         ` Michal Hocko
2017-04-11 18:03                           ` Christoph Lameter
2017-04-11 18:30                             ` Michal Hocko
2017-04-11 18:44                               ` Christoph Lameter
2017-04-11 18:55                                 ` Michal Hocko
2017-04-11 18:59                                   ` Christoph Lameter
2017-04-11 19:39                                     ` Michal Hocko
2017-04-17 15:22                                       ` Christoph Lameter
2017-04-18  6:41                                         ` Michal Hocko
2017-04-18 13:31                                           ` Christoph Lameter
2017-04-18 13:37                                           ` Christoph Lameter
2017-04-28  1:11                       ` Kees Cook
2017-04-28  6:16                         ` Michal Hocko
2017-04-27 12:06   ` Michal Hocko
2017-04-11 18:30 ` Christoph Lameter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGXu5jK8RrHwa1Uv464=5+T5iBnhhx796CdLcJMAA88wi8bzaA@mail.gmail.com' \
    --to=keescook@chromium.org \
    --cc=akpm@linux-foundation.org \
    --cc=cl@linux.com \
    --cc=iamjoonsoo.kim@lge.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=penberg@kernel.org \
    --cc=rientjes@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).