From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>,
Matthew Wilcox <willy@infradead.org>,
Alexander Popov <alex.popov@linux.com>,
Alexander Potapenko <glider@google.com>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH 0/3] mm/slab: Improved sanity checking
Date: Wed, 29 May 2019 21:50:14 -0700
Message-ID: <20190530045017.15252-1-keescook@chromium.org>
Hi,

This adds defenses against slab cache confusion (as seen in real-world
exploits[1]) and gracefully handles type confusions when trying to look
up slab caches from an arbitrary page. (Also included is patch 3: new LKDTM
tests for these defenses as well as for the existing double-free detection.
To avoid possible merge conflicts, I'd prefer patch 3 went via drivers/misc,
which I will send to Greg separately, but I've included it here to help
illustrate the issues.)

-Kees

[1] https://github.com/ThomasKing2014/slides/raw/master/Building%20universal%20Android%20rooting%20with%20a%20type%20confusion%20vulnerability.pdf

Kees Cook (3):
mm/slab: Validate cache membership under freelist hardening
mm/slab: Sanity-check page type when looking up cache
lkdtm/heap: Add tests for freelist hardening
drivers/misc/lkdtm/core.c | 5 +++
drivers/misc/lkdtm/heap.c | 72 ++++++++++++++++++++++++++++++++++++++
drivers/misc/lkdtm/lkdtm.h | 5 +++
mm/slab.c | 14 ++++----
mm/slab.h | 29 +++++++++------
5 files changed, 107 insertions(+), 18 deletions(-)
--
2.17.1
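The three checks the series describes (cache membership on free, page-type sanity before trusting a page's cache pointer, and the existing double-free detection exercised by the LKDTM tests) can be modelled outside the kernel. The following is an added, self-contained model written for this archive page; it is not code from the series or from mm/slab. Every name in it (toy_page, toy_cache, toy_free, toy_virt_to_cache, the TOY_* status codes, the scenario_* functions) is constructed for illustration, and the "pages" and "caches" are plain static structs rather than real kernel objects.

```c
/* Model of the slab-free sanity checks discussed in the cover letter.
 * Added example, not kernel code: all types, names and status codes are
 * constructed here for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE      64
#define OBJS_PER_PAGE 4

struct toy_cache;

enum toy_status {
    TOY_OK = 0,
    TOY_NOT_SLAB,      /* page is not a slab page: its cache pointer is untrusted */
    TOY_WRONG_CACHE,   /* object belongs to a different cache (cache confusion) */
    TOY_DOUBLE_FREE    /* object is already at the head of the freelist */
};

/* A "page" records whether it backs a slab and, if so, which cache owns it
 * (stand-ins for PageSlab() and page->slab_cache). */
struct toy_page {
    int is_slab;
    struct toy_cache *slab_cache;
    void *freelist;
    char storage[OBJS_PER_PAGE * OBJ_SIZE];
};

struct toy_cache {
    const char *name;
    size_t size;
    struct toy_page *page;
};

/* Page-type sanity check: only a slab page's cache pointer may be used. */
static struct toy_cache *toy_virt_to_cache(struct toy_page *page, enum toy_status *st)
{
    if (!page || !page->is_slab) {
        *st = TOY_NOT_SLAB;
        return NULL;
    }
    *st = TOY_OK;
    return page->slab_cache;
}

/* Free obj back to cache s, refusing if the object's page is not a slab
 * page, belongs to another cache, or is already the freelist head. The
 * double-free check, like the hardened freelist check it models, only
 * catches an immediate repeat free, not one separated by other frees. */
static enum toy_status toy_free(struct toy_cache *s, struct toy_page *page, void *obj)
{
    enum toy_status st;
    struct toy_cache *owner = toy_virt_to_cache(page, &st);

    if (st != TOY_OK)
        return st;
    if (owner != s)
        return TOY_WRONG_CACHE;
    if (page->freelist == obj)
        return TOY_DOUBLE_FREE;

    /* Link the object onto the freelist: next pointer stored in the object. */
    memcpy(obj, &page->freelist, sizeof(void *));
    page->freelist = obj;
    return TOY_OK;
}

/* Constructed fixtures: two slab pages for two caches, plus a page that is
 * no longer a slab page but still carries a stale cache pointer. */
static struct toy_page page_a, page_b, page_stale;
static struct toy_cache cache_a = { "cache_a", OBJ_SIZE, &page_a };
static struct toy_cache cache_b = { "cache_b", OBJ_SIZE, &page_b };

static void toy_init(void)
{
    memset(&page_a, 0, sizeof page_a);
    memset(&page_b, 0, sizeof page_b);
    memset(&page_stale, 0, sizeof page_stale);
    page_a.is_slab = 1;     page_a.slab_cache = &cache_a;
    page_b.is_slab = 1;     page_b.slab_cache = &cache_b;
    page_stale.is_slab = 0; page_stale.slab_cache = &cache_a; /* stale, must be ignored */
}

/* Scenarios return the status the free path reports. */
static enum toy_status scenario_correct_free(void)
{
    toy_init();
    return toy_free(&cache_a, &page_a, page_a.storage);
}

static enum toy_status scenario_cache_confusion(void)
{
    toy_init();
    return toy_free(&cache_a, &page_b, page_b.storage); /* cache_b object freed to cache_a */
}

static enum toy_status scenario_non_slab_page(void)
{
    toy_init();
    return toy_free(&cache_a, &page_stale, page_stale.storage);
}

static enum toy_status scenario_double_free(void)
{
    toy_init();
    toy_free(&cache_a, &page_a, page_a.storage);
    return toy_free(&cache_a, &page_a, page_a.storage);
}

int main(void)
{
    printf("correct free:    %d\n", scenario_correct_free());
    printf("cache confusion: %d\n", scenario_cache_confusion());
    printf("non-slab page:   %d\n", scenario_non_slab_page());
    printf("double free:     %d\n", scenario_double_free());
    return 0;
}
```

The ordering inside toy_free matters: the page-type check runs before the cache pointer is dereferenced, so a stale or attacker-influenced slab_cache field on a non-slab page is never consulted, and the membership check runs before the object touches the freelist, so a confused free cannot leave an object of one cache on another cache's list.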