Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751362AbdFYT4Y (ORCPT ); Sun, 25 Jun 2017 15:56:24 -0400 Received: from mail-it0-f47.google.com ([209.85.214.47]:37178 "EHLO mail-it0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751136AbdFYT4W (ORCPT ); Sun, 25 Jun 2017 15:56:22 -0400 MIME-Version: 1.0 In-Reply-To: <20170623015010.GA137429@beast> References: <20170623015010.GA137429@beast> From: Kees Cook Date: Sun, 25 Jun 2017 12:56:21 -0700 X-Google-Sender-Auth: GL9uS8mJKyGa440hk2uSmsImAXI Message-ID: Subject: Re: [PATCH v2] mm: Add SLUB free list pointer obfuscation To: Christoph Lameter , Andrew Morton Cc: Laura Abbott , Daniel Micay , Pekka Enberg , David Rientjes , Joonsoo Kim , "Paul E. McKenney" , Ingo Molnar , Josh Triplett , Andy Lutomirski , Nicolas Pitre , Tejun Heo , Daniel Mack , Sebastian Andrzej Siewior , Sergey Senozhatsky , Helge Deller , Rik van Riel , LKML , Linux-MM , "kernel-hardening@lists.openwall.com" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1145 Lines: 33 On Thu, Jun 22, 2017 at 6:50 PM, Kees Cook wrote: > This SLUB free list pointer obfuscation code is modified from Brad > Spengler/PaX Team's code in the last public patch of grsecurity/PaX based > on my understanding of the code. Changes or omissions from the original > code are mine and don't reflect the original grsecurity/PaX code. > > This adds a per-cache random value to SLUB caches that is XORed with > their freelist pointers. This adds nearly zero overhead and frustrates the > very common heap overflow exploitation method of overwriting freelist > pointers. A recent example of the attack is written up here: > http://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit BTW, to quantify "nearly zero overhead", I ran multiple 200-run cycles of "hackbench -g 20 -l 1000", and saw: before: mean 10.11882499999999999995 variance .03320378329145728642 stdev .18221905304181911048 after: mean 10.12654000000000000014 variance .04700556623115577889 stdev .21680767106160192064 The difference gets lost in the noise, but if the above is sensible, it's 0.07% slower. ;) -Kees -- Kees Cook Pixel Security