Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752614AbdGFNnZ (ORCPT <rfc822;w@1wt.eu>);
        Thu, 6 Jul 2017 09:43:25 -0400
Received: from resqmta-ch2-09v.sys.comcast.net ([69.252.207.41]:53644 "EHLO
        resqmta-ch2-09v.sys.comcast.net" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1752418AbdGFNnY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 6 Jul 2017 09:43:24 -0400
Date: Thu, 6 Jul 2017 08:43:19 -0500 (CDT)
From: Christoph Lameter <cl@linux.com>
X-X-Sender: cl@east.gentwo.org
To: Kees Cook <keescook@chromium.org>
cc: Andrew Morton <akpm@linux-foundation.org>,
        Pekka Enberg <penberg@kernel.org>,
        David Rientjes <rientjes@google.com>,
        Joonsoo Kim <iamjoonsoo.kim@lge.com>,
        "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
        Ingo Molnar <mingo@kernel.org>, Josh Triplett <josh@joshtriplett.org>,
        Andy Lutomirski <luto@kernel.org>,
        Nicolas Pitre <nicolas.pitre@linaro.org>, Tejun Heo <tj@kernel.org>,
        Daniel Mack <daniel@zonque.org>,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
        Helge Deller <deller@gmx.de>, Rik van Riel <riel@redhat.com>,
        linux-mm@kvack.org, Tycho Andersen <tycho@docker.com>,
        linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation
In-Reply-To: <20170706002718.GA102852@beast>
Message-ID: <alpine.DEB.2.20.1707060841170.23867@east.gentwo.org>
References: <20170706002718.GA102852@beast>
Content-Type: text/plain; charset=US-ASCII
X-CMAE-Envelope: MS4wfPCGde2bRIH5d5RjcJ7WAA2tUCjBhJUVB2WidpzcqLZYP6/05WHSEIk31rOfdK1lrQkusxf9LFcb4/hLfwyPc50BMeXUB95sflkw79eQY+uaKjWqA55X
 8YRiIsDJ8ORZy0dUL0WXwWatVDYRXdC1Kg48gVYAxUFbYx9sqH/+5UdW1xdzjfoeyr/tjFbc+XTLL+tDbQ0t3mGUSBAiOPRSZlPp0jC1T/hRvHhHdtcQ7Iom
 Nml3EaHZDEHXyvQ7NFrHKVOpdXCMsZ/DbCwmykYZg3fqOyeQUzCs6Qt5cNTsEBY7FP13su8eVLVX2rjg+zJT9YpznPZZfYBSnAAMaWD9OhGD/cPjoZODshuN
 J7k9DU2ohHwSOubQ16ndJEbPu5ENpQOJu6iyU/REvPnmegrwwSbKhKAvA3/r2AG3U1VEE/1mCJGuLV0dO/9iHV5ZcyarpAYJPsj6lmimCaNjAdVy7+4xheg1
 cPNHV749aNnSjOmjwYo9XZJXqHi8SvUgDCTapMvosCKMXKB0N9W+Yh55gdJR5A84FxnYS5hOIjudKWZDhuWf4rRY2Twkby03/KlNJYpr6hirJziXGv6MfGnC
 uJQxhZV0BulHLxeHDZyhuEtXL7v83YXFHd6rumV2yVuq0j66DsV69S+pC27tK3po0mCglSpq1DfXxjxlIA9A1XL4KqifLrurhvIOFjQ/XvJ6a5wX71I2RJaV
 kvbtW9BC1x6T3PI2fa5KuURU4oBrfpjp79pY1uxapTXwwxJDDORuUNHMTC7I0GcHoc9YghZnjwY=
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 847
Lines: 23

On Wed, 5 Jul 2017, Kees Cook wrote:

> @@ -3536,6 +3565,9 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags)
>  {
>  	s->flags = kmem_cache_flags(s->size, flags, s->name, s->ctor);
>  	s->reserved = 0;
> +#ifdef CONFIG_SLAB_FREELIST_HARDENED
> +	s->random = get_random_long();
> +#endif
>
>  	if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU))
>  		s->reserved = sizeof(struct rcu_head);
>

So if an attacker knows the internal structure of data then he can simply
dereference page->kmem_cache->random to decode the freepointer.

Assuming someone is already targeting a freelist pointer (which indicates
detailed knowledge of the internal structure) then I would think that
someone like that will also figure out how to follow the pointer links to
get to the random value.

Not seeing the point of all of this.