Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752614AbdGFNnZ (ORCPT ); Thu, 6 Jul 2017 09:43:25 -0400 Received: from resqmta-ch2-09v.sys.comcast.net ([69.252.207.41]:53644 "EHLO resqmta-ch2-09v.sys.comcast.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752418AbdGFNnY (ORCPT ); Thu, 6 Jul 2017 09:43:24 -0400 Date: Thu, 6 Jul 2017 08:43:19 -0500 (CDT) From: Christoph Lameter X-X-Sender: cl@east.gentwo.org To: Kees Cook cc: Andrew Morton , Pekka Enberg , David Rientjes , Joonsoo Kim , "Paul E. McKenney" , Ingo Molnar , Josh Triplett , Andy Lutomirski , Nicolas Pitre , Tejun Heo , Daniel Mack , Sebastian Andrzej Siewior , Sergey Senozhatsky , Helge Deller , Rik van Riel , linux-mm@kvack.org, Tycho Andersen , linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation In-Reply-To: <20170706002718.GA102852@beast> Message-ID: References: <20170706002718.GA102852@beast> Content-Type: text/plain; charset=US-ASCII X-CMAE-Envelope: MS4wfPCGde2bRIH5d5RjcJ7WAA2tUCjBhJUVB2WidpzcqLZYP6/05WHSEIk31rOfdK1lrQkusxf9LFcb4/hLfwyPc50BMeXUB95sflkw79eQY+uaKjWqA55X 8YRiIsDJ8ORZy0dUL0WXwWatVDYRXdC1Kg48gVYAxUFbYx9sqH/+5UdW1xdzjfoeyr/tjFbc+XTLL+tDbQ0t3mGUSBAiOPRSZlPp0jC1T/hRvHhHdtcQ7Iom Nml3EaHZDEHXyvQ7NFrHKVOpdXCMsZ/DbCwmykYZg3fqOyeQUzCs6Qt5cNTsEBY7FP13su8eVLVX2rjg+zJT9YpznPZZfYBSnAAMaWD9OhGD/cPjoZODshuN J7k9DU2ohHwSOubQ16ndJEbPu5ENpQOJu6iyU/REvPnmegrwwSbKhKAvA3/r2AG3U1VEE/1mCJGuLV0dO/9iHV5ZcyarpAYJPsj6lmimCaNjAdVy7+4xheg1 cPNHV749aNnSjOmjwYo9XZJXqHi8SvUgDCTapMvosCKMXKB0N9W+Yh55gdJR5A84FxnYS5hOIjudKWZDhuWf4rRY2Twkby03/KlNJYpr6hirJziXGv6MfGnC uJQxhZV0BulHLxeHDZyhuEtXL7v83YXFHd6rumV2yVuq0j66DsV69S+pC27tK3po0mCglSpq1DfXxjxlIA9A1XL4KqifLrurhvIOFjQ/XvJ6a5wX71I2RJaV kvbtW9BC1x6T3PI2fa5KuURU4oBrfpjp79pY1uxapTXwwxJDDORuUNHMTC7I0GcHoc9YghZnjwY= Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 847 Lines: 23 On Wed, 5 Jul 2017, Kees Cook wrote: > @@ -3536,6 +3565,9 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags) > { > s->flags = kmem_cache_flags(s->size, flags, s->name, s->ctor); > s->reserved = 0; > +#ifdef CONFIG_SLAB_FREELIST_HARDENED > + s->random = get_random_long(); > +#endif > > if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU)) > s->reserved = sizeof(struct rcu_head); > So if an attacker knows the internal structure of data then he can simply dereference page->kmem_cache->random to decode the freepointer. Assuming someone is already targeting a freelist pointer (which indicates detailed knowledge of the internal structure) then I would think that someone like that will also figure out how to follow the pointer links to get to the random value. Not seeing the point of all of this.