Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752058AbdGFPzo (ORCPT ); Thu, 6 Jul 2017 11:55:44 -0400 Received: from resqmta-ch2-09v.sys.comcast.net ([69.252.207.41]:57128 "EHLO resqmta-ch2-09v.sys.comcast.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750970AbdGFPzn (ORCPT ); Thu, 6 Jul 2017 11:55:43 -0400 Date: Thu, 6 Jul 2017 10:55:39 -0500 (CDT) From: Christoph Lameter X-X-Sender: cl@east.gentwo.org To: Kees Cook cc: Andrew Morton , Pekka Enberg , David Rientjes , Joonsoo Kim , "Paul E. McKenney" , Ingo Molnar , Josh Triplett , Andy Lutomirski , Nicolas Pitre , Tejun Heo , Daniel Mack , Sebastian Andrzej Siewior , Sergey Senozhatsky , Helge Deller , Rik van Riel , Linux-MM , Tycho Andersen , LKML , "kernel-hardening@lists.openwall.com" Subject: Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation In-Reply-To: Message-ID: References: <20170706002718.GA102852@beast> Content-Type: text/plain; charset=US-ASCII X-CMAE-Envelope: MS4wfCJy9fsODvcDRy/bc8pvBvDjAEmEd9WvL+na16e09CRFdIYeeG4qVvuCQimvShlEU/DqYbMSavNRmxLAXjz2rO7j1eSud2uTr3NL/eEDlcXefgKWE1Uh j2wkrhb1LAr05PxSkzF+a1it66db9/AbQ4OPttv+ctErcoqqhQutOLAD9rj3Yh7yy/TkGmbv+zpiJA3x8XCMP/5jBMU7xTZNmKJaAqsJNmq1r+Z4iSuhL8R7 /J7NU8LIH+poAMm+PPEmOdrHRdQPTqWHVvZZOOEB8cuEjhozziIkE3KaoC7g2hXa7AQMoj1v8uSxbZGVTv8Zdy9y0ljLOhFnYnf64DIB/KyVislA7+4CHhn/ jtClpFVBw/pN6cusgdnYggNLRgJZ86KCZK2pp8MFUSrPMycF4pIhLcROwfKEF3ab+ovl3B/e8VVLdtM4EEbuKuh2ZCg6T+QWY/ftv1Jw7AfXdpVp/PninMKo gUCd6rtnmUROWnoT755Ormq/1NVFZzQGsbmY11MfrBuXo00zYuvHMOZb0uh38A4NKK5WM5cK9SS13GUaP5aXlMgDuHDer374bGv7h/SDLZqVex0IucDTffHo JpojDRp3RixxxujRHdAioxGpORQ/W1fnkVAs9gEd3Nwxr7wauA4EkJZz+O8nt+RQtGH+W6Mq0YPVoIS5xQI79abcIZxFvWHDaxihxYjNUI57NWtukKTjtB+W 5O+v9NrnEjgoFNAfPP0gd3a7bt5lNw8DTNo7BxDKWCVQ+l2dyQ3YR0+DtSxDSsK7Evg2coU7vm4= Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1637 Lines: 38 On Thu, 6 Jul 2017, Kees Cook wrote: > On Thu, Jul 6, 2017 at 6:43 AM, Christoph Lameter wrote: > > On Wed, 5 Jul 2017, Kees Cook wrote: > > > >> @@ -3536,6 +3565,9 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags) > >> { > >> s->flags = kmem_cache_flags(s->size, flags, s->name, s->ctor); > >> s->reserved = 0; > >> +#ifdef CONFIG_SLAB_FREELIST_HARDENED > >> + s->random = get_random_long(); > >> +#endif > >> > >> if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU)) > >> s->reserved = sizeof(struct rcu_head); > >> > > > > So if an attacker knows the internal structure of data then he can simply > > dereference page->kmem_cache->random to decode the freepointer. > > That requires a series of arbitrary reads. This is protecting against > attacks that use an adjacent slab object write overflow to write the > freelist pointer. This internal structure is very reliable, and has > been the basis of freelist attacks against the kernel for a decade. These reads are not arbitrary. You can usually calculate the page struct address easily from the address and then do a couple of loads to get there. Ok so you get rid of the old attacks because we did not have that hardening in effect when they designed their approaches? > It is a probabilistic defense, but then so is the stack protector. > This is a similar defense; while not perfect it makes the class of > attack much more difficult to mount. Na I am not convinced of the "much more difficult". Maybe they will just have to upgrade their approaches to fetch the proper values to decode.