Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752346AbdGRT4b (ORCPT ); Tue, 18 Jul 2017 15:56:31 -0400 Received: from mail-lf0-f66.google.com ([209.85.215.66]:34159 "EHLO mail-lf0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751499AbdGRT43 (ORCPT ); Tue, 18 Jul 2017 15:56:29 -0400 Reply-To: alex.popov@linux.com Subject: Re: [PATCH 1/1] mm/slub.c: add a naive detection of double free or corruption To: Kees Cook Cc: Christopher Lameter , Matthew Wilcox , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , LKML , "kernel-hardening@lists.openwall.com" References: <1500309907-9357-1-git-send-email-alex.popov@linux.com> <20170717175459.GC14983@bombadil.infradead.org> From: Alexander Popov Message-ID: <1edb137c-356f-81d6-4592-f5dfc68e8ea9@linux.com> Date: Tue, 18 Jul 2017 22:56:23 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2602 Lines: 62 On 17.07.2017 22:11, Kees Cook wrote: > On Mon, Jul 17, 2017 at 12:01 PM, Alexander Popov wrote: >> Hello Christopher, >> >> Thanks for your reply. >> >> On 17.07.2017 21:04, Christopher Lameter wrote: >>> On Mon, 17 Jul 2017, Matthew Wilcox wrote: >>> >>>> On Mon, Jul 17, 2017 at 07:45:07PM +0300, Alexander Popov wrote: >>>>> Add an assertion similar to "fasttop" check in GNU C Library allocator: >>>>> an object added to a singly linked freelist should not point to itself. >>>>> That helps to detect some double free errors (e.g. CVE-2017-2636) without >>>>> slub_debug and KASAN. Testing with hackbench doesn't show any noticeable >>>>> performance penalty. >>>> >>>>> { >>>>> + BUG_ON(object == fp); /* naive detection of double free or corruption */ >>>>> *(void **)(object + s->offset) = fp; >>>>> } >>>> >>>> Is BUG() the best response to this situation? If it's a corruption, then >>>> yes, but if we spot a double-free, then surely we should WARN() and return >>>> without doing anything? >>> >>> The double free debug checking already does the same thing in a more >>> thourough way (this one only checks if the last free was the same >>> address). So its duplicating a check that already exists. >> >> Yes, absolutely. Enabled slub_debug (or KASAN with its quarantine) can detect >> more double-free errors. But it introduces much bigger performance penalty and >> it's disabled by default. >> >>> However, this one is always on. >> >> Yes, I would propose to have this relatively cheap check enabled by default. I >> think it will block a good share of double-free errors. Currently it's really >> easy to turn such a double-free into use-after-free and exploit it, since, as I >> wrote, next two kmalloc() calls return the same address. So we could make >> exploiting harder for a relatively low price. >> >> Christopher, if I change BUG_ON() to VM_BUG_ON(), it will be disabled by default >> again, right? > > Let's merge this with the proposed CONFIG_FREELIST_HARDENED, then the > performance change is behind a config, and we gain the rest of the > freelist protections at the same time: > > http://www.openwall.com/lists/kernel-hardening/2017/07/06/1 Hello Kees, If I change BUG_ON() to VM_BUG_ON(), this check will work at least on Fedora since it has CONFIG_DEBUG_VM enabled. Debian based distros have this option disabled. Do you like that more than having this check under CONFIG_FREELIST_HARDENED? If you insist on putting this check under CONFIG_FREELIST_HARDENED, should I rebase onto your patch and send again? Best regards, Alexander