Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752167AbdGRUEp (ORCPT ); Tue, 18 Jul 2017 16:04:45 -0400 Received: from mail-io0-f179.google.com ([209.85.223.179]:35012 "EHLO mail-io0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751837AbdGRUEn (ORCPT ); Tue, 18 Jul 2017 16:04:43 -0400 MIME-Version: 1.0 In-Reply-To: <1edb137c-356f-81d6-4592-f5dfc68e8ea9@linux.com> References: <1500309907-9357-1-git-send-email-alex.popov@linux.com> <20170717175459.GC14983@bombadil.infradead.org> <1edb137c-356f-81d6-4592-f5dfc68e8ea9@linux.com> From: Kees Cook Date: Tue, 18 Jul 2017 13:04:42 -0700 X-Google-Sender-Auth: v3vKdNYHW5Vnc_cxOv1pL6XiaJk Message-ID: Subject: Re: [PATCH 1/1] mm/slub.c: add a naive detection of double free or corruption To: Alexander Popov Cc: Christopher Lameter , Matthew Wilcox , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , LKML , "kernel-hardening@lists.openwall.com" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3302 Lines: 76 On Tue, Jul 18, 2017 at 12:56 PM, Alexander Popov wrote: > On 17.07.2017 22:11, Kees Cook wrote: >> On Mon, Jul 17, 2017 at 12:01 PM, Alexander Popov wrote: >>> Hello Christopher, >>> >>> Thanks for your reply. >>> >>> On 17.07.2017 21:04, Christopher Lameter wrote: >>>> On Mon, 17 Jul 2017, Matthew Wilcox wrote: >>>> >>>>> On Mon, Jul 17, 2017 at 07:45:07PM +0300, Alexander Popov wrote: >>>>>> Add an assertion similar to "fasttop" check in GNU C Library allocator: >>>>>> an object added to a singly linked freelist should not point to itself. >>>>>> That helps to detect some double free errors (e.g. CVE-2017-2636) without >>>>>> slub_debug and KASAN. Testing with hackbench doesn't show any noticeable >>>>>> performance penalty. >>>>> >>>>>> { >>>>>> + BUG_ON(object == fp); /* naive detection of double free or corruption */ >>>>>> *(void **)(object + s->offset) = fp; >>>>>> } >>>>> >>>>> Is BUG() the best response to this situation? If it's a corruption, then >>>>> yes, but if we spot a double-free, then surely we should WARN() and return >>>>> without doing anything? >>>> >>>> The double free debug checking already does the same thing in a more >>>> thourough way (this one only checks if the last free was the same >>>> address). So its duplicating a check that already exists. >>> >>> Yes, absolutely. Enabled slub_debug (or KASAN with its quarantine) can detect >>> more double-free errors. But it introduces much bigger performance penalty and >>> it's disabled by default. >>> >>>> However, this one is always on. >>> >>> Yes, I would propose to have this relatively cheap check enabled by default. I >>> think it will block a good share of double-free errors. Currently it's really >>> easy to turn such a double-free into use-after-free and exploit it, since, as I >>> wrote, next two kmalloc() calls return the same address. So we could make >>> exploiting harder for a relatively low price. >>> >>> Christopher, if I change BUG_ON() to VM_BUG_ON(), it will be disabled by default >>> again, right? >> >> Let's merge this with the proposed CONFIG_FREELIST_HARDENED, then the >> performance change is behind a config, and we gain the rest of the >> freelist protections at the same time: >> >> http://www.openwall.com/lists/kernel-hardening/2017/07/06/1 > > Hello Kees, > > If I change BUG_ON() to VM_BUG_ON(), this check will work at least on Fedora > since it has CONFIG_DEBUG_VM enabled. Debian based distros have this option > disabled. Do you like that more than having this check under > CONFIG_FREELIST_HARDENED? I think there are two issues: first, this should likely be under CONFIG_FREELIST_HARDENED since Christoph hasn't wanted to make these changes enabled by default (if I'm understanding his earlier review comments to me). The second issue is what to DO when a double-free is discovered. Is there any way to make it safe/survivable? If not, I think it should just be BUG_ON(). If it can be made safe, then likely a WARN_ONCE and do whatever is needed to prevent the double-free. > If you insist on putting this check under CONFIG_FREELIST_HARDENED, should I > rebase onto your patch and send again? That would be preferred for me -- I'd like to have both checks. :) -Kees -- Kees Cook Pixel Security