Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753203AbdGSIjL (ORCPT ); Wed, 19 Jul 2017 04:39:11 -0400 Received: from mail-lf0-f68.google.com ([209.85.215.68]:35108 "EHLO mail-lf0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752070AbdGSIjI (ORCPT ); Wed, 19 Jul 2017 04:39:08 -0400 Reply-To: alex.popov@linux.com Subject: Re: [PATCH 1/1] mm/slub.c: add a naive detection of double free or corruption To: Kees Cook Cc: Christopher Lameter , Matthew Wilcox , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , LKML , "kernel-hardening@lists.openwall.com" References: <1500309907-9357-1-git-send-email-alex.popov@linux.com> <20170717175459.GC14983@bombadil.infradead.org> <1edb137c-356f-81d6-4592-f5dfc68e8ea9@linux.com> From: Alexander Popov Message-ID: <5f0ec56c-5cf1-58f7-5652-a5caedf3df88@linux.com> Date: Wed, 19 Jul 2017 11:38:57 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2091 Lines: 49 On 18.07.2017 23:04, Kees Cook wrote: > On Tue, Jul 18, 2017 at 12:56 PM, Alexander Popov wrote: >> On 17.07.2017 22:11, Kees Cook wrote: >>> Let's merge this with the proposed CONFIG_FREELIST_HARDENED, then the >>> performance change is behind a config, and we gain the rest of the >>> freelist protections at the same time: >>> >>> http://www.openwall.com/lists/kernel-hardening/2017/07/06/1 >> >> Hello Kees, >> >> If I change BUG_ON() to VM_BUG_ON(), this check will work at least on Fedora >> since it has CONFIG_DEBUG_VM enabled. Debian based distros have this option >> disabled. Do you like that more than having this check under >> CONFIG_FREELIST_HARDENED? > > I think there are two issues: first, this should likely be under > CONFIG_FREELIST_HARDENED since Christoph hasn't wanted to make these > changes enabled by default (if I'm understanding his earlier review > comments to me). Ok, I'll rebase onto FREELIST_HARDENED and test it all together. > The second issue is what to DO when a double-free is > discovered. Is there any way to make it safe/survivable? If not, I > think it should just be BUG_ON(). If it can be made safe, then likely > a WARN_ONCE and do whatever is needed to prevent the double-free. Please correct me if I'm wrong. It seems to me that double-free is a dangerous situation that indicates some serious kernel bug (which might be maliciously exploited). So I would not trust / rely on the process which experiences a double-free error in the kernel mode. But I guess the reaction to it should depend on the Linux kernel policy of handling faults. Is it defined explicitly? Anyway, if we try to mitigate the effect from a double-free error _here_ (for example, skip putting the duplicated object to the freelist), I think we should do the same for other cases of double-free and memory corruptions. >> If you insist on putting this check under CONFIG_FREELIST_HARDENED, should I >> rebase onto your patch and send again? > > That would be preferred for me -- I'd like to have both checks. :) Ok. Best regards, Alexander