Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751796AbdG0POW (ORCPT ); Thu, 27 Jul 2017 11:14:22 -0400 Received: from resqmta-po-05v.sys.comcast.net ([96.114.154.164]:48068 "EHLO resqmta-po-05v.sys.comcast.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751509AbdG0POV (ORCPT ); Thu, 27 Jul 2017 11:14:21 -0400 Date: Thu, 27 Jul 2017 10:14:18 -0500 (CDT) From: Christopher Lameter X-X-Sender: cl@nuc-kabylake To: Kees Cook cc: Andrew Morton , Pekka Enberg , David Rientjes , Joonsoo Kim , "Paul E. McKenney" , Ingo Molnar , Tejun Heo , Andy Lutomirski , Nicolas Pitre , linux-mm@kvack.org, Rik van Riel , Tycho Andersen , Alexander Popov , linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: Re: [PATCH v4] mm: Add SLUB free list pointer obfuscation In-Reply-To: <20170726041250.GA76741@beast> Message-ID: References: <20170726041250.GA76741@beast> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-CMAE-Envelope: MS4wfKO/++IL1cY3czjHwsafluR7W5m2r5A2reR/N14JPQ5FboatMN/Mp4FuRt9ZawG1PJI+CSJiEU436Z7v5goZ30XrrHdLaXQMPrHKmED9czoihXWpsV4P MHje+56k6ICqw7/7D++xuvaDWzgn/PRQan/p0Bi89qCtvZdwsfA2tX+D/Kkc35FcHYhoE/neT9IT1bIHPtEtdDgl07kCUKZfFH5pXUc3lP2qkqBLE5Ws2Ily JowvUiQMocFZx2AVebif9KB37xsujguYlf4qi0WudQoxv9CB7gGfFUaCFD2kUuaktNpEgEYiOPZUYir/3CFCLifMZqYZW4d+AEfWbVr4OxswqvB7P9VT0K9r Q45in8pmsR8t/YXGyQBIGtGNq7V6qB2QwtZ4gFhrFfVmAri5uxZ7lzagjZPpFZEKF3+fBLKI9aIMf9gTe4DFmK0xA3GVozwvYKUXL77kihkZbNWe5DRVjkp1 8lGZhfzsubLUREJaXM8XVLeDVBevR+nOFPXfHyuLThUW6nBbDXpz4OHptpVzi5ovRF63bXPqvkEQEV4vj1kAdcpbIvO0v51b9ATOwNJy7ErDgbjN4bmRQL5f 91Ma1rV7yVC/x6XtdPg7iaM7tj/V+OWegp1ogDY/gqnxNj1apCvVKmC0fvyVk5gqA+k= Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2121 Lines: 63 On Tue, 25 Jul 2017, Kees Cook wrote: > +/* > + * Returns freelist pointer (ptr). With hardening, this is obfuscated > + * with an XOR of the address where the pointer is held and a per-cache > + * random number. > + */ > +static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr, > + unsigned long ptr_addr) > +{ > +#ifdef CONFIG_SLAB_FREELIST_HARDENED > + return (void *)((unsigned long)ptr ^ s->random ^ ptr_addr); > +#else > + return ptr; > +#endif > +} Weird function. Why pass both the pointer as well as the address of the pointer? The address of the pointer would be sufficient I think. Compiler can optimize the refs on its own. OK ptr_addr is really the obfuscation value. Maybe a bit confusing to call this ptr_addr and also pass this as a long. xor_value? If it is a pointer address the it should be void ** or so. > static inline void *get_freepointer_safe(struct kmem_cache *s, void *object) > { > + unsigned long freepointer_addr; > void *p; > > if (!debug_pagealloc_enabled()) > return get_freepointer(s, object); > > - probe_kernel_read(&p, (void **)(object + s->offset), sizeof(p)); > - return p; > + freepointer_addr = (unsigned long)object + s->offset; converts the void ** to unsigned long.... which requires another cast in the following line. > + probe_kernel_read(&p, (void **)freepointer_addr, sizeof(p)); > + return freelist_ptr(s, p, freepointer_addr); > } > > static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp) > { > - *(void **)(object + s->offset) = fp; > + unsigned long freeptr_addr = (unsigned long)object + s->offset; > + > + *(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr); > } > > /* Loop over all objects in a slab */ > @@ -3563,6 +3592,9 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags) > { > s->flags = kmem_cache_flags(s->size, flags, s->name, s->ctor); > s->reserved = 0; > +#ifdef CONFIG_SLAB_FREELIST_HARDENED > + s->random = get_random_long(); > +#endif > > if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU)) > s->reserved = sizeof(struct rcu_head); >