Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751768AbdG0WtC (ORCPT ); Thu, 27 Jul 2017 18:49:02 -0400 Received: from mail-lf0-f65.google.com ([209.85.215.65]:34111 "EHLO mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751678AbdG0WtB (ORCPT ); Thu, 27 Jul 2017 18:49:01 -0400 Reply-To: alex.popov@linux.com Subject: Re: [v3] mm: Add SLUB free list pointer obfuscation To: Christopher Lameter , Kees Cook Cc: Andrew Morton , Pekka Enberg , David Rientjes , Joonsoo Kim , "Paul E. McKenney" , Ingo Molnar , Josh Triplett , Andy Lutomirski , Nicolas Pitre , Tejun Heo , Daniel Mack , Sebastian Andrzej Siewior , Sergey Senozhatsky , Helge Deller , Rik van Riel , Linux-MM , Tycho Andersen , LKML , "kernel-hardening@lists.openwall.com" , alex.popov@linux.com References: <20170706002718.GA102852@beast> From: Alexander Popov Message-ID: <515333f5-1815-8591-503e-c0cf6941670e@linux.com> Date: Fri, 28 Jul 2017 01:48:56 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1146 Lines: 32 Hello Christopher and Kees, On 26.07.2017 19:55, Christopher Lameter wrote: > On Wed, 26 Jul 2017, Kees Cook wrote: > >>>> What happens if, instead of BUG_ON, we do: >>>> >>>> if (unlikely(WARN_RATELIMIT(object == fp, "double-free detected")) >>>> return; >>> >>> This may work for the free fastpath but the set_freepointer function is >>> use in multiple other locations. Maybe just add this to the fastpath >>> instead of to this fucnction? >> >> Do you mean do_slab_free()? > > Yes inserting these lines into do_slab_free() would simple ignore the > double free operation in the fast path and that would be safe. I don't really like ignoring double-free. I think, that: - it will hide dangerous bugs in the kernel, - it can make some kernel exploits more stable. I would rather add BUG_ON to set_freepointer() behind SLAB_FREELIST_HARDENED. Is it fine? At the same time avoiding the consequences of some double-free errors is better than not doing that. It may be considered as kernel "self-healing", I don't know. I can prepare a second patch for do_slab_free(), as you described. Would you like it? Best regards, Alexander