From: Andrey Konovalov
Date: Mon, 17 Aug 2020 13:53:51 +0200
Subject: Re: [PATCH RFC 1/2] mm: Extract SLAB_QUARANTINE from KASAN
To: Kees Cook, Alexander Popov
Cc: Jann Horn, Will Deacon, Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Masahiro Yamada, Masami Hiramatsu, Steven Rostedt, Peter Zijlstra, Krzysztof Kozlowski, Patrick Bellasi, David Howells, Eric Biederman, Johannes Weiner, Laura Abbott, Arnd Bergmann, Greg Kroah-Hartman, kasan-dev, Linux Memory Management List, kernel-hardening@lists.openwall.com, LKML, notify@kernel.org
In-Reply-To: <202008150939.A994680@keescook>
References: <20200813151922.1093791-1-alex.popov@linux.com> <20200813151922.1093791-2-alex.popov@linux.com> <202008150939.A994680@keescook>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Aug 15, 2020 at 6:52 PM Kees Cook wrote:
>
> On Thu, Aug 13, 2020 at 06:19:21PM +0300, Alexander Popov wrote:
> > Heap spraying is an exploitation technique that aims to put controlled
> > bytes at a predetermined memory location on the heap. Heap spraying for
> > exploiting use-after-free in the Linux kernel relies on the fact that on
> > kmalloc(), the slab allocator returns the address of the memory that was
> > recently freed. Allocating a kernel object with the same size and
> > controlled contents allows overwriting the vulnerable freed object.
> >
> > Let's extract slab freelist quarantine from KASAN functionality and
> > call it CONFIG_SLAB_QUARANTINE. This feature breaks the widespread heap
> > spraying technique used for exploiting use-after-free vulnerabilities
> > in the kernel code.
> >
> > If this feature is enabled, freed allocations are stored in the quarantine
> > and can't be instantly reallocated and overwritten by the exploit
> > performing heap spraying.
>
> [...]
>
> In doing this extraction, I wonder if function naming should be changed?
> If it's going to live a new life outside of KASAN proper, maybe call
> these functions quarantine_cache_*()? But perhaps that's too much
> churn...

If quarantine is to be used without the rest of KASAN, I'd prefer for it
to be separated from KASAN completely: move to e.g. mm/quarantine.c and
don't mention KASAN in function/config names.
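A toy model of the allocator behaviour the quoted commit message describes (a fresh allocation gets the most recently freed slot) with a FIFO quarantine placed in front of the freelist, showing that the quarantine depth decides how many further frees must happen before a freed slot can be handed out again. This is an added example, not kernel code and not part of this thread; NSLOTS, QUARANTINE and the function names are constructed.

```c
#include <stdbool.h>
/* Toy slab cache (constructed model, not kernel code): fixed-size slots on a
 * LIFO freelist, so a fresh allocation gets the most recently freed slot.
 * Optionally a FIFO quarantine of QUARANTINE slots sits in front of it. */
#define NSLOTS     8
#define QUARANTINE 4
static int  freelist[NSLOTS], nfree;              /* stack, top = last freed */
static int  quarantine[QUARANTINE], qhead, qlen;  /* ring of held-back slots */
static bool quarantine_on;

void cache_init(bool with_quarantine)
{
    nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        freelist[nfree++] = i;                    /* slot 0 ends up on top */
    qhead = qlen = 0;
    quarantine_on = with_quarantine;
}

int cache_alloc(void)
{
    return nfree ? freelist[--nfree] : -1;        /* -1: cache exhausted */
}

void cache_free(int slot)
{
    if (!quarantine_on) {
        freelist[nfree++] = slot;                 /* next alloc gets it back */
        return;
    }
    if (qlen == QUARANTINE) {                     /* ring full: oldest rejoins freelist */
        freelist[nfree++] = quarantine[qhead];
        qhead = (qhead + 1) % QUARANTINE;
        qlen--;
    }
    quarantine[(qhead + qlen) % QUARANTINE] = slot;
    qlen++;
}

/* Free one object, then allocate/free others until the victim slot comes back.
 * Returns how many further frees that took; 0 means the very next allocation
 * landed on the freed object, which is what the quarantine prevents. */
int frees_until_reuse(bool with_quarantine)
{
    cache_init(with_quarantine);
    int victim = cache_alloc(), frees = 0;
    cache_free(victim);
    for (int other; (other = cache_alloc()) != victim && other >= 0; frees++)
        cache_free(other);
    return frees;
}
```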