Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp62089pxk; Mon, 5 Oct 2020 17:50:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwfOWoRudxC5SiYj4X1/IVlgo1jWyRlD2STQX360NjHyEbd7a4m+NbRMIuBoJOiop631/Wb X-Received: by 2002:aa7:c259:: with SMTP id y25mr2514658edo.249.1601945457459; Mon, 05 Oct 2020 17:50:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601945457; cv=none; d=google.com; s=arc-20160816; b=MSsGguxe8RYLDDTOOx1/W1qIqakSviZXqYOH+qUr3zABX1wsgPHOGmS2j8rFG5eDXJ OeoBxdPh67d1ZeCW89V1QIOGyNldNVZ2RBv0JU+Yhb0vEbAIkUBtc64Sq9fmGPFd329A hmEeitzavblub5yV2aPLL24vCZekY5NVg6aGs3WmcTepskFcOZ5n+asco7y71Q62itFS oHgODo4/iC2Qe5vSgRz11Ov/Kt52fxivPFMBIbTXRWm1nGvbrryz7Gukzntu0tQTkW7a Kkvyg1kzRE6JWu7uaAOgmAEgCUjHtNp5nGLaLwzHHpYKVBwnZZjBQTkbfKxbEUQA/TMX VQyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=DSqKb3Tej8m7nFeWjbSYdo/k6NG+xT3qX97daJHfAaE=; b=yx4mrBBn6SnShMhF6zUPq3ugQjkbY31hZoasj3y4PE0l5mKxxUR1vbgVCBmm8+NIUf mJyQ93/dxMgVif6vb41di73f63dNHYTRv9B8u/2ZutNnPfPfVK9Qzk4WORccMUq4m7BV bRMsAEAyvT2SY3s7sgMj+ADgzEh14CGpKDesGvrqmcLE1GdWEwzDW4CqTaXafWocq48H PGhkE/TbrHA+6bjFiKjBoIzVGs+5E3O+Z1Cj14XWurPyUE7jHSQ2SkfrVCguOsBsNPK8 KaCs3iZAdBsO6L0ytHKqgFFlO40VP9N98eKjXkiSMcYqbHAX0B+4wRIEmEKfbdKaWMVY uuNw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=deEOQpGo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dk1si862093ejb.556.2020.10.05.17.50.34; Mon, 05 Oct 2020 17:50:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=deEOQpGo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726766AbgJFAt3 (ORCPT + 99 others); Mon, 5 Oct 2020 20:49:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50588 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725865AbgJFAt2 (ORCPT ); Mon, 5 Oct 2020 20:49:28 -0400 Received: from mail-ed1-x541.google.com (mail-ed1-x541.google.com [IPv6:2a00:1450:4864:20::541]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 82362C0613CE for ; Mon, 5 Oct 2020 17:49:28 -0700 (PDT) Received: by mail-ed1-x541.google.com with SMTP id g4so11556990edk.0 for ; Mon, 05 Oct 2020 17:49:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DSqKb3Tej8m7nFeWjbSYdo/k6NG+xT3qX97daJHfAaE=; b=deEOQpGoKw7XNYSPULzK/Fx+6FgNXN/khjYZmJenTlrPkh3dV8pR9GRMbNMshg3WBV mIhmaC0prowNnpBBfAOgciFl8Aodl0rSQD0jjxo98zbVcb/lVK/w4xzZ8RH7ut5R65D4 8in1ydpN21OQa+pm2/egla8YAjlb0ivT9qFVlicuCHeu1OSW7e91KAVeVD8rfu51aRDF qMQv329ZsWOgNyP21r8aTq6vFJInOWaztNfk0KHDhN4hKlc+rb6zcKrDeoSYKitO8zvC oTJCmeqSuf2Nyq1UbdDB7JdyBRZqPMuxwo7izVmribdAB7jmHG8WWxh41wYQuF3rNl4g AM2g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DSqKb3Tej8m7nFeWjbSYdo/k6NG+xT3qX97daJHfAaE=; b=fHDJUrx432oux2k2hEh4eo/rxtaO15UzEPO29TOuszoz90vrwySu9GMMkzaCUCpxtk z8fP0vTHLeSAYOAnVVZCvrlDBKqCwNGyfXX1xEKcSqBmyraCY9pLHSPBvNAo023kcu2e 4PkioVOlaZATB8ySsdEIQcbeVDfLGviy9MwJmcqDWjyOs5wYGh1lbctoUXpUy7BvG518 1dB1nFc3CnFOH+fXUB6p8Emq/TZZL5x6hDnpTrJHfrkbi3WOXDW0CN1u1ZS/1Zc/8hZd RcaSsPwY1NavwCl/ntbd3WK52EdEcMSp1Oz8Hl9Bk53DWpXJrrbfQyIMWkLD0vZ3Pyge /8sg== X-Gm-Message-State: AOAM530wf49kUxsFH64xBR7ZAxICfal2p1K4x5go1X6LxW7B9Wpm+iUU 2cODR6NfAlGoOO/eKh0QtgMxPChKsu9c0F3nqUWtsA== X-Received: by 2002:a50:fe98:: with SMTP id d24mr2504183edt.223.1601945366080; Mon, 05 Oct 2020 17:49:26 -0700 (PDT) MIME-Version: 1.0 References: <20200929183513.380760-1-alex.popov@linux.com> <91d564a6-9000-b4c5-15fd-8774b06f5ab0@linux.com> <20201006004414.GP20115@casper.infradead.org> In-Reply-To: <20201006004414.GP20115@casper.infradead.org> From: Jann Horn Date: Tue, 6 Oct 2020 02:48:59 +0200 Message-ID: Subject: Re: [PATCH RFC v2 0/6] Break heap spraying needed for exploiting use-after-free To: Matthew Wilcox Cc: Alexander Popov , Kees Cook , Will Deacon , Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Masahiro Yamada , Masami Hiramatsu , Steven Rostedt , Peter Zijlstra , Krzysztof Kozlowski , Patrick Bellasi , David Howells , Eric Biederman , Johannes Weiner , Laura Abbott , Arnd Bergmann , Greg Kroah-Hartman , Daniel Micay , Andrey Konovalov , Pavel Machek , Valentin Schneider , kasan-dev , Linux-MM , Kernel Hardening , kernel list , notify@kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 6, 2020 at 2:44 AM Matthew Wilcox wrote: > On Tue, Oct 06, 2020 at 12:56:33AM +0200, Jann Horn wrote: > > It seems to me like, if you want to make UAF exploitation harder at > > the heap allocator layer, you could do somewhat more effective things > > with a probably much smaller performance budget. Things like > > preventing the reallocation of virtual kernel addresses with different > > types, such that an attacker can only replace a UAF object with > > another object of the same type. (That is not an idea I like very much > > either, but I would like it more than this proposal.) (E.g. some > > browsers implement things along those lines, I believe.) > > The slab allocator already has that functionality. We call it > TYPESAFE_BY_RCU, but if forcing that on by default would enhance security > by a measurable amount, it wouldn't be a terribly hard sell ... TYPESAFE_BY_RCU just forces an RCU grace period before the reallocation; I'm thinking of something more drastic, like completely refusing to give back the memory, or using vmalloc for slabs where that's safe (reusing physical but not virtual addresses across types). And, to make it more effective, something like a compiler plugin to isolate kmalloc(sizeof()) allocations by type beyond just size classes.