Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp99408pxk; Mon, 5 Oct 2020 19:20:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxgcvY4on35fo5sROySxEO+252uQ298Jyt5jgr0iD+YfHDOJJOxUmrMoJUtLlK+2kPI3Hl3 X-Received: by 2002:a17:906:4bc4:: with SMTP id x4mr2910358ejv.240.1601950806932; Mon, 05 Oct 2020 19:20:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601950806; cv=none; d=google.com; s=arc-20160816; b=A43RWVdB6PbPdSW9y5TsKdXGt5SruM8r3t3G41m7xsxxsqx2+aFvtdjD6LANmtLGTe FOJmt/cMJ+jVNNAIRX9zdfK6BpwwHujFls4TdIhsSfLsKU/b+BQxngRt3YQpGJZx5wGp zzsZ8eiTuVZZ2CkAq7+3uuQJw5Jd5yX6RsPwUcMqYGA291WAGbGdVtpyvF4a1VKzAoTY AyzDfmNZFlK9KMt4M1wv1ylWq177b11u9160R8XfAaehhk/6ksTR+tQImMOyRtBCGbrH odGnVsgv1z+BE+0u7f8EZWgnuolSatvfnxyjjlEuYoT5wYzTeSvUh/+aUZ9UL4iGHfEM MQhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=ifD/jW+MjbtS2EijgQAS4OITv0Z9zRA4cL1N04HQHu4=; b=W4zvI4nlR9a3K8hNbqgm09cMIiv3foU2AGQjdhnuuoNGcqJueZ5ssFeaZDd+KG5J8H up1z8iJQfmw6sjQNDyBxI/+uoHg9hcoRqZVu57+gl2FOI9S5LoXcOtoyyfG4VfgywZ// jMlbwBa/KzaGCfYN/MAgWWMlCn61ndeACPJ0IIVPXjVStq5gculUj1Z+3l4qAsjvqB+L 1FXuGOG7iVYRej7i6r7EjDgG5pdefRLXde3FLeWEsqsX0HpbApHoHNmptsBTx6/YreW6 JBMutKZyMJ7zHPwLjlfaEE1VuU4J0kjiqwGzWbHKBTdprFWI4bjGKjM0NAs5IoIAQ+Vy Y2MQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=VSSaWD0W; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v25si961487ejf.560.2020.10.05.19.19.43; Mon, 05 Oct 2020 19:20:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=VSSaWD0W; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725977AbgJFCQk (ORCPT + 99 others); Mon, 5 Oct 2020 22:16:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35700 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725870AbgJFCQk (ORCPT ); Mon, 5 Oct 2020 22:16:40 -0400 Received: from mail-ej1-x643.google.com (mail-ej1-x643.google.com [IPv6:2a00:1450:4864:20::643]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3D558C0613CE for ; Mon, 5 Oct 2020 19:16:40 -0700 (PDT) Received: by mail-ej1-x643.google.com with SMTP id md26so15180114ejb.10 for ; Mon, 05 Oct 2020 19:16:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ifD/jW+MjbtS2EijgQAS4OITv0Z9zRA4cL1N04HQHu4=; b=VSSaWD0WAT8lHVeaIEU8br+ZuZLpGvG3RSgyTiKVEHpRLj5caJa8VuxrOzMMZmi4/I +jc18B7Thyp3/FetZnGQgiu+3jGf71BUbdlYdfQ/sXkO4yIffJZxsNlUT3OTfTYc+V53 s/rD9zQmzH7e/+nYz+ii0l6JB/cgE0XhGNA8YvQrzBYVVZv+tfs+QQFQOzjgU6l2HxUK XgMhDW8lxfC88/jHL1K9CxVfkjKO7y42/ifl50NEIctn5atANq4PIvf9c4TvRkLRtmhv tnJm3J56L+FQTruYZN7URj8QELVaRv71JNVB9HeCWh34hlHaMpNzgxJKGO/gMn3MIfVk OgKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ifD/jW+MjbtS2EijgQAS4OITv0Z9zRA4cL1N04HQHu4=; b=LR63pMov0uDCeK1FK9/6D3MSBbxk2un/uhH3XGFKfRoggUqMCgCG80DRR0TvVwL6+1 5/zcMHQLCEUDf4NzAKY/k6WkGU+9S4ByVrjaHXWQ+2VOi+XDsoPhFSHZkA6im3z8+gml 57Fryk2Z1qqha+ZSCgRuZDc8nilbMsGuP6m9j5NuURYTpmch7VX7Yy59AdnlEB4gjal2 E8d79Xt0OwThhJge0tHym6+etdQLXq2PLsnOXiqdSU3XMmjJ+IUj6s4HhxtPWINBc6i6 LSyy0taBs4qCh+ah01AhtJi3WwfBXrwhfHpfToemnfyM1Kqb1jSiiaK28pshyZLuso9c k6JA== X-Gm-Message-State: AOAM5314Gml8NN3Q7TLvnw3aBMBYZsC0NeMO8r6f996OHqG/hqeGbGs3 5FJXWHye11Vfpphr573u1OQ/b8ktAbmlE+I2x765Eg== X-Received: by 2002:a17:906:fcae:: with SMTP id qw14mr2849150ejb.537.1601950598646; Mon, 05 Oct 2020 19:16:38 -0700 (PDT) MIME-Version: 1.0 References: <20200929183513.380760-1-alex.popov@linux.com> <91d564a6-9000-b4c5-15fd-8774b06f5ab0@linux.com> <20201006004414.GP20115@casper.infradead.org> <202010051905.62D79560@keescook> In-Reply-To: <202010051905.62D79560@keescook> From: Jann Horn Date: Tue, 6 Oct 2020 04:16:12 +0200 Message-ID: Subject: Re: [PATCH RFC v2 0/6] Break heap spraying needed for exploiting use-after-free To: Kees Cook Cc: Matthew Wilcox , Alexander Popov , Will Deacon , Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Masahiro Yamada , Masami Hiramatsu , Steven Rostedt , Peter Zijlstra , Krzysztof Kozlowski , Patrick Bellasi , David Howells , Eric Biederman , Johannes Weiner , Laura Abbott , Arnd Bergmann , Greg Kroah-Hartman , Daniel Micay , Andrey Konovalov , Pavel Machek , Valentin Schneider , kasan-dev , Linux-MM , Kernel Hardening , kernel list , notify@kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 6, 2020 at 4:09 AM Kees Cook wrote: > On Tue, Oct 06, 2020 at 01:44:14AM +0100, Matthew Wilcox wrote: > > On Tue, Oct 06, 2020 at 12:56:33AM +0200, Jann Horn wrote: > > > It seems to me like, if you want to make UAF exploitation harder at > > > the heap allocator layer, you could do somewhat more effective things > > > with a probably much smaller performance budget. Things like > > > preventing the reallocation of virtual kernel addresses with different > > > types, such that an attacker can only replace a UAF object with > > > another object of the same type. (That is not an idea I like very much > > > either, but I would like it more than this proposal.) (E.g. some > > > browsers implement things along those lines, I believe.) > > > > The slab allocator already has that functionality. We call it > > TYPESAFE_BY_RCU, but if forcing that on by default would enhance security > > by a measurable amount, it wouldn't be a terribly hard sell ... > > Isn't the "easy" version of this already controlled by slab_merge? (i.e. > do not share same-sized/flagged kmem_caches between different caches) Yes, but slab_merge still normally frees slab pages to the page allocator. > The large trouble are the kmalloc caches, which don't have types > associated with them. Having implicit kmem caches based on the type > being allocated there would need some pretty extensive plumbing, I > think? Well, a bit of plumbing, at least. You'd need to teach the compiler frontend to grab type names from sizeof() and stuff that type information somewhere, e.g. by generating an extra function argument referring to the type, or something like that. Could be as simple as a reference to a bss section variable that encodes the type in the name, and the linker already has the logic to automatically deduplicate those across compilation units - that way, on the compiler side, a pure frontend plugin might do the job?