Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp99408pxk;
        Mon, 5 Oct 2020 19:20:07 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxgcvY4on35fo5sROySxEO+252uQ298Jyt5jgr0iD+YfHDOJJOxUmrMoJUtLlK+2kPI3Hl3
X-Received: by 2002:a17:906:4bc4:: with SMTP id x4mr2910358ejv.240.1601950806932;
        Mon, 05 Oct 2020 19:20:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1601950806; cv=none;
        d=google.com; s=arc-20160816;
        b=A43RWVdB6PbPdSW9y5TsKdXGt5SruM8r3t3G41m7xsxxsqx2+aFvtdjD6LANmtLGTe
         FOJmt/cMJ+jVNNAIRX9zdfK6BpwwHujFls4TdIhsSfLsKU/b+BQxngRt3YQpGJZx5wGp
         zzsZ8eiTuVZZ2CkAq7+3uuQJw5Jd5yX6RsPwUcMqYGA291WAGbGdVtpyvF4a1VKzAoTY
         AyzDfmNZFlK9KMt4M1wv1ylWq177b11u9160R8XfAaehhk/6ksTR+tQImMOyRtBCGbrH
         odGnVsgv1z+BE+0u7f8EZWgnuolSatvfnxyjjlEuYoT5wYzTeSvUh/+aUZ9UL4iGHfEM
         MQhw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=ifD/jW+MjbtS2EijgQAS4OITv0Z9zRA4cL1N04HQHu4=;
        b=W4zvI4nlR9a3K8hNbqgm09cMIiv3foU2AGQjdhnuuoNGcqJueZ5ssFeaZDd+KG5J8H
         up1z8iJQfmw6sjQNDyBxI/+uoHg9hcoRqZVu57+gl2FOI9S5LoXcOtoyyfG4VfgywZ//
         jMlbwBa/KzaGCfYN/MAgWWMlCn61ndeACPJ0IIVPXjVStq5gculUj1Z+3l4qAsjvqB+L
         1FXuGOG7iVYRej7i6r7EjDgG5pdefRLXde3FLeWEsqsX0HpbApHoHNmptsBTx6/YreW6
         JBMutKZyMJ7zHPwLjlfaEE1VuU4J0kjiqwGzWbHKBTdprFWI4bjGKjM0NAs5IoIAQ+Vy
         Y2MQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=VSSaWD0W;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v25si961487ejf.560.2020.10.05.19.19.43;
        Mon, 05 Oct 2020 19:20:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=VSSaWD0W;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725977AbgJFCQk (ORCPT <rfc822;zzmahb@gmail.com> + 99 others);
        Mon, 5 Oct 2020 22:16:40 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35700 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725870AbgJFCQk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 5 Oct 2020 22:16:40 -0400
Received: from mail-ej1-x643.google.com (mail-ej1-x643.google.com [IPv6:2a00:1450:4864:20::643])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3D558C0613CE
        for <linux-kernel@vger.kernel.org>; Mon,  5 Oct 2020 19:16:40 -0700 (PDT)
Received: by mail-ej1-x643.google.com with SMTP id md26so15180114ejb.10
        for <linux-kernel@vger.kernel.org>; Mon, 05 Oct 2020 19:16:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=ifD/jW+MjbtS2EijgQAS4OITv0Z9zRA4cL1N04HQHu4=;
        b=VSSaWD0WAT8lHVeaIEU8br+ZuZLpGvG3RSgyTiKVEHpRLj5caJa8VuxrOzMMZmi4/I
         +jc18B7Thyp3/FetZnGQgiu+3jGf71BUbdlYdfQ/sXkO4yIffJZxsNlUT3OTfTYc+V53
         s/rD9zQmzH7e/+nYz+ii0l6JB/cgE0XhGNA8YvQrzBYVVZv+tfs+QQFQOzjgU6l2HxUK
         XgMhDW8lxfC88/jHL1K9CxVfkjKO7y42/ifl50NEIctn5atANq4PIvf9c4TvRkLRtmhv
         tnJm3J56L+FQTruYZN7URj8QELVaRv71JNVB9HeCWh34hlHaMpNzgxJKGO/gMn3MIfVk
         OgKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=ifD/jW+MjbtS2EijgQAS4OITv0Z9zRA4cL1N04HQHu4=;
        b=LR63pMov0uDCeK1FK9/6D3MSBbxk2un/uhH3XGFKfRoggUqMCgCG80DRR0TvVwL6+1
         5/zcMHQLCEUDf4NzAKY/k6WkGU+9S4ByVrjaHXWQ+2VOi+XDsoPhFSHZkA6im3z8+gml
         57Fryk2Z1qqha+ZSCgRuZDc8nilbMsGuP6m9j5NuURYTpmch7VX7Yy59AdnlEB4gjal2
         E8d79Xt0OwThhJge0tHym6+etdQLXq2PLsnOXiqdSU3XMmjJ+IUj6s4HhxtPWINBc6i6
         LSyy0taBs4qCh+ah01AhtJi3WwfBXrwhfHpfToemnfyM1Kqb1jSiiaK28pshyZLuso9c
         k6JA==
X-Gm-Message-State: AOAM5314Gml8NN3Q7TLvnw3aBMBYZsC0NeMO8r6f996OHqG/hqeGbGs3
        5FJXWHye11Vfpphr573u1OQ/b8ktAbmlE+I2x765Eg==
X-Received: by 2002:a17:906:fcae:: with SMTP id qw14mr2849150ejb.537.1601950598646;
 Mon, 05 Oct 2020 19:16:38 -0700 (PDT)
MIME-Version: 1.0
References: <20200929183513.380760-1-alex.popov@linux.com> <91d564a6-9000-b4c5-15fd-8774b06f5ab0@linux.com>
 <CAG48ez1tNU_7n8qtnxTYZ5qt-upJ81Fcb0P2rZe38ARK=iyBkA@mail.gmail.com>
 <20201006004414.GP20115@casper.infradead.org> <202010051905.62D79560@keescook>
In-Reply-To: <202010051905.62D79560@keescook>
From:   Jann Horn <jannh@google.com>
Date:   Tue, 6 Oct 2020 04:16:12 +0200
Message-ID: <CAG48ez19ecXyqz+GZVsqqM73WZo7tNL4F7Q1vTTP6QG75NaWKw@mail.gmail.com>
Subject: Re: [PATCH RFC v2 0/6] Break heap spraying needed for exploiting use-after-free
To:     Kees Cook <keescook@chromium.org>
Cc:     Matthew Wilcox <willy@infradead.org>,
        Alexander Popov <alex.popov@linux.com>,
        Will Deacon <will@kernel.org>,
        Andrey Ryabinin <aryabinin@virtuozzo.com>,
        Alexander Potapenko <glider@google.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Christoph Lameter <cl@linux.com>,
        Pekka Enberg <penberg@kernel.org>,
        David Rientjes <rientjes@google.com>,
        Joonsoo Kim <iamjoonsoo.kim@lge.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Masahiro Yamada <masahiroy@kernel.org>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        Steven Rostedt <rostedt@goodmis.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Krzysztof Kozlowski <krzk@kernel.org>,
        Patrick Bellasi <patrick.bellasi@arm.com>,
        David Howells <dhowells@redhat.com>,
        Eric Biederman <ebiederm@xmission.com>,
        Johannes Weiner <hannes@cmpxchg.org>,
        Laura Abbott <labbott@redhat.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Daniel Micay <danielmicay@gmail.com>,
        Andrey Konovalov <andreyknvl@google.com>,
        Pavel Machek <pavel@denx.de>,
        Valentin Schneider <valentin.schneider@arm.com>,
        kasan-dev <kasan-dev@googlegroups.com>,
        Linux-MM <linux-mm@kvack.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        kernel list <linux-kernel@vger.kernel.org>, notify@kernel.org
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 6, 2020 at 4:09 AM Kees Cook <keescook@chromium.org> wrote:
> On Tue, Oct 06, 2020 at 01:44:14AM +0100, Matthew Wilcox wrote:
> > On Tue, Oct 06, 2020 at 12:56:33AM +0200, Jann Horn wrote:
> > > It seems to me like, if you want to make UAF exploitation harder at
> > > the heap allocator layer, you could do somewhat more effective things
> > > with a probably much smaller performance budget. Things like
> > > preventing the reallocation of virtual kernel addresses with different
> > > types, such that an attacker can only replace a UAF object with
> > > another object of the same type. (That is not an idea I like very much
> > > either, but I would like it more than this proposal.) (E.g. some
> > > browsers implement things along those lines, I believe.)
> >
> > The slab allocator already has that functionality.  We call it
> > TYPESAFE_BY_RCU, but if forcing that on by default would enhance security
> > by a measurable amount, it wouldn't be a terribly hard sell ...
>
> Isn't the "easy" version of this already controlled by slab_merge? (i.e.
> do not share same-sized/flagged kmem_caches between different caches)

Yes, but slab_merge still normally frees slab pages to the page allocator.

> The large trouble are the kmalloc caches, which don't have types
> associated with them. Having implicit kmem caches based on the type
> being allocated there would need some pretty extensive plumbing, I
> think?

Well, a bit of plumbing, at least. You'd need to teach the compiler
frontend to grab type names from sizeof() and stuff that type
information somewhere, e.g. by generating an extra function argument
referring to the type, or something like that. Could be as simple as a
reference to a bss section variable that encodes the type in the name,
and the linker already has the logic to automatically deduplicate
those across compilation units - that way, on the compiler side, a
pure frontend plugin might do the job?