Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp630357pxu; Tue, 6 Oct 2020 15:12:01 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw2YK3cdYpf3Ob9Dpq+zRf9iYlOVfJk/+INO1fnBcWijooRGi1d9xPCNhofy7CrA4liyytm X-Received: by 2002:a05:6402:1fb:: with SMTP id i27mr238936edy.379.1602022321547; Tue, 06 Oct 2020 15:12:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602022321; cv=none; d=google.com; s=arc-20160816; b=r/ynloU9SJdsRWMXqktbz6ELt/fP5H0JEvVzoWV9oob857PT/N1vD4gAiDskm8PtrP jo6a02ih42rvQLE66Uc4Ou0g4j+my1oIzKcObdHtzcZphD1Xccc3Pdyw42KI2v9QvShv YjzYdy8tw5UvBZ43IwcALZAxZEERpx6SBgXThPWxwYXaTkR/do0xlWFD/3WpNPb/reok LskKQfuIlLvV4w/j6bbkAgqKAOQC5Pu0p6zMpYNeuRRTjrKkcetwJHdw85aM0Wuaane3 QJ0Az6bi2CdmOCHeQ/S/gLZ16HxQSm7hRZwuazX+n3mQC+R5rhp9+xJ3oo9fQO7OeR2g SgWA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:autocrypt:from :references:cc:to:subject:reply-to; bh=wQQPlPmGgdUdZBsNOY2PgtEUxgnwRbZTYG95QR6U6Rc=; b=Db3l1+baoSjosUgi7nNj6X6Ve2uAblcLdIAuYe3KH5ja+jDa1hjYCldYWzVI2VKSWB A3RjQZYXpkwa4rXoPaTLIYbQkSGnhtrpupA3eTDa8+qzlopQG9NUVFC8E5fMNg61I7TY ublolT0hLywz23iXjbCJIK6OY+RXTA5eZHyvvzbjb2Z+mrB+5SkqwlgC5fYVh5V27VqT kxjuxBCisJXirCytpEZgeNCvOHurufCe/M0T4v3faNoFeoN8F/qtN/4dTjbxNfO6RnJf T1D9RVsCemskMgY79Afxmnqrwu6A8dj3FpwCnQsJ4SKg0nabjsc0rNLKXxKOFMLZ9ZQq eLiA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ml19si47743ejb.348.2020.10.06.15.11.37; Tue, 06 Oct 2020 15:12:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727106AbgJFT0B (ORCPT + 99 others); Tue, 6 Oct 2020 15:26:01 -0400 Received: from mail-wm1-f68.google.com ([209.85.128.68]:54728 "EHLO mail-wm1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727013AbgJFT0B (ORCPT ); Tue, 6 Oct 2020 15:26:01 -0400 Received: by mail-wm1-f68.google.com with SMTP id p15so4046581wmi.4 for ; Tue, 06 Oct 2020 12:25:59 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:reply-to:subject:to:cc:references:from:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=wQQPlPmGgdUdZBsNOY2PgtEUxgnwRbZTYG95QR6U6Rc=; b=sTr3ORz/ebfDYhzCu5XvxvAxsR+njkaucCLeM8+mB+zdQZxV935D7CY6Fj+gZlCF0z gR0LYXZAriJj4j/oAP/PQJqNj3TB+QjLXK7rhTreIBP/Aon1P3LYRgqn0CjoJ3gGcb+2 rFm7A0M64VTjutZN66qKmQlVxsHMykw9PvDPuSBpo3RzlcBiom+qrNYCcVzMArcYT+oP zEWRhISBuL5iEzM5i2LC3yCscaYa6P8VptZ3c930J5CAJ/FHJZ0KQdhOKAIrnOfYAxVv iFuYMD1+SCbcEvi7aLGHhJE3vAxN70fLGMeld0Zz3hy3ANhzYCNrNbw0RbtWJzbp+aZv ow3w== X-Gm-Message-State: AOAM532RSjPhkks5rmYbz6auF+udn2VP8IfXJgT3ZoPSxS3DWoqhIgyE tHYOfsqQksdtCuUhCbAxuag= X-Received: by 2002:a1c:b388:: with SMTP id c130mr6364936wmf.175.1602012358471; Tue, 06 Oct 2020 12:25:58 -0700 (PDT) Received: from [10.9.0.26] ([185.248.161.177]) by smtp.gmail.com with ESMTPSA id f14sm5610132wme.22.2020.10.06.12.25.50 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 06 Oct 2020 12:25:57 -0700 (PDT) Reply-To: alex.popov@linux.com Subject: Re: [PATCH RFC v2 0/6] Break heap spraying needed for exploiting use-after-free To: Jann Horn Cc: Kees Cook , Will Deacon , Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Masahiro Yamada , Masami Hiramatsu , Steven Rostedt , Peter Zijlstra , Krzysztof Kozlowski , Patrick Bellasi , David Howells , Eric Biederman , Johannes Weiner , Laura Abbott , Arnd Bergmann , Greg Kroah-Hartman , Daniel Micay , Andrey Konovalov , Matthew Wilcox , Pavel Machek , Valentin Schneider , kasan-dev , Linux-MM , Kernel Hardening , kernel list , notify@kernel.org References: <20200929183513.380760-1-alex.popov@linux.com> <91d564a6-9000-b4c5-15fd-8774b06f5ab0@linux.com> <1b5cf312-f7bb-87ce-6658-5ca741c2e790@linux.com> From: Alexander Popov Autocrypt: addr=alex.popov@linux.com; prefer-encrypt=mutual; keydata= mQINBFX15q4BEADZartsIW3sQ9R+9TOuCFRIW+RDCoBWNHhqDLu+Tzf2mZevVSF0D5AMJW4f UB1QigxOuGIeSngfmgLspdYe2Kl8+P8qyfrnBcS4hLFyLGjaP7UVGtpUl7CUxz2Hct3yhsPz ID/rnCSd0Q+3thrJTq44b2kIKqM1swt/F2Er5Bl0B4o5WKx4J9k6Dz7bAMjKD8pHZJnScoP4 dzKPhrytN/iWM01eRZRc1TcIdVsRZC3hcVE6OtFoamaYmePDwWTRhmDtWYngbRDVGe3Tl8bT 7BYN7gv7Ikt7Nq2T2TOfXEQqr9CtidxBNsqFEaajbFvpLDpUPw692+4lUbQ7FL0B1WYLvWkG cVysClEyX3VBSMzIG5eTF0Dng9RqItUxpbD317ihKqYL95jk6eK6XyI8wVOCEa1V3MhtvzUo WGZVkwm9eMVZ05GbhzmT7KHBEBbCkihS+TpVxOgzvuV+heCEaaxIDWY/k8u4tgbrVVk+tIVG 99v1//kNLqd5KuwY1Y2/h2MhRrfxqGz+l/f/qghKh+1iptm6McN//1nNaIbzXQ2Ej34jeWDa xAN1C1OANOyV7mYuYPNDl5c9QrbcNGg3D6gOeGeGiMn11NjbjHae3ipH8MkX7/k8pH5q4Lhh Ra0vtJspeg77CS4b7+WC5jlK3UAKoUja3kGgkCrnfNkvKjrkEwARAQABtCZBbGV4YW5kZXIg UG9wb3YgPGFsZXgucG9wb3ZAbGludXguY29tPokCVwQTAQgAQQIbIwIeAQIXgAULCQgHAwUV CgkICwUWAgMBAAIZARYhBLl2JLAkAVM0bVvWTo4Oneu8fo+qBQJdehKcBQkLRpLuAAoJEI4O neu8fo+qrkgP/jS0EhDnWhIFBnWaUKYWeiwR69DPwCs/lNezOu63vg30O9BViEkWsWwXQA+c SVVTz5f9eB9K2me7G06A3U5AblOJKdoZeNX5GWMdrrGNLVISsa0geXNT95TRnFqE1HOZJiHT NFyw2nv+qQBUHBAKPlk3eL4/Yev/P8w990Aiiv6/RN3IoxqTfSu2tBKdQqdxTjEJ7KLBlQBm 5oMpm/P2Y/gtBiXRvBd7xgv7Y3nShPUDymjBnc+efHFqARw84VQPIG4nqVhIei8gSWps49DX kp6v4wUzUAqFo+eh/ErWmyBNETuufpxZnAljtnKpwmpFCcq9yfcMlyOO9/viKn14grabE7qE 4j3/E60wraHu8uiXJlfXmt0vG16vXb8g5a25Ck09UKkXRGkNTylXsAmRbrBrA3Moqf8QzIk9 p+aVu/vFUs4ywQrFNvn7Qwt2hWctastQJcH3jrrLk7oGLvue5KOThip0SNicnOxVhCqstjYx KEnzZxtna5+rYRg22Zbfg0sCAAEGOWFXjqg3hw400oRxTW7IhiE34Kz1wHQqNif0i5Eor+TS 22r9iF4jUSnk1jaVeRKOXY89KxzxWhnA06m8IvW1VySHoY1ZG6xEZLmbp3OuuFCbleaW07OU 9L8L1Gh1rkAz0Fc9eOR8a2HLVFnemmgAYTJqBks/sB/DD0SuuQINBFX15q4BEACtxRV/pF1P XiGSbTNPlM9z/cElzo/ICCFX+IKg+byRvOMoEgrzQ28ah0N5RXQydBtfjSOMV1IjSb3oc23z oW2J9DefC5b8G1Lx2Tz6VqRFXC5OAxuElaZeoowV1VEJuN3Ittlal0+KnRYY0PqnmLzTXGA9 GYjw/p7l7iME7gLHVOggXIk7MP+O+1tSEf23n+dopQZrkEP2BKSC6ihdU4W8928pApxrX1Lt tv2HOPJKHrcfiqVuFSsb/skaFf4uveAPC4AausUhXQVpXIg8ZnxTZ+MsqlwELv+Vkm/SNEWl n0KMd58gvG3s0bE8H2GTaIO3a0TqNKUY16WgNglRUi0WYb7+CLNrYqteYMQUqX7+bB+NEj/4 8dHw+xxaIHtLXOGxW6zcPGFszaYArjGaYfiTTA1+AKWHRKvD3MJTYIonphy5EuL9EACLKjEF v3CdK5BLkqTGhPfYtE3B/Ix3CUS1Aala0L+8EjXdclVpvHQ5qXHs229EJxfUVf2ucpWNIUdf lgnjyF4B3R3BFWbM4Yv8QbLBvVv1Dc4hZ70QUXy2ZZX8keza2EzPj3apMcDmmbklSwdC5kYG EFT4ap06R2QW+6Nw27jDtbK4QhMEUCHmoOIaS9j0VTU4fR9ZCpVT/ksc2LPMhg3YqNTrnb1v RVNUZvh78zQeCXC2VamSl9DMcwARAQABiQI8BBgBCAAmAhsMFiEEuXYksCQBUzRtW9ZOjg6d 67x+j6oFAl16ErcFCQtGkwkACgkQjg6d67x+j6q7zA/+IsjSKSJypgOImN9LYjeb++7wDjXp qvEpq56oAn21CvtbGus3OcC0hrRtyZ/rC5Qc+S5SPaMRFUaK8S3j1vYC0wZJ99rrmQbcbYMh C2o0k4pSejaINmgyCajVOhUhln4IuwvZke1CLfXe1i3ZtlaIUrxfXqfYpeijfM/JSmliPxwW BRnQRcgS85xpC1pBUMrraxajaVPwu7hCTke03v6bu8zSZlgA1rd9E6KHu2VNS46VzUPjbR77 kO7u6H5PgQPKcuJwQQ+d3qa+5ZeKmoVkc2SuHVrCd1yKtAMmKBoJtSku1evXPwyBzqHFOInk mLMtrWuUhj+wtcnOWxaP+n4ODgUwc/uvyuamo0L2Gp3V5ItdIUDO/7ZpZ/3JxvERF3Yc1md8 5kfflpLzpxyl2fKaRdvxr48ZLv9XLUQ4qNuADDmJArq/+foORAX4BBFWvqZQKe8a9ZMAvGSh uoGUVg4Ks0uC4IeG7iNtd+csmBj5dNf91C7zV4bsKt0JjiJ9a4D85dtCOPmOeNuusK7xaDZc gzBW8J8RW+nUJcTpudX4TC2SGeAOyxnM5O4XJ8yZyDUY334seDRJWtS4wRHxpfYcHKTewR96 IsP1USE+9ndu6lrMXQ3aFsd1n1m1pfa/y8hiqsSYHy7JQ9Iuo9DxysOj22UNOmOE+OYPK48D j3lCqPk= Message-ID: Date: Tue, 6 Oct 2020 22:25:48 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06.10.2020 21:37, Jann Horn wrote: > On Tue, Oct 6, 2020 at 7:56 PM Alexander Popov wrote: >> >> On 06.10.2020 01:56, Jann Horn wrote: >>> On Thu, Oct 1, 2020 at 9:43 PM Alexander Popov wrote: >>>> On 29.09.2020 21:35, Alexander Popov wrote: >>>>> This is the second version of the heap quarantine prototype for the Linux >>>>> kernel. I performed a deeper evaluation of its security properties and >>>>> developed new features like quarantine randomization and integration with >>>>> init_on_free. That is fun! See below for more details. >>>>> >>>>> >>>>> Rationale >>>>> ========= >>>>> >>>>> Use-after-free vulnerabilities in the Linux kernel are very popular for >>>>> exploitation. There are many examples, some of them: >>>>> https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html >> >> Hello Jann, thanks for your reply. >> >>> I don't think your proposed mitigation would work with much >>> reliability against this bug; the attacker has full control over the >>> timing of the original use and the following use, so an attacker >>> should be able to trigger the kmem_cache_free(), then spam enough new >>> VMAs and delete them to flush out the quarantine, and then do heap >>> spraying as normal, or something like that. >> >> The randomized quarantine will release the vulnerable object at an unpredictable >> moment (patch 4/6). >> >> So I think the control over the time of the use-after-free access doesn't help >> attackers, if they don't have an "infinite spray" -- unlimited ability to store >> controlled data in the kernelspace objects of the needed size without freeing them. >> >> "Unlimited", because the quarantine size is 1/32 of whole memory. >> "Without freeing", because freed objects are erased by init_on_free before going >> to randomized heap quarantine (patch 3/6). >> >> Would you agree? > > But you have a single quarantine (per CPU) for all objects, right? So > for a UAF on slab A, the attacker can just spam allocations and > deallocations on slab B to almost deterministically flush everything > in slab A back to the SLUB freelists? Aaaahh! Nice shot Jann, I see. Another slab cache can be used to flush the randomized quarantine, so eventually the vulnerable object returns into the allocator freelist in its cache, and original heap spraying can be used again. For now I think the idea of a global quarantine for all slab objects is dead. Thank you. Best regards, Alexander