Received: by 2002:a89:2c3:0:b0:1ed:23cc:44d1 with SMTP id d3csp295547lqs; Tue, 5 Mar 2024 02:11:36 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCU0g2UGrirBP/jx6aFXwXHrpgjFlxnGtxztpYkTxFMTIGK9yisvuzMmNqd3pZ3qFciR7JW7y3nXaY+B57AYW/QSaI0tbnJLaL4ds47bSQ== X-Google-Smtp-Source: AGHT+IGPCQIGNeFr6h9eCEo43r0LH4w0qYfGD4Ey/YmY0EvTqWzDOEI4TLE6quY0+6yn+OXfH4HZ X-Received: by 2002:a05:6a20:d04a:b0:1a1:4a1e:52 with SMTP id hv10-20020a056a20d04a00b001a14a1e0052mr1565157pzb.35.1709633496566; Tue, 05 Mar 2024 02:11:36 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709633496; cv=pass; d=google.com; s=arc-20160816; b=Pww9quXERyT+F6t/Yww1m6tQCJCoPpKINUUZkI+sg44wUWP/3Lwg8WKdHhub18oK5k /XacomCtZVeY3fhkVf6V9G6hdX58HC7AOVQoSK/wDZkAxrzfFAtyDjWKhCm4sLIoyNJB 35d8IyAtHXQfQhnLi6P9BLsMEPwFoAykAHbt0gkws7FiWKxlOrFYGd1YtPvtsEEX3F2y jVGKH5pxa2GTBpnHVU2taj+u3asv9ADhH8Gv02BoLm/n2L/cN3E5FcOgV3LEreDyrjN8 WU+6SAFxUU4bt8+z3VxmQgpqTLboVKuoDXRIQzNdimma4brCaH32L/6WHmeXIKwL/olT eO9g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=qzpdpDEJllHVHW238bpdd9oiZXbWj3sBmoX33gVHYPg=; fh=ds3vLYBTxpS84ZCw6iR2/1QfPSXMN9/P5Lw8wgVJ3U8=; b=urhbXkQWgFF/CIqSeUjrjqQurEB3ZWLfaim/X0tvio5CIbOEOnS4BjJRBiN69obDoI akyisjy373xdGE4G7H5s7k1GFQM8ZWmC7s0/HR6HGf2mMz6T79SuJ5hBBsU18RW94jLd pDv5zaAG8eAG3jOiL1LMw0ZIA7lpqSMfNzB9KEjfd8uw3THO2PTi0/jqfIbCu8rFa3Ou HY+vVwgBQuSu9yKkpTsxbpq6h0umWl38Klmy6MLTy7YBMLH5TQwusWhpv9my8faCPbVO to+UdFc6oi8FRy1HbBRoIgsXmbNmIqbsSdkOli4LlLytD981WU900ubrR7a7PZ/2xGke B6aw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=JIv+ryrM; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-92051-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-92051-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id j13-20020aa78dcd000000b006e6116642b3si4031792pfr.331.2024.03.05.02.11.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Mar 2024 02:11:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-92051-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=JIv+ryrM; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-92051-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-92051-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 6874EB225DD for ; Tue, 5 Mar 2024 10:11:03 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2E12855C19; Tue, 5 Mar 2024 10:10:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="JIv+ryrM" Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DD5D65490E for ; Tue, 5 Mar 2024 10:10:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.170 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709633431; cv=none; b=MGWLEb1aqZMrgwqBtUdzcgvBVDgBcsOQQ2FvIUTDUUEi8bcRJ4YXqpo3dy2p06vf7bs4slqVl/l/Xt86YCfs/IGR5KUMMRfT6GpWpPTMboA0h1B05+v3hsnUQRd9qcc59/1enXiEFRm2Y8YYAppos6u4VZw4AflsAwxmoPmS7SM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709633431; c=relaxed/simple; bh=edWPsSNhLUgYV01JFEWzJeLACWZPsISNNEUjPT6beEY=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=edT6cTkR2Eduic+qXkf5o3vNFVgxLtDjrHFENE79YiWy18pM2jwiA7s80v6vOcTcmxOxzv7xRydGoFBox55lfSp/nRUtVBOMk7P0JkcNFBZnquVyYg1N8W0g/tFHE1a/obsNtlcF7c5+4ghU6B2AWPYfPwspCYyDm2a/ag6Zrhs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=JIv+ryrM; arc=none smtp.client-ip=209.85.214.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-1dca3951ad9so52542925ad.3 for ; Tue, 05 Mar 2024 02:10:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1709633428; x=1710238228; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=qzpdpDEJllHVHW238bpdd9oiZXbWj3sBmoX33gVHYPg=; b=JIv+ryrMWLpfE02llpYj2oksvSjElgimSP8Md/V8iFNhz+FSl/umKXrz2EfTyhv1+s CR4zZ8/TlvWQgi8+7odm0eABT33Py3CUy5pRH7yVpG6k7cLpb/PZys98StKIOaPWchPd +zxNsCyf5r4vmh1D8Tf9G4DNuep/bcy6Pc0FE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709633428; x=1710238228; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qzpdpDEJllHVHW238bpdd9oiZXbWj3sBmoX33gVHYPg=; b=NQiHRLpt1vGc4iRDGEOsy4fEKNIPbT2QZcSYD0lVPHmRrVu8Ce54kQNMGjbusYQ9fB iArx9LBpEz8E+xwomRHznz++Z1Q1uUYBRIbAdhW3mO8RlW+eiYM5jAVqnKTZ9efd83iB f2j+jDjoXzZVKLrL8S22/IVJaOV25JX3YVD/xRPIkfOZWA42txK2FXJJ2WZC4IZrN0ev +rIzvqTEVsfhVKZ4/ygv7n+Vk3mj9ifBvDmQjtE/V5PgvACZQpFENV7E5SW85NgYbacX i/XtN7l2RbMmVkCkRbyRp8yVsPody9uN9nczWvXijrc5hkf5Th8B4sA+1NYBo6fSmWV+ 1QlQ== X-Forwarded-Encrypted: i=1; AJvYcCU53mUtGUXXnZgCajGBb/o1XEQLM3F7dedtQ49cFH8Q4qK66yvpkzqherpPYIh2axMgaVWeC+4YSRwnF0k0upwjxWf0WnMngwUrRUey X-Gm-Message-State: AOJu0YxN/l4ZjmU8D4PzXsHtoLD238N/YU5Uw3NPpkLAyaqFfrYFEV6f kfPMvhJFKHKpI7Ejez9AGHvHmCDV5xHjpOA3d6jliMPrC7MS7byF3CNW3bGERA== X-Received: by 2002:a17:902:c951:b0:1dc:673:1932 with SMTP id i17-20020a170902c95100b001dc06731932mr1799892pla.38.1709633428204; Tue, 05 Mar 2024 02:10:28 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id p4-20020a170902780400b001dd2b9ed407sm1124556pll.213.2024.03.05.02.10.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Mar 2024 02:10:27 -0800 (PST) From: Kees Cook To: Vlastimil Babka Cc: Kees Cook , Andrew Morton , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, "GONG, Ruiqi" , Xiu Jianfeng , Suren Baghdasaryan , Kent Overstreet , Jann Horn , Matteo Rizzo , linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org Subject: [PATCH v2 0/9] slab: Introduce dedicated bucket allocator Date: Tue, 5 Mar 2024 02:10:16 -0800 Message-Id: <20240305100933.it.923-kees@kernel.org> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3660; i=keescook@chromium.org; h=from:subject:message-id; bh=edWPsSNhLUgYV01JFEWzJeLACWZPsISNNEUjPT6beEY=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBl5u+QN2e7WFyXuymiV+m02giXTmHe/hI5tR0+A 6PRup3N4OaJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZebvkAAKCRCJcvTf3G3A Jo14EACeZ3xWd6gW/b5hjqMeZ55W6EyPP6VoUB67J6zJ2PdYd8Gzy9EWRFtQVTdR5Z19nH0w9fD mBFL1sDyKQktxuNO36ylzQLo4OCN/I4vYgwsPblfZ5B/MW/inL/WaDQoXo598aporgDtOgmRFLO MB4M3LTyYa68aJgD94dQNbcMzn2501HtvR6SBWqNiYm9h2B74D40BNNbMPClXGSuVfmfbg/aCd2 t2DwUY0YSDIRDK/fvmUc+XAuC2MrktCSvSptBgZKkP5c7iTk+Se1z3Enn4l9UUqvTH5utSiuLDw +Bht0qxCTk5l2+LbakA1p2FFCzUnGg2lfIsCwyPr98FhaOw38eFoOluQnPv9Up7pcxW/JUAUYO8 X5sTPv2Wx5R3ZbGABQ9vf2Ms2iva5WmflzdKvmPm3cOqvzJWn4HRWNfMZGbCrke4ZGvYcfMC7vC 6v/FsPuSCrN5jYwU5O5IDmBbai5BLiBaydRhA5PO4OF63vKkiGuJNnAjti/vV8XsHU1d7RalfLv AwanRdWj9ObRQ8NhB53I5EzVgzPQiirraBFtktNTU10znDXg3hmlG6mi+EVQSY2UtJ8c/+0Yass SSWa9u6GFsB4FA/mnLKybDeRqPOvRyOuA13CZJE6xWPhGmpBhq27s70SA9E5mentgD4dh15OReO t8rAp2K KqXW0Zxw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: 8bit Hi, Repeating the commit logs for patch 4 here: Dedicated caches are available For fixed size allocations via kmem_cache_alloc(), but for dynamically sized allocations there is only the global kmalloc API's set of buckets available. This means it isn't possible to separate specific sets of dynamically sized allocations into a separate collection of caches. This leads to a use-after-free exploitation weakness in the Linux kernel since many heap memory spraying/grooming attacks depend on using userspace-controllable dynamically sized allocations to collide with fixed size allocations that end up in same cache. While CONFIG_RANDOM_KMALLOC_CACHES provides a probabilistic defense against these kinds of "type confusion" attacks, including for fixed same-size heap objects, we can create a complementary deterministic defense for dynamically sized allocations. In order to isolate user-controllable sized allocations from system allocations, introduce kmem_buckets_create(), which behaves like kmem_cache_create(). (The next patch will introduce kmem_buckets_alloc(), which behaves like kmem_cache_alloc().) Allows for confining allocations to a dedicated set of sized caches (which have the same layout as the kmalloc caches). This can also be used in the future once codetag allocation annotations exist to implement per-caller allocation cache isolation[0] even for dynamic allocations. Link: https://lore.kernel.org/lkml/202402211449.401382D2AF@keescook [0] After the implemetation are 2 example patches of how this could be used for some repeat "offenders" that get used in exploits. There are more to be isolated beyond just these. Repeating the commit log for patch 8 here: The msg subsystem is a common target for exploiting[1][2][3][4][5][6] use-after-free type confusion flaws in the kernel for both read and write primitives. Avoid having a user-controlled size cache share the global kmalloc allocator by using a separate set of kmalloc buckets. Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1] Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2] Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3] Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4] Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5] Link: https://zplin.me/papers/ELOISE.pdf [6] -Kees v2: significant rewrite, generalized the buckets type, added kvmalloc style v1: https://lore.kernel.org/lkml/20240304184252.work.496-kees@kernel.org/ Kees Cook (9): slab: Introduce kmem_buckets typedef slub: Plumb kmem_buckets into __do_kmalloc_node() util: Introduce __kvmalloc_node() that can take kmem_buckets argument slab: Introduce kmem_buckets_create() slab: Introduce kmem_buckets_alloc() slub: Introduce kmem_buckets_alloc_track_caller() slab: Introduce kmem_buckets_valloc() ipc, msg: Use dedicated slab buckets for alloc_msg() mm/util: Use dedicated slab buckets for memdup_user() include/linux/slab.h | 50 +++++++++++++++++++++------- ipc/msgutil.c | 13 +++++++- lib/fortify_kunit.c | 2 +- mm/slab.h | 6 ++-- mm/slab_common.c | 77 ++++++++++++++++++++++++++++++++++++++++++-- mm/slub.c | 14 ++++---- mm/util.c | 23 +++++++++---- 7 files changed, 154 insertions(+), 31 deletions(-) -- 2.34.1