From: Kees Cook
To: Vlastimil Babka
Cc: Kees Cook, "GONG, Ruiqi", Xiu Jianfeng, Suren Baghdasaryan, Kent Overstreet, Jann Horn, Matteo Rizzo, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Thomas Graf, Herbert Xu, julien.voisin@dustri.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: [PATCH v3 5/6] ipc, msg: Use dedicated slab buckets for alloc_msg()
Date: Wed, 24 Apr 2024 14:41:02 -0700
Message-Id: <20240424214104.3248214-5-keescook@chromium.org>
In-Reply-To: <20240424213019.make.366-kees@kernel.org>
References: <20240424213019.make.366-kees@kernel.org>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org

The msg
subsystem is a common target for exploiting[1][2][3][4][5][6][7] use-after-free type confusion flaws in the kernel for both read and write primitives. Avoid having a user-controlled size cache share the global kmalloc allocator by using a separate set of kmalloc buckets.

Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1]
Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2]
Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3]
Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4]
Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5]
Link: https://zplin.me/papers/ELOISE.pdf [6]
Link: https://syst3mfailure.io/wall-of-perdition/ [7]
Signed-off-by: Kees Cook
---
Cc: "GONG, Ruiqi"
Cc: Xiu Jianfeng
Cc: Suren Baghdasaryan
Cc: Kent Overstreet
Cc: Jann Horn
Cc: Matteo Rizzo
---
 ipc/msgutil.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipc/msgutil.c b/ipc/msgutil.c index d0a0e877cadd..f392f30a057a 100644 --- a/ipc/msgutil.c +++ b/ipc/msgutil.c @@ -42,6 +42,17 @@ struct msg_msgseg { #define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) #define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) +static kmem_buckets *msg_buckets __ro_after_init; + +static int __init init_msg_buckets(void) +{ + msg_buckets = kmem_buckets_create("msg_msg", 0, SLAB_ACCOUNT, + sizeof(struct msg_msg), + DATALEN_MSG, NULL); + + return 0; +} +subsys_initcall(init_msg_buckets); static struct msg_msg *alloc_msg(size_t len) { @@ -50,7 +61,7 @@ static struct msg_msg *alloc_msg(size_t len) size_t alen; alen = min(len, DATALEN_MSG); - msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL_ACCOUNT); + msg = kmem_buckets_alloc(msg_buckets, sizeof(*msg) + alen, GFP_KERNEL); if (msg == NULL) return NULL; -- 2.34.1
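Review bot: in the first hunk, init_msg_buckets() never checks the result of kmem_buckets_create(); the assignment `msg_buckets = kmem_buckets_create("msg_msg", 0, SLAB_ACCOUNT, ...)` is followed by an unconditional `return 0;`. If creation fails, msg_buckets stays NULL and every later kmem_buckets_alloc(msg_buckets, ...) call in alloc_msg() depends on how that helper treats a NULL bucket set, which nothing in this patch states. Either test the result and fall back explicitly (or WARN_ON and return an error from the initcall), or add a one-line comment above the call saying that a NULL msg_buckets is expected to fall back to the normal kmalloc caches, so the behaviour is documented rather than implicit. It would also help to say in the commit message what the `sizeof(struct msg_msg), DATALEN_MSG` pair passed to kmem_buckets_create() covers, since it matches the header-plus-up-to-DATALEN_MSG-bytes layout that user data is copied into.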
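Review bot: in the second hunk, the replacement line swaps GFP_KERNEL_ACCOUNT for plain GFP_KERNEL and relies on the SLAB_ACCOUNT flag given to kmem_buckets_create() in the earlier hunk to keep memcg accounting; that is consistent, but the commit message does not mention it, so one sentence noting that accounting moved from the allocation flag to the cache flag would save reviewers a lookup. Separately, the context shows DATALEN_SEG and struct msg_msgseg for messages longer than DATALEN_MSG, yet the diffstat (12 insertions, 1 deletion, one file) shows only the first kmalloc() in alloc_msg() is moved; if the segment allocations further down alloc_msg() still use kmalloc(), they keep the shared-cache exposure the commit message describes, and the message should say whether leaving them is deliberate or a follow-up.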
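As an added illustration of the threat model the commit message describes (this is not code from the patch, the kernel, or its author), the following user-space model of SLUB-style size-class caches with a LIFO freelist shows why moving msg_msg into its own bucket matters. The cache names ("kmalloc-128", "msg_msg"), the struct victim layout, and the eight-slot cache are illustrative assumptions. In the shared case a stale pointer to a freed msg_msg-like object reads attacker-controlled bytes after a spray of the same size class; with a dedicated bucket the spray can never land on the freed slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the patch or the kernel: a tiny user-space
 * model of size-class caches with a LIFO freelist. "kmalloc-128" stands in
 * for a shared general-purpose cache and "msg_msg" for the dedicated bucket
 * the patch introduces. Names, sizes and the struct layout are assumptions.
 */

#define SLOT_SIZE       128   /* one size class, e.g. kmalloc-128 */
#define SLOTS_PER_CACHE 8

struct cache {
	const char *name;
	unsigned char slots[SLOTS_PER_CACHE][SLOT_SIZE];
	void *freelist[SLOTS_PER_CACHE];  /* LIFO, like a SLUB freelist */
	int nfree;
};

static void cache_init(struct cache *c, const char *name)
{
	c->name = name;
	c->nfree = 0;
	/* Push in reverse so slot 0 is handed out first. */
	for (int i = SLOTS_PER_CACHE - 1; i >= 0; i--)
		c->freelist[c->nfree++] = c->slots[i];
}

static void *cache_alloc(struct cache *c)
{
	return c->nfree ? c->freelist[--c->nfree] : NULL;
}

static void cache_free(struct cache *c, void *p)
{
	c->freelist[c->nfree++] = p;
}

/* Stand-in for a header-plus-payload object like struct msg_msg. */
struct victim {
	uint64_t m_ts;                      /* length field an exploit wants to corrupt */
	void *next;                         /* pointer field an exploit wants to read */
	unsigned char data[SLOT_SIZE - 16]; /* user-controlled payload */
};

/*
 * Model of the exploit primitive: the victim is freed while a stale pointer
 * to it survives (the use-after-free), then the attacker allocates from
 * @attacker_cache with fully controlled contents. Returns 1 when the spray
 * lands on the victim's old slot, i.e. the stale pointer now reads attacker
 * bytes (type confusion), and 0 when the two caches never share memory.
 */
static int uaf_reclaimed_by_spray(struct cache *victim_cache,
				  struct cache *attacker_cache)
{
	struct victim *stale = cache_alloc(victim_cache);
	unsigned char *spray;

	memset(stale, 0, sizeof(*stale));
	stale->m_ts = 64;
	cache_free(victim_cache, stale);   /* the bug: `stale` is still used below */

	spray = cache_alloc(attacker_cache);
	memset(spray, 0x41, SLOT_SIZE);    /* attacker-controlled fill */

	/* In this model the memory is never unmapped, so the read is safe. */
	return stale->m_ts == 0x4141414141414141ULL;
}

/* Before the patch: msg_msg shares kmalloc-128 with every other caller. */
int shared_cache_reclaimed(void)
{
	struct cache kmalloc_128;

	cache_init(&kmalloc_128, "kmalloc-128");
	return uaf_reclaimed_by_spray(&kmalloc_128, &kmalloc_128);
}

/* After the patch: msg_msg comes from its own bucket. */
int dedicated_bucket_reclaimed(void)
{
	struct cache kmalloc_128, msg_msg;

	cache_init(&kmalloc_128, "kmalloc-128");
	cache_init(&msg_msg, "msg_msg");
	return uaf_reclaimed_by_spray(&msg_msg, &kmalloc_128);
}

int main(void)
{
	printf("shared cache: stale msg_msg reclaimed by spray = %d\n",
	       shared_cache_reclaimed());
	printf("dedicated bucket: stale msg_msg reclaimed by spray = %d\n",
	       dedicated_bucket_reclaimed());
	return 0;
}
```

The model deliberately leaves out per-CPU freelists, freelist randomization and page-level reuse. A dedicated bucket stops the direct same-cache reclaim shown here, but once a bucket's slab page is fully freed and returned to the page allocator it can be reused by another cache, so the separation raises the cost of the classic msg_msg spray rather than ruling out every cross-cache technique.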