Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1760275Ab1CDVoJ (ORCPT ); Fri, 4 Mar 2011 16:44:09 -0500 Received: from mx1.vsecurity.com ([209.67.252.12]:56711 "EHLO mx1.vsecurity.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1760219Ab1CDVoH (ORCPT ); Fri, 4 Mar 2011 16:44:07 -0500 Subject: Re: [PATCH] Make /proc/slabinfo 0400 From: Dan Rosenberg To: Pekka Enberg Cc: Matt Mackall , Linus Torvalds , Dave Hansen , Theodore Tso , cl@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Ingo Molnar , Andrew Morton In-Reply-To: References: <1299174652.2071.12.camel@dan> <1299185882.3062.233.camel@calx> <1299186986.2071.90.camel@dan> <1299188667.3062.259.camel@calx> <1299191400.2071.203.camel@dan> <2DD7330B-2FED-4E58-A76D-93794A877A00@mit.edu> <1299260164.8493.4071.camel@nimitz> <1299262495.3062.298.camel@calx> <1299270709.3062.313.camel@calx> <1299271377.2071.1406.camel@dan> <1299272907.2071.1415.camel@dan> Content-Type: text/plain; charset="UTF-8" Date: Fri, 04 Mar 2011 16:44:02 -0500 Message-ID: <1299275042.2071.1422.camel@dan> Mime-Version: 1.0 X-Mailer: Evolution 2.28.3 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1291 Lines: 29 On Fri, 2011-03-04 at 23:30 +0200, Pekka Enberg wrote: > Right. So you fill a slab with objects A that you want to overflow > (struct shmid_kernel in the example exploit) then free one of them, > allocate object B, smash it (and the next object), and find the > smashed object A. > > But doesn't that make the whole /slab/procinfo discussion moot? You > can always use brute force to allocate N objects (where N is larger > than max objects in a slab) and then just free nth object that's most > likely to land on the slab you have full control over (as explained by > Matt). > > Pekka This is a good point, and one that I've come to accept as a result of having this conversation. Consider the patch dropped, unless there are other reasons I've missed. I still think it's worth brainstorming techniques for hardening the kernel heap in ways that don't create performance impact, but I admit that the presence or absence of this debugging information isn't a crucial factor in successful exploitation. Thanks, Dan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/