Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752435Ab1CFAnV (ORCPT ); Sat, 5 Mar 2011 19:43:21 -0500 Received: from swampdragon.chaosbits.net ([90.184.90.115]:19201 "EHLO swampdragon.chaosbits.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751188Ab1CFAnU (ORCPT ); Sat, 5 Mar 2011 19:43:20 -0500 Date: Sun, 6 Mar 2011 01:42:46 +0100 (CET) From: Jesper Juhl To: Dan Rosenberg cc: Pekka Enberg , Matt Mackall , Linus Torvalds , Dave Hansen , Theodore Tso , cl@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Ingo Molnar , Andrew Morton Subject: Re: [PATCH] Make /proc/slabinfo 0400 In-Reply-To: <1299273034.2071.1417.camel@dan> Message-ID: References: <1299174652.2071.12.camel@dan> <1299185882.3062.233.camel@calx> <1299186986.2071.90.camel@dan> <1299188667.3062.259.camel@calx> <1299191400.2071.203.camel@dan> <2DD7330B-2FED-4E58-A76D-93794A877A00@mit.edu> <1299260164.8493.4071.camel@nimitz> <1299262495.3062.298.camel@calx> <1299271041.2071.1398.camel@dan> <1299273034.2071.1417.camel@dan> User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2270 Lines: 46 On Fri, 4 Mar 2011, Dan Rosenberg wrote: > On Fri, 2011-03-04 at 22:58 +0200, Pekka Enberg wrote: > > On Fri, Mar 4, 2011 at 10:37 PM, Dan Rosenberg wrote: > > > This patch makes these techniques more difficult by making it hard to > > > know whether the last attacker-allocated object resides before a free or > > > allocated object. Especially with vulnerabilities that only allow one > > > attempt at exploitation before recovery is needed to avoid trashing too > > > much heap state and causing a crash, this could go a long way. I'd > > > still argue in favor of removing the ability to know how many objects > > > are used in a given slab, since randomizing objects doesn't help if you > > > know every object is allocated. > > > > So if the attacker knows every object is allocated, how does that help > > if we're randomizing the initial freelist? > > If you know you've got a slab completely full of your objects, then it > doesn't matter that they happened to be allocated in a random fashion - > they're still all allocated, and by freeing one of them and > reallocating, you'll still be next to your target. > But still, if randomizing allocations makes life just a little harder for attackers in some scenarios, why not just do it? Same with making /proc/slabinfo 0400, if it just makes things a little harder in a few cases, why not do it? It's not like a admin who needs /proc/slabinfo to have other permissions can't arrange for that. Having been employed as a systems administrator for many years and having seen many a box cracked, my oppinion is that every little bit helps. The kernel is currently not a hard target and everything we can do to harden it is a good thing (within reason of course). Why not just do both randomization and 0400 as a start? We can always harden further later. -- Jesper Juhl http://www.chaosbits.net/ Plain text mails only, please. Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/