From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2826BC32771 for ; Mon, 26 Sep 2022 20:15:07 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 84B348E0082; Mon, 26 Sep 2022 16:15:06 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 7FA3F8E0066; Mon, 26 Sep 2022 16:15:06 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 6C2B88E0082; Mon, 26 Sep 2022 16:15:06 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 5ADD08E0066 for ; Mon, 26 Sep 2022 16:15:06 -0400 (EDT) Received: from smtpin19.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay05.hostedemail.com (Postfix) with ESMTP id 3372040525 for ; Mon, 26 Sep 2022 20:15:06 +0000 (UTC) X-FDA: 79955340612.19.5C21ED0 Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by imf01.hostedemail.com (Postfix) with ESMTP id AE2984000A for ; Mon, 26 Sep 2022 20:15:05 +0000 (UTC) Received: by mail-pj1-f50.google.com with SMTP id d64-20020a17090a6f4600b00202ce056566so13588657pjk.4 for ; Mon, 26 Sep 2022 13:15:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date; bh=5e0NMcxrM37hHf1SPYvwWiwpMePVnoGZG2QjiMvl9Vw=; b=U1taE2UKrJzmtLwN4Wrm15HUhdqUUQ4dmrV4U0Z4aBkmwLULhcCiHFhED/cifT5QVd 8G3733MWfeO8lhHI+FRhM/mulJElcP5dA6YADB58qF8ezcFV+vTLBinyC6qfkOTbHh7A GRQb/uc+waJoHSokInnmbjMzFr6ccVRHXNGBs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date; bh=5e0NMcxrM37hHf1SPYvwWiwpMePVnoGZG2QjiMvl9Vw=; b=2Okhvqk9om8L7wSDig0oZArc4aqaglNCfhVowNoa7OKohVBfC2wjCv8Q2WIB/Mx6J9 evCory9qLh6ERJ29nIUR5mP8AUnJGamHZVRFDfivk6P6TsyxGxmaxIMhDOyBEErByG0u kBJZ41GRC8cQBAemLeiO19aEvUrwDKGXBdBn4avNl2+A4RjLDdGEVucd9o1SNGSuMiFK P+AkGxKJ8AkpmPVES3fKGBAlcTt+F6kljIkZgLv+G8VpdO9nWYE4w0PscRJFFd652XZx QWtzZN7s03+cpsimuGwroIPYDcyOtPIIPLJilDCs2PB/ul1JighpEXHfulPL7ES312wa 9kmQ== X-Gm-Message-State: ACrzQf2HXE5+xVFPbhyNRXi+3npb7l6+DocQnG4W6hgBHgrZm7mlEMsP 6c5ERHbb0JrniNBr/Hio/RIwUg== X-Google-Smtp-Source: AMsMyM5aR3waEBGAC3kimDDDLLkXW+zo/61DYBSMbrRf9WE6ZMLLVXBhGikTzl6Ftq8lE1ueccxWMA== X-Received: by 2002:a17:902:8214:b0:178:95c9:bd5d with SMTP id x20-20020a170902821400b0017895c9bd5dmr24334550pln.106.1664223304468; Mon, 26 Sep 2022 13:15:04 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 9-20020a621409000000b0053e6eae9668sm12648188pfu.2.2022.09.26.13.15.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 26 Sep 2022 13:15:03 -0700 (PDT) Date: Mon, 26 Sep 2022 13:15:02 -0700 From: Kees Cook To: Andrey Konovalov Cc: Feng Tang , Andrew Morton , Vlastimil Babka , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, Dmitry Vyukov , Jonathan Corbet , Dave Hansen , Linux Memory Management List , LKML , kasan-dev Subject: Re: [PATCH v6 2/4] mm/slub: only zero the requested size of buffer for kzalloc Message-ID: <202209261305.CF6ED6EEC@keescook> References: <20220913065423.520159-1-feng.tang@intel.com> <20220913065423.520159-3-feng.tang@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1664223305; a=rsa-sha256; cv=none; b=GrFD+uYsX+aUa9Xynloxle4xp+Tlsq9m5p9PPZnnyHhDxDVoetsCLLlO0I2HcXNYGAln8q TcAODalni3r7a/t5SwT8OUlSg4SeJdz1OCoYvsbydXBieHgEW40XwCX4iBlnmLKDGa9Pxt 6FdupwJxXvEnHUkQykJne/3wGHQ3RS4= ARC-Authentication-Results: i=1; imf01.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=U1taE2UK; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf01.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.50 as permitted sender) smtp.mailfrom=keescook@chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1664223305; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=5e0NMcxrM37hHf1SPYvwWiwpMePVnoGZG2QjiMvl9Vw=; b=ZbZmvndYRa8qPTp5VBoSAac+k/EAaFOGbC3C5mzHUr8EO1A9+Krh6FudUh2R4cgfIKYluR GmeOIWl2fs0J4hpP9g1296qJzLHzUm2K7NjLZ+YLs2C2jMu7rk0Wb7SVql+s42AVyGKdSN WYs0WnAJni+Rl0blq/gXoErdlyA1tLc= X-Rspam-User: X-Rspamd-Queue-Id: AE2984000A X-Rspamd-Server: rspam08 X-Stat-Signature: prumtazjnhh3zintswcsccbizyjy8g76 Authentication-Results: imf01.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=U1taE2UK; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf01.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.50 as permitted sender) smtp.mailfrom=keescook@chromium.org X-HE-Tag: 1664223305-205864 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, Sep 26, 2022 at 09:11:24PM +0200, Andrey Konovalov wrote: > On Tue, Sep 13, 2022 at 8:54 AM Feng Tang wrote: > > > > Hi Feng, > > > kzalloc/kmalloc will round up the request size to a fixed size > > (mostly power of 2), so the allocated memory could be more than > > requested. Currently kzalloc family APIs will zero all the > > allocated memory. > > > > To detect out-of-bound usage of the extra allocated memory, only > > zero the requested part, so that sanity check could be added to > > the extra space later. > > I still don't like the idea of only zeroing the requested memory and > not the whole object. Considering potential info-leak vulnerabilities. I really really do not like reducing the zeroing size. We're trying to be proactive against _flaws_, which means that when there's a memory over-read (or uninitialized use), suddenly the scope of the exposure (or control) is wider/looser. Imagine the (unfortunately very common) case of use-after-free attacks, which leverage type confusion: some object is located in kmalloc-128 because it's 126 bytes. That slot gets freed and reallocated to, say, a 97 byte object going through kzalloc() or zero-on-init. With this patch the bytes above the 97 don't get zeroed, and the stale data from the prior 126 byte object say there happily to be used again later through a dangling pointer, or whatever. Without the proposed patch, the entire 128 bytes is wiped, which makes stale data re-use more difficult. > > Performance wise, smaller zeroing length also brings shorter > > execution time, as shown from test data on various server/desktop > > platforms. For these cases, I think a much better solution is to provide those sensitive allocations their own dedicated kmem_cache. > > > > For kzalloc users who will call ksize() later and utilize this > > extra space, please be aware that the space is not zeroed any > > more. > > CC Kees Thanks! Well, the good news is that ksize() side-effects is hopefully going to vanish soon, but my objections about stale memory remain. -Kees -- Kees Cook