From: Matteo Rizzo
Date: Fri, 15 Sep 2023 10:59:19 +0000
Subject: [RFC PATCH 00/14] Prevent cross-cache attacks in the SLUB allocator
Message-ID: <20230915105933.495735-1-matteorizzo@google.com>
To: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, vbabka@suse.cz, roman.gushchin@linux.dev, 42.hyeyoo@gmail.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, corbet@lwn.net, luto@kernel.org, peterz@infradead.org
Cc: jannh@google.com, matteorizzo@google.com, evn@google.com, poprdi@google.com, jordyzomer@google.com
X-Mailer: git-send-email 2.42.0.459.ge4e396fd5e-goog

The goal of this patch series is to deterministically prevent cross-cache attacks in the SLUB allocator.

Use-after-free bugs are normally exploited by making the memory allocator reuse the victim object's memory for an object with a different type. This creates a type confusion, which is a very powerful attack primitive.

There are generally two ways to create such type confusions in the kernel. One way is to make SLUB reuse the freed object's address for another object of a different type which lives in the same slab cache. This only works in slab caches that can contain objects of different types (i.e. the kmalloc caches), and the attacker is limited to objects that belong to the same size class as the victim object.
The other way is to use a "cross-cache attack": make SLUB return the page containing the victim object to the page allocator and then make it use the same page for a different slab cache or other objects that contain attacker-controlled data. This gives attackers access to all objects rather than just the ones in the same size class as the target, and lets attackers target objects allocated from dedicated caches such as struct file.

This patch prevents cross-cache attacks by making sure that once a virtual address is used for a slab cache it's never reused for anything except for other slabs in that cache.

Jann Horn (13):
  mm/slub: add is_slab_addr/is_slab_page helpers
  mm/slub: move kmem_cache_order_objects to slab.h
  mm: use virt_to_slab instead of folio_slab
  mm/slub: create folio_set/clear_slab helpers
  mm/slub: pass additional args to alloc_slab_page
  mm/slub: pass slab pointer to the freeptr decode helper
  security: introduce CONFIG_SLAB_VIRTUAL
  mm/slub: add the slab freelists to kmem_cache
  x86: Create virtual memory region for SLUB
  mm/slub: allocate slabs from virtual memory
  mm/slub: introduce the deallocated_pages sysfs attribute
  mm/slub: sanity-check freepointers
  security: add documentation for SLAB_VIRTUAL

Matteo Rizzo (1):
  mm/slub: don't try to dereference invalid freepointers

 Documentation/arch/x86/x86_64/mm.rst       |   4 +-
 Documentation/security/self-protection.rst | 102 ++++
 arch/x86/include/asm/page_64.h             |  10 +
 arch/x86/include/asm/pgtable_64_types.h    |  21 +
 arch/x86/mm/init_64.c                      |  19 +-
 arch/x86/mm/kaslr.c                        |   9 +
 arch/x86/mm/mm_internal.h                  |   4 +
 arch/x86/mm/physaddr.c                     |  10 +
 include/linux/slab.h                       |   8 +
 include/linux/slub_def.h                   |  25 +-
 init/main.c                                |   1 +
 kernel/resource.c                          |   2 +-
 lib/slub_kunit.c                           |   4 +
 mm/memcontrol.c                            |   2 +-
 mm/slab.h                                  | 145 +++++
 mm/slab_common.c                           |  21 +-
 mm/slub.c                                  | 641 +++++++++++++++++++--
 mm/usercopy.c                              |  12 +-
 security/Kconfig.hardening                 |  16 +

 19 files changed, 977 insertions(+), 79 deletions(-)

base-commit: 46a9ea6681907a3be6b6b0d43776dccc62cad6cf
-- 2.42.0.459.ge4e396fd5e-goog
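The following is an added illustration of the two page-reuse policies the cover letter contrasts; it is not part of the patch series and not Linux code. It is a user-space toy model in C: one flat pool of small "pages" stands in for both the page allocator and the slab address space, two caches of different object sizes stand in for a dedicated cache (such as the struct file cache) and an attacker-controlled cache, and the `strict` flag emulates the SLAB_VIRTUAL rule that an address range once used by a cache is never handed to a different cache. All names (`toy_pool`, `toy_cache`, `toy_cross_cache_reuse`, and so on) are invented for the example, the real SLUB bookkeeping is far richer, and each toy cache tracks only its current slab.

```c
/* Toy model of slab page reuse (added example, not kernel code). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_NPAGES    4
#define TOY_PAGE_SIZE 64             /* a toy "page" holds a handful of objects */

struct toy_pool {
	unsigned char mem[TOY_NPAGES][TOY_PAGE_SIZE];
	int owner[TOY_NPAGES];       /* cache id that last used the page, -1 if never */
	int in_use[TOY_NPAGES];      /* 1 while some cache holds the page as a slab */
	int strict;                  /* 1: emulate SLAB_VIRTUAL, page sticks to its owner */
};

struct toy_cache {
	int id;
	size_t objsize;
	int page;                    /* current slab page index, or -1 */
	int nobjs;                   /* objects per slab */
	int inuse;                   /* live objects in the current slab */
	unsigned char used[TOY_PAGE_SIZE];
};

static void toy_pool_init(struct toy_pool *p, int strict)
{
	memset(p, 0, sizeof(*p));
	for (int i = 0; i < TOY_NPAGES; i++)
		p->owner[i] = -1;
	p->strict = strict;
}

static void toy_cache_init(struct toy_cache *c, int id, size_t objsize)
{
	memset(c, 0, sizeof(*c));
	c->id = id;
	c->objsize = objsize;
	c->page = -1;
	c->nobjs = (int)(TOY_PAGE_SIZE / objsize);
}

/* "Page allocator": pick a page this cache may turn into a slab. */
static int toy_alloc_slab_page(struct toy_pool *p, const struct toy_cache *c)
{
	for (int i = 0; i < TOY_NPAGES; i++) {
		if (p->in_use[i])
			continue;
		/* Without the policy any free page will do; with it, a page that
		 * ever belonged to another cache is off limits for good. */
		if (p->strict && p->owner[i] != -1 && p->owner[i] != c->id)
			continue;
		p->in_use[i] = 1;
		p->owner[i] = c->id;
		return i;
	}
	return -1;
}

static void *toy_cache_alloc(struct toy_pool *p, struct toy_cache *c)
{
	if (c->page < 0 || c->inuse == c->nobjs) {
		/* Need a fresh slab (a full old slab is simply left behind). */
		c->page = toy_alloc_slab_page(p, c);
		if (c->page < 0)
			return NULL;
		c->inuse = 0;
		memset(c->used, 0, sizeof(c->used));
	}
	for (int i = 0; i < c->nobjs; i++) {
		if (!c->used[i]) {
			c->used[i] = 1;
			c->inuse++;
			return &p->mem[c->page][i * c->objsize];
		}
	}
	return NULL;                 /* unreachable: inuse < nobjs above */
}

/* Free an object from the cache's current slab; an empty slab returns its page. */
static void toy_cache_free(struct toy_pool *p, struct toy_cache *c, void *obj)
{
	size_t off = (size_t)((unsigned char *)obj - p->mem[c->page]);

	c->used[off / c->objsize] = 0;
	c->inuse--;
	if (c->inuse == 0) {
		p->in_use[c->page] = 0;
		if (!p->strict)
			p->owner[c->page] = -1;   /* page is anyone's again */
		c->page = -1;
	}
}

/* Free a victim from cache A (keeping a dangling pointer), then spray cache B.
 * Returns 1 if a B object lands on the victim's address: the cross-cache attack. */
int toy_cross_cache_reuse(int strict)
{
	struct toy_pool pool;
	struct toy_cache a, b;

	toy_pool_init(&pool, strict);
	toy_cache_init(&a, 0, 16);   /* dedicated cache holding the victim */
	toy_cache_init(&b, 1, 32);   /* attacker-controlled objects, other size class */

	void *victim = toy_cache_alloc(&pool, &a);
	toy_cache_free(&pool, &a, victim);   /* slab empties, page goes back */

	for (int i = 0; i < TOY_NPAGES * (TOY_PAGE_SIZE / 32); i++) {
		void *spray = toy_cache_alloc(&pool, &b);
		if (spray == NULL)
			break;
		if (spray == victim)
			return 1;
	}
	return 0;
}

/* Same-cache reuse is untouched by the policy: A gets its own address back.
 * Returns 1 when the freed address is handed out again by cache A. */
int toy_same_cache_reuse(int strict)
{
	struct toy_pool pool;
	struct toy_cache a;

	toy_pool_init(&pool, strict);
	toy_cache_init(&a, 0, 16);
	void *victim = toy_cache_alloc(&pool, &a);
	toy_cache_free(&pool, &a, victim);
	return toy_cache_alloc(&pool, &a) == victim;
}

int main(void)
{
	printf("cross-cache reuse: plain=%d strict=%d\n",
	       toy_cross_cache_reuse(0), toy_cross_cache_reuse(1));
	printf("same-cache reuse:  plain=%d strict=%d\n",
	       toy_same_cache_reuse(0), toy_same_cache_reuse(1));
	return 0;
}
```

With the plain policy the freed page is the first one the spraying cache receives, so the first attacker object aliases the dangling pointer; with the strict policy the spray never touches that page and runs out of fresh pages instead. The same-cache case returns 1 under both policies, which is the point the cover letter makes about the remaining attack surface: the mitigation removes cross-cache reuse, not reuse within one cache.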