Date: Fri, 15 Sep 2023 14:07:10 -0700
From: Kees Cook
To: Matteo Rizzo
Cc: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, vbabka@suse.cz, roman.gushchin@linux.dev, 42.hyeyoo@gmail.com, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, corbet@lwn.net, luto@kernel.org, peterz@infradead.org, jannh@google.com, evn@google.com, poprdi@google.com, jordyzomer@google.com
Subject: Re: [RFC PATCH 08/14] security: introduce CONFIG_SLAB_VIRTUAL
Message-ID: <202309151407.2FD7F80B@keescook>
References: <20230915105933.495735-1-matteorizzo@google.com> <20230915105933.495735-9-matteorizzo@google.com>
In-Reply-To: <20230915105933.495735-9-matteorizzo@google.com>

On Fri, Sep 15, 2023 at 10:59:27AM +0000, Matteo Rizzo wrote:
> From: Jann Horn
>
> SLAB_VIRTUAL is a mitigation for the SLUB allocator which prevents reuse
> of virtual addresses across different slab caches and therefore makes
> some types of use-after-free bugs unexploitable.
>
> SLAB_VIRTUAL is incompatible with KASAN and we believe it's not worth
> adding support for it. This is because SLAB_VIRTUAL and KASAN are aimed
> at two different use cases: KASAN is meant for catching bugs as early as
> possible in debug/fuzz/testing builds, and it's not meant to be used in
> production. SLAB_VIRTUAL on the other hand is an exploit mitigation that
> doesn't attempt to highlight bugs but instead tries to make them
> unexploitable. It doesn't make sense to enable it in debugging builds or
> during fuzzing, and instead we expect that it will be enabled in
> production kernels.
>
> SLAB_VIRTUAL is not currently compatible with KFENCE, removing this
> limitation is future work.
>
> Signed-off-by: Jann Horn

Reviewed-by: Kees Cook

-- 
Kees Cook