From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 462B9C54798 for ; Thu, 7 Mar 2024 20:31:23 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id C82596B02A3; Thu, 7 Mar 2024 15:31:22 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id C32C56B02A4; Thu, 7 Mar 2024 15:31:22 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id AFA3D6B02A5; Thu, 7 Mar 2024 15:31:22 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id A174A6B02A3 for ; Thu, 7 Mar 2024 15:31:22 -0500 (EST) Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay05.hostedemail.com (Postfix) with ESMTP id 59E314126B for ; Thu, 7 Mar 2024 20:31:22 +0000 (UTC) X-FDA: 81871388004.05.A93F190 Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by imf07.hostedemail.com (Postfix) with ESMTP id 1EF674001B for ; Thu, 7 Mar 2024 20:31:18 +0000 (UTC) Authentication-Results: imf07.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=kvwRUTD3; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf07.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.179 as permitted sender) smtp.mailfrom=keescook@chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1709843480; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=td/qc1v+LcJcAxN8xi3WFcUXSnLHGt1lHwkmw1ZD0As=; b=NEDctvmHnbU8VvsCHe2RY+rF1t+3Cw8A4ertHzKEtMlzFEJVZIqKTvO5dTLEuSB76FX6OK qCVQR3vwRT38J0tv4sAn2n1CO7Dye3y0KG7E2egoR4/323eBso26r7kIGX9M6xr0x5IIDt QG5EaFZUn6SpmkCh0cjCjCNjWIfN4HU= ARC-Authentication-Results: i=1; imf07.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=kvwRUTD3; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf07.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.179 as permitted sender) smtp.mailfrom=keescook@chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1709843480; a=rsa-sha256; cv=none; b=Q0WUFHoCr0eP1ehCHpV0+xHVh74KYICFrx7O949RqBlZFQCEdLC/y9WxuE3OVAOEiPtdZT GtbBl7cklRg7Vojb5zvvQoD/dxRJnZIPLgevpFeniR9t98L5YAbB0jLsr54ADk9UhAMmqH uPSnn7Irlja+UcQhg5Qfh6V7xZSz5Nc= Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-1dd5df90170so6253025ad.0 for ; Thu, 07 Mar 2024 12:31:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1709843479; x=1710448279; darn=kvack.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=td/qc1v+LcJcAxN8xi3WFcUXSnLHGt1lHwkmw1ZD0As=; b=kvwRUTD3e6iSctjVhC23l72GAInfWaXqmJDHoX4YnmDxgaGoiX4k1tbPMApsjp3RE/ 0eeyogolOsdgmoHsSOWdAYr/vnZ/Nazdn3tKgz0tmh+V6ogIa+WCNY65QfIyslt5vWqf FaeepX/2ORQJQgsrBPewfwIerke4TCPFi2cDA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709843479; x=1710448279; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=td/qc1v+LcJcAxN8xi3WFcUXSnLHGt1lHwkmw1ZD0As=; b=TJ2k1IgZ/lq6U964Bsa/n6cuRnjgRSnPH71iF6OxkEnpE8tsuDUb43FJP8hrZdsZUH 56XYwe17/0qqomOpA/i7YU4hknaV7Na1lCeBGjUtS1BoKQ5rXxBL4UFL5PSX0pt+JAy0 OkIDjRFEBNRZ1QqcDbeZl7zC3jT48rZM6cV7PjvUYcLbYMbkMGtjwazQfkUt6jA1B5SR nIJGdroXrsB+WOR5QjisX7ozDsOAcPlsNlh84k0BkbIp0SSVm7xyog0R4otMboY8VK4u +c95QwpBEv3ILztDX8V7lrmmZiBeQJfjWzozEvA0CBovnQClx2TTKk/HVVf44V/vtyqT f9Mg== X-Forwarded-Encrypted: i=1; AJvYcCXUXP7+iFH3h5rzIRuAWYJ6vynuSgIhzJIr9YAqTJEBe+JnrzNQzXXiDomONojzOTr62XaTBvdGlE3r3vPvH2bYzZ4= X-Gm-Message-State: AOJu0Yx9n3ImcXgRqDlXfYhIcLUvp0SqPLQs97MLmdlU9lBboAR4obXy 7qBuQvQY5bNCxjSzLDvKbr2UlQ2EbLdtu3lO9zAZaE18n096IEBJvjyC106hbw== X-Google-Smtp-Source: AGHT+IHhycg/pXareFKjHDwHXtqmeBe85lRVxuPqPrSPkJ5nHJkgXlFDDbM6P1CA4nS+KS/ufBK3GA== X-Received: by 2002:a17:903:22cf:b0:1db:9ff1:b59b with SMTP id y15-20020a17090322cf00b001db9ff1b59bmr3493970plg.23.1709843479184; Thu, 07 Mar 2024 12:31:19 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id i9-20020a170902c94900b001dcc09487e8sm15044171pla.50.2024.03.07.12.31.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Mar 2024 12:31:18 -0800 (PST) Date: Thu, 7 Mar 2024 12:31:17 -0800 From: Kees Cook To: "GONG, Ruiqi" Cc: Vlastimil Babka , Andrew Morton , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, Xiu Jianfeng , Suren Baghdasaryan , Kent Overstreet , Jann Horn , Matteo Rizzo , linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH v2 0/9] slab: Introduce dedicated bucket allocator Message-ID: <202403071227.D29DE5F8C4@keescook> References: <20240305100933.it.923-kees@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 1EF674001B X-Rspam-User: X-Rspamd-Server: rspam05 X-Stat-Signature: st5jegriyk7nhu13qt3q7sw3hkweyxet X-HE-Tag: 1709843478-158716 X-HE-Meta: U2FsdGVkX1+TApBZHQlM3MI0f/CCg0Fxyx/5BVb8Lq6Qpjg0Gp5r5+Li9K/TDUCdbkwxV6DxTyO+OCwE22y+o8ZR0j/BBgC6fi4dVv2lDcq+9cYPgEvthG+A1eid0nrOhIKRQdCikaypKei9YFf6WSZATKF7N86RmEwr7ObSFHYgtcl49vfcy1fHZeKOB+A9uiof8L2pqZ9IocDBa8MMEj+TAGcUinV1Mk5zSjSIyNF5IUrU6tk8R4j+vy0qwwfR7eZHFarwj3DT7shoFYa8K48ElTWqg1QQ05axhLonjaVy96VNY6Z/Qm7K5x1YjUKmlCdMqYTS8FJ7NXi1cAnR7JTmUzkOl1zFVeT8FbyhY/U6gl41ZMsXBBdWqdwC5tAos6ENCa6GLUN5ZN0k+sZtTE88mOb8badARIuAvS7I8pzBJlbJz3w+boIUzlyYSBElF1hYI7ZI7UAusDVPFkSAWdrIJBDWlEYtS+daNRV6tZg85q4LLELFLlZOY1rHCRrcjBlcLp+9fsdyrpCzfYm3HApUc13BcG2miiEb4x+3T5sOc9gJ0ouPTH7zomqAPzhzKhazyGbEf1goKXA2xUm6TUrOmmo0NV6+XaONS6ntf5H/yEHoh/GGMw50GDQl8CTT9o/DZIZYbfDCNYB+zThtLiEfth9Lm7Ox63QdAHtSt+HifIbmzyqbLQtEF3ZJ9c4l/22a6TTnWd1I3f5/8oZcup6s+mHTvnG/RseqJnWh5hHdvCq9QEef8Xl+m3ZjWAzJ1+8yRjAOD18XLmkFhMhYgkoFPwi7RoG6UyJji/SUObBgsVVhFHAQ/TzvW41ixqGZaW9YRcMtAP4kVqbnxaKgceo6O7lH2R0pYYK5eSzNHNQf0uAB9j70n2ptEYL2Qu0UDoKFUGQXCppg0G7g0eE5mtuBlmfo/8g0Odhn5m8BbYjqs91Ey8N0c/bKiJGQNdZ4MNu3D51ovC+FXQXNbTR 2VWMmY4Y unC3U1swATOwwSu4BNoQezTM57LG1qtOEjAZWE7W/9Ja4g5C8VtEEhdV6Gxor0/0PQE4/NEcco6upU6K++at0e5qKwIh4KwgAuR031e1M0z7+UOp1QsM4XIrcEteNzz8UsC6u584hrJCCEHdGtvOY2/5GtcrPkWvn+nf/25P/d2pZ0wpOENLTUw7jMsMk7/IhXa3dnfEgPChpeQeC9zgckWlJ9VZi5FNS34gRIgcmzEpue1QamLUql54NQN37ENYyO9+jhgHdsk3bUcB6CdpmpzpAB3Bx6wXUNgDBUzCtU5SDT7JtTvcLyf+4AjKhz66MlgMiB1YQhd79OZ8R/ppR/owh1gNSSS1UhwKp+QMJBnLamsYrxn41Ba3iSLeQ/8jKJMuMfFf0EhgaVGGAHHWSI80h0FrGJDUGsoepETBgI6NZzOs= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000001, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Wed, Mar 06, 2024 at 09:47:36AM +0800, GONG, Ruiqi wrote: > > > On 2024/03/05 18:10, Kees Cook wrote: > > Hi, > > > > Repeating the commit logs for patch 4 here: > > > > Dedicated caches are available For fixed size allocations via > > kmem_cache_alloc(), but for dynamically sized allocations there is only > > the global kmalloc API's set of buckets available. This means it isn't > > possible to separate specific sets of dynamically sized allocations into > > a separate collection of caches. > > > > This leads to a use-after-free exploitation weakness in the Linux > > kernel since many heap memory spraying/grooming attacks depend on using > > userspace-controllable dynamically sized allocations to collide with > > fixed size allocations that end up in same cache. > > > > While CONFIG_RANDOM_KMALLOC_CACHES provides a probabilistic defense > > against these kinds of "type confusion" attacks, including for fixed > > same-size heap objects, we can create a complementary deterministic > > defense for dynamically sized allocations. > > > > In order to isolate user-controllable sized allocations from system > > allocations, introduce kmem_buckets_create(), which behaves like > > kmem_cache_create(). (The next patch will introduce kmem_buckets_alloc(), > > which behaves like kmem_cache_alloc().) > > So can I say the vision here would be to make all the kernel interfaces > that handles user space input to use separated caches? Which looks like > creating a "grey zone" in the middle of kernel space (trusted) and user > space (untrusted) memory. I've also thought that maybe hardening on the > "border" could be more efficient and targeted than a mitigation that > affects globally, e.g. CONFIG_RANDOM_KMALLOC_CACHES. I think it ends up having a similar effect, yes. The more copies that move to memdup_user(), the more coverage is created. The main point is to just not share caches between different kinds of allocations. The most abused version of this is the userspace size-controllable allocations, which this targets. The existing caches (which could still be used for type confusion attacks when the sizes are sufficiently similar) have a good chance of being mitigated by CONFIG_RANDOM_KMALLOC_CACHES already, so this proposed change is just complementary, IMO. -Kees -- Kees Cook