From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2050BC25B7E for ; Fri, 31 May 2024 16:37:54 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id AA40D6B0088; Fri, 31 May 2024 12:37:53 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id A54556B00A4; Fri, 31 May 2024 12:37:53 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 943216B00A5; Fri, 31 May 2024 12:37:53 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 70C9F6B00A4 for ; Fri, 31 May 2024 12:37:53 -0400 (EDT) Received: from smtpin21.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 20813C0CAB for ; Fri, 31 May 2024 16:37:53 +0000 (UTC) X-FDA: 82179247626.21.928E3CC Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf02.hostedemail.com (Postfix) with ESMTP id 6C05B8000C for ; Fri, 31 May 2024 16:37:51 +0000 (UTC) Authentication-Results: imf02.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=pbx5tB6E; spf=pass (imf02.hostedemail.com: domain of kees@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=kees@kernel.org; dmarc=pass (policy=none) header.from=kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1717173471; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=33MHHLTJREug+TTI0KZHUd38g5DKZGNzZ4g1aOsrLK8=; b=qH/wJSRy/qHncJWR7RLs6RpK82JgcufTgGZneJesQ+wwJwQ+/PyRD2G309G4j8FyRhJsFf GyVfu9PPUxbj2J7GdVNmUBPWjvzRDSUZiZ5QJsXPkYr2d3FfvIxdgxOV+y2cJniInS+QsJ p2nsYVPcer3ftiVbFz9UIJS5O5nhYxs= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1717173471; a=rsa-sha256; cv=none; b=M8sQYoZ8/T8l6ZO86NH10DIldUaXFXdiXy61s3lPaUsfhxGGZiXx7r8SH24MpzPA3HeuOS TgqfcZBo0Y/sFngAKRZtV55sN21nsIxsEPRckYaAHF//rFXC5cPSA0iyE0f2UfTxH1YxyN qIen+/Mbl9LNzNmlTt66DdfAYqM0RJE= ARC-Authentication-Results: i=1; imf02.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=pbx5tB6E; spf=pass (imf02.hostedemail.com: domain of kees@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=kees@kernel.org; dmarc=pass (policy=none) header.from=kernel.org Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 4BD3662AF8; Fri, 31 May 2024 16:37:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id EB5EAC116B1; Fri, 31 May 2024 16:37:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1717173470; bh=yJj+uTKHabFp9ExqWi8oH1v5GAHx4lefIOwY+fHlkHM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=pbx5tB6EjU8+CQhUNFFeLFjkG6M4wf7N1ZqBBfLq34zjyuW3Q9dzlO310MNFIqwdW BVI0NbqZQBJeT7JNfabPA9WPA0ssc377p6MAh54bu75FD6S2zbqla569thgaFQ5ZGG RT/LWTZU+podZE/cBP+kBG+/Ne1q/Zga+E5AAtUk8m2UpcxN7umEYpZyWpvIz3+OeB BJZ1+fk9pAF6gs5E9k9hIOY+fqMSRCWXz5/7ctlKHYxt0E0L1o7wSzq9juCJgOjrcL 4j52ZL+o/Fudtohd6jUmHask27nHWgPyjXlu8oTQJPjfq7F+pExslZ8UaIZMWOjBrH bX/3M+xxfgaCw== Date: Fri, 31 May 2024 09:37:49 -0700 From: Kees Cook To: Vlastimil Babka Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-mm@kvack.org, "GONG, Ruiqi" , Xiu Jianfeng , Suren Baghdasaryan , Kent Overstreet , Jann Horn , Matteo Rizzo , Thomas Graf , Herbert Xu , julien.voisin@dustri.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH v3 4/6] mm/slab: Introduce kmem_buckets_create() and family Message-ID: <202405310932.B47B632@keescook> References: <20240424213019.make.366-kees@kernel.org> <20240424214104.3248214-4-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 6C05B8000C X-Rspam-User: X-Stat-Signature: btztm7cpya1ks5dkm5eeqwm8a59fdh5k X-HE-Tag: 1717173471-121513 X-HE-Meta: U2FsdGVkX1+enR0xbPPYHeZgTBY1Gpl33AyQPKyhIg1IcZtpDSzyLRYZIKDcTXXuBcEbVfNz9aDKI6kPsc3A7ST8pXySEUVZcEPknloaYT6mXziel3LZoc63qze3J66Wfj1smeNhnxJliCAco+kDJiJXObjVIISae7wgEdH0qPv+H+aHuRHx+mUmOVF8bR2B9fHFpLJYUhBmTM4gbKyHKCGhpxMB80kS1eKGesr4H19uFrg//rxFMhvO5nPmFXHdwGu6Mncssi6M2pBjitzPGMoPQVxGmO0N+EMO2Iw7jkMcvzMvqviqcudB3tgOePGSi/nte2GVLNan/utUO+cyhAeRIjWnCgjkzOW1MWqCiXrskEsWtFw1qX9HTspm5ASqSlHZJgqfwkgRz2yiKCBuSI6+9DhPKje/2pSG42i9y7heB/kjYUVNjSjU0Jav3AQsL7pHFWlnO2B9rAMoiD23ZigD+Ibdqj3ZQMiKP1IURCEJKosF65iS42uRj4f5zddxkOLw8ugxgOlCISRHpqDCm6zbJvWQR/54Qt6Qo6qknqp3g3A9cOOaF2I6WtL8vZ7Re2MKndpR/0jNhuuVsB9J6pZxz90XQvyLnpa/jMZZF7kPL4dgmUXHVyZMhvaOqxJc7BK+mTGOJ5vcUiF4sXyjx1pzazAlnvAQDZRtbZCqr729wL8YUsXniZhEHENOkY+N4HzD28vi5L7D9bgT9hxWX4c29U3jY2678+oOAzVd+l0HeBIVEgW+vpwXRxWfTv4t38rIPFOeBI8mEoyNV8OIUz3eLmgxcNScs9PQQYVWZBKbRsdCnrtDirWUoQ1uBvPPzoyVHX0fhwOJ2rKEj0zRV+l7S7iVfkcfXony95JlJJNYHum+QwtREXaMjUJmBKr24hWGgBso1A/q6iNG8xRAZLRVqXwYH3opqDCkXA1sfEMdHiamS5Ahj/GnjMrG6/LNnfBzSFnIDNNX419orFk LfjVbYll WNIR7hBA5loqpAHjSqokemzMnVP0ma4k2a9djNLbv5cDN044bJ5HX9xjMOOxLRxkZFnfYUeFyxGTLGLHXxBE4k52JEvGRqUo+GoxzmyRvEBXTauDzeeY57+yk/BxLqP8x7vhoeDKx5kX4fNmk/g8AV7jE4mRRbRPpGBWdeRhg9ivNJJBXTRrQlEsMFykGEXmlQ2dSLgtrJ4yvY+b5kXUsrJ9lSD+dC7Yy8g2B9a93i8BZBR9QIhgBqhFb+MDZmTpfvNH7MSNI6MZKBysWDHARcDQPnlV31QtfRTvmSmBRwVszE5QTsN4scNuacok2duTSq8ck6xCAI6UXIvKPMOJYH5wJwXvoc+xzecYRIPHpQvjbPG47ZEFsXjeHp18Lk9Dd/XpS9cU1UciYMG23ELB8kCJKRoXwN/4pC46vcD2WI/mtbMhBqkpLgekkqoBWk6lW9pHOaUDq3IQS+xVC7AqsnnK/bjKnZHEKbDtrqxZxR6qIXXhrC/yq7Ituq81xu9yyOHXR2I9xIitSGKTaOmhd79tH1A== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Fri, May 24, 2024 at 03:43:33PM +0200, Vlastimil Babka wrote: > On 4/24/24 11:41 PM, Kees Cook wrote: > > Dedicated caches are available for fixed size allocations via > > kmem_cache_alloc(), but for dynamically sized allocations there is only > > the global kmalloc API's set of buckets available. This means it isn't > > possible to separate specific sets of dynamically sized allocations into > > a separate collection of caches. > > > > This leads to a use-after-free exploitation weakness in the Linux > > kernel since many heap memory spraying/grooming attacks depend on using > > userspace-controllable dynamically sized allocations to collide with > > fixed size allocations that end up in same cache. > > > > While CONFIG_RANDOM_KMALLOC_CACHES provides a probabilistic defense > > against these kinds of "type confusion" attacks, including for fixed > > same-size heap objects, we can create a complementary deterministic > > defense for dynamically sized allocations that are directly user > > controlled. Addressing these cases is limited in scope, so isolation these > > kinds of interfaces will not become an unbounded game of whack-a-mole. For > > example, pass through memdup_user(), making isolation there very > > effective. > > > > In order to isolate user-controllable sized allocations from system > > allocations, introduce kmem_buckets_create(), which behaves like > > kmem_cache_create(). Introduce kmem_buckets_alloc(), which behaves like > > kmem_cache_alloc(). Introduce kmem_buckets_alloc_track_caller() for > > where caller tracking is needed. Introduce kmem_buckets_valloc() for > > cases where vmalloc callback is needed. > > > > Allows for confining allocations to a dedicated set of sized caches > > (which have the same layout as the kmalloc caches). > > > > This can also be used in the future to extend codetag allocation > > annotations to implement per-caller allocation cache isolation[1] even > > for dynamic allocations. > > > > Memory allocation pinning[2] is still needed to plug the Use-After-Free > > cross-allocator weakness, but that is an existing and separate issue > > which is complementary to this improvement. Development continues for > > that feature via the SLAB_VIRTUAL[3] series (which could also provide > > guard pages -- another complementary improvement). > > > > Link: https://lore.kernel.org/lkml/202402211449.401382D2AF@keescook [1] > > Link: https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html [2] > > Link: https://lore.kernel.org/lkml/20230915105933.495735-1-matteorizzo@google.com/ [3] > > Signed-off-by: Kees Cook > > So this seems like it's all unconditional and not depending on a config > option? I'd rather see one, as has been done for all similar functionality > before, as not everyone will want this trade-off. Okay, sure, I can do that. Since it was changing some of the core APIs to pass in the target buckets (instead of using the global buckets), it seemed less complex to me to just make the simple changes unconditional. > Also AFAIU every new user (patches 5, 6) will add new bunch of lines to > /proc/slabinfo? And when you integrate alloc tagging, do you expect every Yes, that's true, but that's the goal: they want to live in a separate bucket collection. At present, it's only two, and arguable almost everything that the manual isolation provides should be using the mem_from_user() interface anyway. > callsite will do that as well? Any idea how many there would be and what > kind of memory overhead it will have in the end? I haven't measured the per-codetag-site overhead, but I don't expect it to have giant overhead. If the buckets are created on demand, it should be small. But one step at a time. This provides the infrastructure needed to immediately solve the low-hanging exploitable fruit and to pave the way for the per-codetag-site automation. -Kees -- Kees Cook