From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id F0395C2BA1A for ; Thu, 20 Jun 2024 18:54:34 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 64ED08D00D7; Thu, 20 Jun 2024 14:54:34 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 5FF8B8D00D5; Thu, 20 Jun 2024 14:54:34 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 478158D00D7; Thu, 20 Jun 2024 14:54:34 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 2B93A8D00D5 for ; Thu, 20 Jun 2024 14:54:34 -0400 (EDT) Received: from smtpin26.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id C693CC0514 for ; Thu, 20 Jun 2024 18:54:33 +0000 (UTC) X-FDA: 82252168026.26.B34953E Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf19.hostedemail.com (Postfix) with ESMTP id 1E4061A0015 for ; Thu, 20 Jun 2024 18:54:31 +0000 (UTC) Authentication-Results: imf19.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=Gp6eNAqI; spf=pass (imf19.hostedemail.com: domain of kees@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=kees@kernel.org; dmarc=pass (policy=none) header.from=kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1718909663; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=fDMBjNdkhjuhlm/R2b8F4oKEqA4BvcFXTHaXzlfXms4=; b=nLx9IEF1l3OG+noR0Zt4xh5QwTFqBqmJzY2ZKldStEZIOS47oiBAKil2XcYFhk1UfzN+Gr A3+gWXj+fic9MlTYzwwt3UwXRaYTEkeCfjO0DDDbCXKLlkCqODY6lXZX2PUJXyUHQULPWT C4uLhXGsMGMUxSp9ha2GsKLrKWgAhj8= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1718909663; a=rsa-sha256; cv=none; b=NO8pDdxXGdZCHQfn15MwqRnRqBS732PBGa7YYj2ogNW4aHZw6LeoWoaSgDB978PhEC5ET3 JfqszO9pxJDMj28VCaYfE4ccLzAe8nHSiu8i46GjEmrRPqqi6htiTgncJbpnHHpCDPKz6l 97ATbCu1JN9tqs9BQnDXu/tk4fgvjqo= ARC-Authentication-Results: i=1; imf19.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=Gp6eNAqI; spf=pass (imf19.hostedemail.com: domain of kees@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=kees@kernel.org; dmarc=pass (policy=none) header.from=kernel.org Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 3F05262287; Thu, 20 Jun 2024 18:54:31 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DC2D7C32786; Thu, 20 Jun 2024 18:54:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1718909670; bh=irInUIXYcnVbTI7ZN+P72B/uLw4QMucaS01AdF/42Eg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Gp6eNAqIPyGLiPbiV0Qu6r4RvLzCvXDfeHg1l5u6Lj4fqtpVlopL4Wo/Tw3gTVhp2 c1WUHBMwKI1oqSfGKEI5k86f0alIltlVgu22U34GIPD6OvhpklgaONTjuHKiJY/u2p SpvL/g+/zSYsKOnbS2FiVkBbohNE+/W+C/sTc68FGqDY7wNIWoUrUn2xAFkZof4hN7 GOdJA8+hRTgIf8VX50MsQ8d91l7S5N58nyR1k932gRhNcHx0tBCyVY25mJm3D2iliu Xnuz3P5/gBez+6LWP0Nt8UFYr1octCbPQwL/Z1malrMErf/VaholdctTl/xtow5SaI pzlxFCLAb3uhw== Date: Thu, 20 Jun 2024 11:54:30 -0700 From: Kees Cook To: Vlastimil Babka Cc: "GONG, Ruiqi" , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , jvoisin , Andrew Morton , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, Xiu Jianfeng , Suren Baghdasaryan , Kent Overstreet , Jann Horn , Matteo Rizzo , Thomas Graf , Herbert Xu , linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org, netdev@vger.kernel.org Subject: Re: [PATCH v5 4/6] mm/slab: Introduce kmem_buckets_create() and family Message-ID: <202406201147.8152CECFF@keescook> References: <20240619192131.do.115-kees@kernel.org> <20240619193357.1333772-4-kees@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspam-User: X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 1E4061A0015 X-Stat-Signature: h6za1heoe5edbpbjdjpk3tn3fqdkmyjd X-HE-Tag: 1718909671-497910 X-HE-Meta: U2FsdGVkX1+mFYsvNHgzeEShCtOSacwEHKQYaB994XaRYkLkFMOzjqdst8dAJwsBwpcKloCplNpk7iAaLl2t5OIQ7TBbxNMvgtG9E/HHvyBfGRS7zb6SDyriYHr7zwTI/NjtuNx7BkoEFPrRUvWUeHDbjqVFGNreE9fpnHqNbvOTDmtyN/+mQkGOhJ24S/EhRjxUMQifEe7gjXGbH6VeEp6vlTHgynOTkE4bXk4oiuwwjesW8paOKUHA1skubQWAhvEM+JRGLVR9sBtPpV20druXA1JXNuAb50am2qPC0zpR7V6h6Tt33unZyIikmY1JLq/CfVvjHc1yENRGLQ/YSp+4CI05ztu43136BhGSQ879InA9hGXpuLA++rondaC+H+TC+q9v3qDBfEPCJr8pxfcxGa129HsZeyKz8G9yCX8eGSk6wyA1kRT8yFUR+C+2WQqL6OtbpzTmsnsdsuVoXR4kQucTYkDC24WGnDOLtwBEUxilNmCbVMmJ2DVNUxmR1rcnLpYm/7YqTff5XqnLfJRsb3QSP4SH5h4oq0MpVNDb5eUyvsPNzzHq6JhVqF8+bI2XLXCo/6Cho6+YvRYG0pIestPzG5Lk+kuFHz1Rwk3FT+Jjl4VYRipmaOs5RS9W6IYnc6/KulxapJ/BvUJN5xqtNkSzOJ6bVCw4ZshmdlqW5f/D8tm4EL7j1+wINQ4wZ9Y//x4ByASCqPhpeALDHCLIhArE2q9wE7tgcNhYvYkRWWa6tQPrw99zpMOpqQnDppBV/Ux2Ft6F7AIz5qtvOtMUM7gyUc8h/2hH+pWcBjaZu161YcLrlwJ/WHEo7fKjKYbDZ9+0zhqqi6U7liM/NigtXlyYK70181f9/xiSExGrW9ZiB3bG44YIEqKVvE1R+rsFVSDDmvxN6AymBXR8uNvdAmyLWNnwcHs+QTEY9ndgp8CsbTEAhY2mwZSz7kAEI430p4+CqPW2F7SQRYa ufXCQpyO CE5E4WFh2qa9mfyGx/zHUqMG3ouA3WQBZZ45KJbdz+HTw0drS0ZR7Gj4AC2BOg4vGBRGJ0YZlgm2Av0EkL7wxIMVpWVYfFBQkQELZpH6CT4pzSSNyRUPVCTwCuo93N9hZ8Ic5rtQ52+0+miy/b+mJrYgulm431fezguZtn9JsVvexkD6zwFkOPmh2WUt/FouJnxmUkUogtE0TixfIGSpK0M7MF95FPdl14Pyi5vXPAc4z25qDOZNmg7FBLj99ntXsT6X1TPLRQOOOaW3w4ROUmA/LRcsjIXSw/2SjHFHV2rrAGjP1UbLrjKf93WWOM/kjLoDKDpNZ8d2abImDw48Mclh9lGuI1u/DM5FO0vpESIbmg3FoDfpUUYhHeBiTtn6EcDM49bVsECEAuQN71ldtfTzIieBph0+i0rE8IVnFUgcGZtge5k+FZ9pMK/+17NJsNcCrJ3h3j/EmZVbRqirGzS7x24MIKrpbNqdBt8BnrCEomvFdFTuOdFQjPbyCS4UJhsDB X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, Jun 20, 2024 at 03:56:27PM +0200, Vlastimil Babka wrote: > On 6/19/24 9:33 PM, Kees Cook wrote: > > Dedicated caches are available for fixed size allocations via > > kmem_cache_alloc(), but for dynamically sized allocations there is only > > the global kmalloc API's set of buckets available. This means it isn't > > possible to separate specific sets of dynamically sized allocations into > > a separate collection of caches. > > > > This leads to a use-after-free exploitation weakness in the Linux > > kernel since many heap memory spraying/grooming attacks depend on using > > userspace-controllable dynamically sized allocations to collide with > > fixed size allocations that end up in same cache. > > > > While CONFIG_RANDOM_KMALLOC_CACHES provides a probabilistic defense > > against these kinds of "type confusion" attacks, including for fixed > > same-size heap objects, we can create a complementary deterministic > > defense for dynamically sized allocations that are directly user > > controlled. Addressing these cases is limited in scope, so isolating these > > kinds of interfaces will not become an unbounded game of whack-a-mole. For > > example, many pass through memdup_user(), making isolation there very > > effective. > > > > In order to isolate user-controllable dynamically-sized > > allocations from the common system kmalloc allocations, introduce > > kmem_buckets_create(), which behaves like kmem_cache_create(). Introduce > > kmem_buckets_alloc(), which behaves like kmem_cache_alloc(). Introduce > > kmem_buckets_alloc_track_caller() for where caller tracking is > > needed. Introduce kmem_buckets_valloc() for cases where vmalloc fallback > > is needed. > > > > This can also be used in the future to extend allocation profiling's use > > of code tagging to implement per-caller allocation cache isolation[1] > > even for dynamic allocations. > > > > Memory allocation pinning[2] is still needed to plug the Use-After-Free > > cross-allocator weakness, but that is an existing and separate issue > > which is complementary to this improvement. Development continues for > > that feature via the SLAB_VIRTUAL[3] series (which could also provide > > guard pages -- another complementary improvement). > > > > Link: https://lore.kernel.org/lkml/202402211449.401382D2AF@keescook [1] > > Link: https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html [2] > > Link: https://lore.kernel.org/lkml/20230915105933.495735-1-matteorizzo@google.com/ [3] > > Signed-off-by: Kees Cook > > --- > > include/linux/slab.h | 13 ++++++++ > > mm/slab_common.c | 78 ++++++++++++++++++++++++++++++++++++++++++++ > > 2 files changed, 91 insertions(+) > > > > diff --git a/include/linux/slab.h b/include/linux/slab.h > > index 8d0800c7579a..3698b15b6138 100644 > > --- a/include/linux/slab.h > > +++ b/include/linux/slab.h > > @@ -549,6 +549,11 @@ void *kmem_cache_alloc_lru_noprof(struct kmem_cache *s, struct list_lru *lru, > > > > void kmem_cache_free(struct kmem_cache *s, void *objp); > > > > +kmem_buckets *kmem_buckets_create(const char *name, unsigned int align, > > + slab_flags_t flags, > > + unsigned int useroffset, unsigned int usersize, > > + void (*ctor)(void *)); > > I'd drop the ctor, I can't imagine how it would be used with variable-sized > allocations. I've kept it because for "kmalloc wrapper" APIs, e.g. devm_kmalloc(), there is some "housekeeping" that gets done explicitly right now that I think would be better served by using a ctor in the future. These APIs are variable-sized, but have a fixed size header, so they have a "minimum size" that the ctor can still operate on, etc. > Probably also "align" doesn't make much sense since we're just > copying the kmalloc cache sizes and its implicit alignment of any > power-of-two allocations. Yeah, that's probably true. I kept it since I wanted to mirror kmem_cache_create() to make this API more familiar looking. > I don't think any current kmalloc user would > suddenly need either of those as you convert it to buckets, and definitely > not any user converted automatically by the code tagging. Right, it's not needed for either the explicit users nor the future automatic users. But since these arguments are available internally, there seems to be future utility, it's not fast path, and it made things feel like the existing API, I'd kind of like to keep it. But all that said, if you really don't want it, then sure I can drop those arguments. Adding them back in the future shouldn't be too much churn. -- Kees Cook