From: Jann Horn
Date: Fri, 25 Aug 2023 23:22:03 +0200
Subject: Re: Kernel hardening project suggestion: Normalizing ->ctor slabs and TYPESAFE_BY_RCU slabs
To: Kernel Hardening
Cc: Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Linux-MM, Andrey Konovalov, Dmitry Vyukov, Will Deacon, kasan-dev, Kees Cook, Alexander Potapenko, Marco Elver
On Tue, Jun 23, 2020 at 8:26 AM Jann Horn wrote:
> Here's a project idea for the kernel-hardening folks:
>
> The slab allocator interface has two features that are problematic for
> security testing and/or hardening:
>
> - constructor slabs: These things come with an object constructor
> that doesn't run when an object is allocated, but instead when the
> slab allocator grabs a new page from the page allocator. This is
> problematic for use-after-free detection mechanisms such as HWASAN and
> Memory Tagging, which can only do their job properly if the address of
> an object is allowed to change every time the object is
> freed/reallocated. (You can't change the address of an object without
> reinitializing the entire object because e.g. an empty list_head
> points to itself.)
>
> - RCU slabs: These things basically permit use-after-frees by design,
> and stuff like ASAN/HWASAN/Memory Tagging essentially doesn't work on
> them.
>
>
> It would be nice to have a config flag or so that changes the SLUB
> allocator's behavior such that these slabs can be instrumented
> properly. Something like:
>
> - Let calculate_sizes() reserve space for an rcu_head on each object
> in TYPESAFE_BY_RCU slabs, make kmem_cache_free() redirect to
> call_rcu() for these slabs, and remove most of the other
> special-casing, so that KASAN can instrument these slabs.

I've implemented this first part now and sent it out for review:
https://lore.kernel.org/lkml/20230825211426.3798691-1-jannh@google.com/T/

> - For all constructor slabs, let slab_post_alloc_hook() call the
> ->ctor() function on each allocated object, so that Memory Tagging and
> HWASAN will work on them.
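To make the quoted list_head argument concrete, here is a userspace toy model, added here and not code from the kernel or from the posted series, of an allocator that gives every allocation a fresh pointer tag the way HWASAN or memory tagging would; the tag layout, the four-object "page" and all names (tagged_ptr, slab_alloc, self_pointer_survives, ...) are inventions for the illustration.

```c
#include <stdint.h>
/* Toy model (added example, not kernel code; names invented): pointers
 * carry a 4-bit tag in bits 56..59, as an MTE/HWASAN-style allocator
 * assigns, and a dereference is valid only if the pointer's tag matches
 * the tag the allocator currently holds for that object. */
#define TAG_SHIFT 56
#define ADDR_MASK ((1ULL << TAG_SHIFT) - 1)
#define NOBJ 4
_Static_assert(sizeof(uintptr_t) == 8, "model assumes 64-bit pointers");

struct list_head { uintptr_t next, prev; };     /* hold tagged addresses */
struct obj { struct list_head list; int payload; };
static struct obj pool[NOBJ];        /* the slab "page" */
static unsigned char cur_tag[NOBJ];  /* tag currently assigned per slot */
static int in_use[NOBJ];

static uintptr_t tagged_ptr(int i) { return (uintptr_t)&pool[i] | ((uintptr_t)cur_tag[i] << TAG_SHIFT); }
static int slot_of(uintptr_t p) { return (int)((struct obj *)(p & ADDR_MASK) - pool); }
/* The check tagged-memory hardware performs on every load or store. */
static int tag_ok(uintptr_t p) { return (p >> TAG_SHIFT) == cur_tag[slot_of(p)]; }

/* ->ctor(): an empty list_head points to itself, using the tag current now. */
static void obj_ctor(int i) { pool[i].list.next = pool[i].list.prev = tagged_ptr(i); }

/* Constructor slab as today: ctor runs once, when the page is grabbed. */
static void slab_new_page(void) {
    for (int i = 0; i < NOBJ; i++) { cur_tag[i] = 1; in_use[i] = 0; obj_ctor(i); }
}
/* Allocation retags the slot; ctor_on_alloc models the proposed
 * slab_post_alloc_hook() change of calling ->ctor() on each allocation. */
static uintptr_t slab_alloc(int ctor_on_alloc) {
    for (int i = 0; i < NOBJ; i++) if (!in_use[i]) {
        in_use[i] = 1;
        cur_tag[i] = (unsigned char)(cur_tag[i] % 15 + 1);  /* fresh nonzero tag */
        if (ctor_on_alloc) obj_ctor(i);
        return tagged_ptr(i);
    }
    return 0;
}
static void slab_free(uintptr_t p) { in_use[slot_of(p)] = 0; }

/* Alloc, free and reallocate the same slot, then follow list.next as
 * list_empty() would; returns 1 if that dereference passes the tag check. */
static int self_pointer_survives(int ctor_on_alloc) {
    slab_new_page();
    uintptr_t p = slab_alloc(ctor_on_alloc);
    slab_free(p);
    p = slab_alloc(ctor_on_alloc);
    return tag_ok(((struct obj *)(p & ADDR_MASK))->list.next);
}
```

With the ctor run only at page grab, the self-pointer it stored carries the tag of that moment, so the first list walk after a retag trips the tag check; running ->ctor() from the allocation path restores the invariant.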