From: Jann Horn
Date: Tue, 23 Jun 2020 08:26:05 +0200
Subject: Kernel hardening project suggestion: Normalizing ->ctor slabs and TYPESAFE_BY_RCU slabs
To: Kernel Hardening
Cc: Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Linux-MM, Andrey Konovalov, Dmitry Vyukov, Will Deacon

Hi!

Here's a project idea for the kernel-hardening folks:

The slab allocator interface has two features that are problematic for security testing and/or hardening:

- constructor slabs: These things come with an object constructor that doesn't run when an object is allocated, but instead when the slab allocator grabs a new page from the page allocator. This is problematic for use-after-free detection mechanisms such as HWASAN and Memory Tagging, which can only do their job properly if the address of an object is allowed to change every time the object is freed/reallocated. (You can't change the address of an object without reinitializing the entire object because e.g. an empty list_head points to itself.)

- RCU slabs: These things basically permit use-after-frees by design, and stuff like ASAN/HWASAN/Memory Tagging essentially doesn't work on them.

It would be nice to have a config flag or so that changes the SLUB allocator's behavior such that these slabs can be instrumented properly. Something like:

- Let calculate_sizes() reserve space for an rcu_head on each object in TYPESAFE_BY_RCU slabs, make kmem_cache_free() redirect to call_rcu() for these slabs, and remove most of the other special-casing, so that KASAN can instrument these slabs.

- For all constructor slabs, let slab_post_alloc_hook() call the ->ctor() function on each allocated object, so that Memory Tagging and HWASAN will work on them.
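The list_head argument above, as an added user-space illustration (not kernel code and not part of the original mail): a ctor that self-links a list_head once at "page grab" time leaves a stale self-pointer when an allocator hands the object out at a different address, and re-running the ctor from the allocation path (the slab_post_alloc_hook() proposal) repairs it. The list_head, obj and obj_ctor definitions are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }
static int list_empty(const struct list_head *l) { return l->next == l; }

/* A constructed slab object type: an id plus an embedded list node. */
struct obj { int id; struct list_head node; };

/* What a slab ->ctor does: initialise the object once, in place. */
static void obj_ctor(void *p) { struct obj *o = p; o->id = 0; INIT_LIST_HEAD(&o->node); }

/* Two slots modelling two addresses a tagging allocator might hand out
 * for the "same" object across a free/realloc cycle. */
static struct obj slot_a, slot_b;

/* Ctor ran at page-grab time for slot_a; the object is then handed out at
 * slot_b without re-running it. Returns list_empty() at the new address. */
static int relocate_without_ctor(void)
{
    obj_ctor(&slot_a);                         /* one-time ctor at "page grab" */
    memcpy(&slot_b, &slot_a, sizeof slot_b);   /* object now lives at slot_b */
    return list_empty(&slot_b.node);           /* 0: next still points at slot_a.node */
}

/* Same relocation, but the ctor is re-run from the allocation path,
 * as the proposed slab_post_alloc_hook() change would do. */
static int relocate_with_post_alloc_ctor(void)
{
    obj_ctor(&slot_a);
    memcpy(&slot_b, &slot_a, sizeof slot_b);
    obj_ctor(&slot_b);                         /* reinitialise at the new address */
    return list_empty(&slot_b.node);           /* 1: self-link is consistent again */
}

int main(void)
{
    printf("ctor only at page grab:   list_empty=%d\n", relocate_without_ctor());
    printf("ctor re-run on allocation: list_empty=%d\n", relocate_with_post_alloc_ctor());
    return 0;
}
```

The stale next/prev pointers in the first case are exactly what a detector that moves objects on free/realloc would have to cope with; KASAN-style tooling cannot fix them without the ctor being re-run.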