Date: Tue, 5 Mar 2024 08:16:30 +1100
From: Dave Chinner
To: Kees Cook
Cc: Vlastimil Babka, Christian Brauner, Alexander Viro, Jan Kara, linux-fsdevel@vger.kernel.org, "GONG, Ruiqi", Xiu Jianfeng, Suren Baghdasaryan, Kent Overstreet, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 3/4] xattr: Use dedicated slab buckets for setxattr()
References: <20240304184252.work.496-kees@kernel.org> <20240304184933.3672759-3-keescook@chromium.org>
In-Reply-To: <20240304184933.3672759-3-keescook@chromium.org>
On Mon, Mar 04, 2024 at 10:49:31AM -0800, Kees Cook wrote:
> The setxattr() API can be used for exploiting[1][2][3] use-after-free
> type confusion flaws in the kernel. Avoid having a user-controlled size
> cache share the global kmalloc allocator by using a separate set of
> kmalloc buckets.
>
> Link: https://duasynt.com/blog/linux-kernel-heap-spray [1]
> Link: https://etenal.me/archives/1336 [2]
> Link: https://github.com/a13xp0p0v/kernel-hack-drill/blob/master/drill_exploit_uaf.c [3]
> Signed-off-by: Kees Cook
> ---
> Cc: Christian Brauner
> Cc: Alexander Viro
> Cc: Jan Kara
> Cc: linux-fsdevel@vger.kernel.org
> ---
> fs/xattr.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/fs/xattr.c b/fs/xattr.c
> index 09d927603433..2b06316f1d1f 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -821,6 +821,16 @@ SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, > return error; > } > > +static struct kmem_buckets *xattr_buckets; > +static int __init init_xattr_buckets(void) > +{ > + xattr_buckets = kmem_buckets_create("xattr", 0, 0, 0, > + XATTR_LIST_MAX, NULL); > + > + return 0; > +} > +subsys_initcall(init_xattr_buckets); > + > /* > * Extended attribute LIST operations > */
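Review bot: init_xattr_buckets() never checks the result of kmem_buckets_create(), so a failed creation leaves xattr_buckets NULL while the initcall still returns 0, and every later kmem_buckets_alloc(xattr_buckets, ...) call in listxattr() then depends on how the allocator treats a NULL bucket set. Suggest handling that case explicitly, e.g. `if (!xattr_buckets) return -ENOMEM;` (or at least a WARN_ON_ONCE() plus a deliberate fallback to the global kmalloc caches), so the failure is visible at boot rather than surfacing later as a crash or as every xattr list call failing.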
> @@ -833,7 +843,7 @@ listxattr(struct dentry *d, char __user *list, size_t size) > if (size) { > if (size > XATTR_LIST_MAX) > size = XATTR_LIST_MAX; > - klist = kvmalloc(size, GFP_KERNEL); > + klist = kmem_buckets_alloc(xattr_buckets, size, GFP_KERNEL);

There's a reason this uses kvmalloc() - allocations can be up to 64kB in size and it's not uncommon for large slab allocation to fail on long running machines. Hence this needs to fall back to vmalloc() to ensure that large xattrs can always be read.

Essentially, you're trading a heap spraying vector that almost no-one will ever see for a far more frequent -ENOMEM denial of service that will be seen on production systems where large xattrs are used.

-Dave.
-- 
Dave Chinner
david@fromorbit.com
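Review bot: the replacement line drops the vmalloc() fallback that kvmalloc() provided: size is clamped to XATTR_LIST_MAX two lines above, so kmem_buckets_alloc() can be asked for a 64 KiB slab object, and when that allocation fails there is no second path and listxattr() returns -ENOMEM where it previously succeeded. Either keep a vmalloc fallback behind the bucket allocation or state in the commit message that list buffers up to XATTR_LIST_MAX are now slab-only. The subject and description also talk about setxattr(), but the only call site converted in this patch is listxattr(); the text should name the function actually changed. The matching free of klist is outside the hunk; kvfree() handles both kmalloc and vmalloc memory so it should remain correct, but worth confirming.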