From: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Date: Wed, 5 Apr 2023 21:26:47 +0900
Subject: Re: [PATCH RFC] Randomized slab caches for kmalloc()
To: "GONG, Ruiqi", Dennis Zhou, Tejun Heo, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Vlastimil Babka
Cc: Roman Gushchin, Alexander Potapenko, Marco Elver, Dmitry Vyukov, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, Kees Cook, linux-hardening@vger.kernel.org, Paul Moore, linux-security-module@vger.kernel.org, James Morris, Wang Weiyang, Xiu Jianfeng
In-Reply-To: <20230315095459.186113-1-gongruiqi1@huawei.com>
References: <20230315095459.186113-1-gongruiqi1@huawei.com>
On 3/15/2023 6:54 PM, GONG, Ruiqi wrote:
> When exploiting memory vulnerabilities, "heap spraying" is a common
> technique targeting those related to dynamic memory allocation (i.e. the
> "heap"), and it plays an important role in a successful exploitation.
> Basically, it is to overwrite the memory area of the vulnerable object by
> triggering allocation in other subsystems or modules and therefore
> getting a reference to the targeted memory location. It's usable on
> various types of vulnerability including use after free (UAF), heap
> out-of-bound write, etc.
>
> There are (at least) two reasons why the heap can be sprayed: 1) generic
> slab caches are shared among different subsystems and modules, and
> 2) dedicated slab caches could be merged with the generic ones.
> Currently these two factors cannot be prevented at a low cost: the first
> one is a widely used memory allocation mechanism, and shutting down slab
> merging completely via `slub_nomerge` would be overkill.
>
> To efficiently prevent heap spraying, we propose the following approach:
> to create multiple copies of generic slab caches that will never be
> merged, and a random one of them will be used at allocation. The random
> selection is based on the location of code that calls `kmalloc()`, which
> means it is static at runtime (rather than dynamically determined at
> each time of allocation, which could be bypassed by repeatedly spraying
> in brute force).
> In this way, the vulnerable object and memory allocated
> in other subsystems and modules will (most probably) be on different
> slab caches, which prevents the object from being sprayed.
>
> Signed-off-by: GONG, Ruiqi
> ---

I'm not yet sure if this feature is appropriate for the mainline kernel.
I have a few questions:

1) What is the cost of this configuration, in terms of memory overhead or
   execution time?

2) The actual cache depends on the caller, which is static at build time, not
   runtime. What about using (caller ^ (some subsystem-wide random sequence)),
   which is static at runtime?
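As an added illustration (not code from the RFC patch or from either participant), the following user-space model shows the two properties the thread turns on: a call site always lands in the same cache copy, and distinct call sites spread across the copies, with a per-boot seed mixed into the caller address as the reply suggests. The copy count NR_RANDOM_CACHES, the splitmix64-style mixer standing in for a kernel hash, the seed and the caller addresses are all assumptions constructed for the example.

```c
/* Added example, not the patch's code: model of caller-keyed cache selection. */
#include <stdint.h>
#include <stdio.h>
#define NR_RANDOM_CACHES 16   /* assumed number of never-merged copies */

/* splitmix64 finaliser; stands in for a kernel hash such as hash_64(). */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Select the copy for one call site. The caller address is fixed per site, so
 * the choice never changes within a boot (retrying the allocation re-rolls
 * nothing); the seed, drawn once at boot, keeps the site->copy map unknown. */
unsigned int pick_cache(uintptr_t caller, uint64_t boot_seed)
{
    return (unsigned int)(mix64((uint64_t)caller ^ boot_seed) % NR_RANDOM_CACHES);
}

/* Property 1: every allocation from one call site uses the same copy. */
int same_site_is_stable(uintptr_t caller, uint64_t seed, int rounds)
{
    unsigned int first = pick_cache(caller, seed);
    for (int i = 0; i < rounds; i++)
        if (pick_cache(caller, seed) != first)
            return 0;
    return 1;
}

/* Property 2: distinct call sites spread over the copies. Returns how many
 * copies receive at least one of nr_sites constructed sites 16 bytes apart. */
int copies_used(uintptr_t base, int nr_sites, uint64_t seed)
{
    int seen[NR_RANDOM_CACHES] = {0}, used = 0;
    for (int i = 0; i < nr_sites; i++)
        seen[pick_cache(base + 16u * (uintptr_t)i, seed)] = 1;
    for (int c = 0; c < NR_RANDOM_CACHES; c++)
        used += seen[c];
    return used;
}

int main(void)
{
    const uint64_t seed = 0x243f6a8885a308d3ULL;        /* constructed boot seed */
    uintptr_t site = (uintptr_t)0xffffffff811234a0ULL;  /* constructed caller */
    printf("same site stable: %d\n", same_site_is_stable(site, seed, 1000));
    printf("copies used by 256 sites: %d of %d\n", copies_used(site, 256, seed), NR_RANDOM_CACHES);
    return 0;
}
```

Changing the seed changes which copy a given site maps to, which is what makes the mapping unknown before boot while still fixed for the life of the boot.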