From: Vlastimil Babka
Date: Thu, 3 Oct 2024 16:27:12 +0200
Subject: Re: [DESIGN] Hardening page allocator against type confusion
To: Matthew Wilcox, linux-mm@kvack.org
Cc: Kees Cook, Jann Horn

On 9/25/24 21:46, Matthew Wilcox wrote:
> Kees and I had a fun discussion at Plumbers.
>
> We're trying to harden against type confusion, where we think we have
> a pointer to one thing, but it turns out to be a pointer to a different
> thing. There's various ways this can be harmful, which Kees has laid out
> before when adding slab buckets. eg see https://lwn.net/Articles/978976/
>
> Not all allocations come from slab though. If we free a slab object
> and the slab it was in gets freed back to the page allocator, it can
> turn into almost anything else _quickly_ as the page allocator fronts
> the buddy allocator with a stack of recently-freed pages (called PCP,
> not to be confused with percpu memory), so if the attacker can arrange
> for a page table allocation to come in soon after a slab free, it is
> very likely to be the memory they have access to.
>
> My proposal is that we resolve this "type confusion" by having separate
> PCP lists for different types of pages. We'll need to have this for
> memdescs anyway, so this is just shifting some of the work left.
>
> We'd reduce the exploitability of type confusion by using a per-CPU,
> per-type stack of recently used pages. To turn a slab page into a page
> table page, the attacker would have to cause a dozen slabs to be freed on
> this CPU, pushing this one into the buddy allocator. Then they'd have
> to cause the allocating task to empty its stack of page table pages,
> causing the attackable slab to be pulled from the buddy. It's still
> possible, but it's harder.
>
> Harder enough? I don't know, hence this email. We can get into the
> API design (and then the implementation design) if we have agreement
> that this is the right approach to be taking.

Not a security expert but I doubt it's harder enough? I thought the robust
mitigation here was SLAB_VIRTUAL
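The quoted proposal argues that a per-type PCP list turns "the next page-table allocation gets the just-freed slab page" into a multi-step grooming exercise. The following is an added toy model of that argument, not kernel code and not an implementation of the proposal: it simulates one CPU's PCP cache in front of a buddy pool, once with a single shared list (today) and once with one list per page type, and counts how many attacker-driven operations it takes before a page-table allocation hands back a freed slab page the attacker still references. The depths (PCP_HIGH, PCP_BATCH, NR_BUDDY), the LIFO allocation order, the oldest-first drain, the refill order and the pfn values are all assumptions chosen to keep the model small; the real allocator's constants and ordering differ, so only the qualitative gap between the two numbers is the point.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the per-CPU page (PCP) cache that fronts the buddy allocator.
 * Added illustration, not kernel code: list depths, batch sizes and the
 * LIFO/FIFO choices below are assumptions made to keep the model small.
 */
enum page_type { PT_SLAB, PT_PGTABLE, NR_TYPES };

#define PCP_HIGH   8      /* assumed: drain to buddy when a PCP list exceeds this */
#define PCP_BATCH  4      /* assumed: pages moved per drain or refill */
#define NR_BUDDY   64     /* assumed: pages initially held by the buddy pool */
#define MAX_PAGES  256
#define VICTIM_PFN 1000   /* the freed slab page the attacker still references */
#define MAX_OPS    10000  /* give up after this many attacker operations */

/* pfn[n-1] is the head (most recently added), pfn[0] the tail (oldest). */
struct pcp_list { int pfn[MAX_PAGES]; int n; };

static void list_add_head(struct pcp_list *l, int pfn) { l->pfn[l->n++] = pfn; }
static int  list_take_head(struct pcp_list *l) { return l->pfn[--l->n]; }
static int  list_take_tail(struct pcp_list *l)
{
    int pfn = l->pfn[0];
    memmove(&l->pfn[0], &l->pfn[1], (size_t)(l->n - 1) * sizeof(int));
    l->n--;
    return pfn;
}

struct cpu_cache {
    bool per_type;                  /* false: one shared list; true: the proposal */
    struct pcp_list pcp[NR_TYPES];  /* only pcp[0] is used when !per_type */
    struct pcp_list buddy;          /* stand-in for the buddy free lists */
};

static struct pcp_list *pcp_for(struct cpu_cache *c, enum page_type t)
{
    return &c->pcp[c->per_type ? t : 0];
}

/* Free a page into its PCP list; when the list gets too deep, push the
 * oldest PCP_BATCH pages out to the buddy pool (assumed ordering). */
static void free_page(struct cpu_cache *c, int pfn, enum page_type t)
{
    struct pcp_list *l = pcp_for(c, t);
    list_add_head(l, pfn);
    if (l->n > PCP_HIGH)
        for (int i = 0; i < PCP_BATCH; i++)
            list_add_head(&c->buddy, list_take_tail(l));
}

/* Allocate from the PCP list, pulling a batch from buddy when it is empty. */
static int alloc_page(struct cpu_cache *c, enum page_type t)
{
    struct pcp_list *l = pcp_for(c, t);
    if (l->n == 0)
        for (int i = 0; i < PCP_BATCH && c->buddy.n > 0; i++)
            list_add_head(l, list_take_head(&c->buddy));
    return l->n ? list_take_head(l) : -1;
}

static void cache_init(struct cpu_cache *c, bool per_type)
{
    memset(c, 0, sizeof(*c));
    c->per_type = per_type;
    for (int pfn = 1; pfn <= NR_BUDDY; pfn++)
        list_add_head(&c->buddy, pfn);
    /* Assumed starting state: this CPU already caches a few page-table pages. */
    for (int pfn = 2001; pfn <= 2000 + PCP_BATCH; pfn++)
        free_page(c, pfn, PT_PGTABLE);
}

/*
 * Attacker model: the victim slab page is freed while the attacker keeps a
 * dangling reference to it. The attacker then alternates between requesting
 * a page-table page and freeing one more slab page on this CPU. Returns the
 * number of operations until a page-table allocation yields VICTIM_PFN,
 * or -1 if that never happens within MAX_OPS.
 */
static int ops_until_victim_is_pgtable(bool per_type)
{
    struct cpu_cache c;
    int ops = 0, next_slab = 3001;

    cache_init(&c, per_type);
    free_page(&c, VICTIM_PFN, PT_SLAB);
    while (ops < MAX_OPS) {
        ops++;
        if (alloc_page(&c, PT_PGTABLE) == VICTIM_PFN)
            return ops;
        ops++;
        free_page(&c, next_slab++, PT_SLAB);
    }
    return -1;
}

int main(void)
{
    printf("shared PCP list: victim reused as page table after %d op(s)\n",
           ops_until_victim_is_pgtable(false));
    printf("per-type PCP   : victim reused as page table after %d op(s)\n",
           ops_until_victim_is_pgtable(true));
    return 0;
}
```

With the shared list the very first page-table allocation returns the victim, because the PCP is a stack and the slab page was the last thing pushed. With per-type lists the attacker first has to free enough slab pages to overflow the slab list so the victim drains to buddy, then exhaust the page-table list so a refill pulls it back in, which in this model takes more than twice PCP_HIGH operations. That is exactly the "still possible, but harder" trade-off under discussion; the model says nothing about whether the extra grooming is hard enough, which is the question the thread is asking.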