Re: [PATCH v2 2/2] slab: Achieve better kmalloc caches randomization in kvmalloc

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Vlastimil Babka <vbabka@suse.cz>
To: GONG Ruiqi <gongruiqi1@huawei.com>,
	Christoph Lameter <cl@linux.com>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Kees Cook <kees@kernel.org>
Cc: Tamas Koczka <poprdi@google.com>,
	Roman Gushchin <roman.gushchin@linux.dev>,
	Hyeonggon Yoo <42.hyeyoo@gmail.com>,
	Xiu Jianfeng <xiujianfeng@huawei.com>,
	linux-mm@kvack.org, linux-hardening@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 2/2] slab: Achieve better kmalloc caches randomization in kvmalloc
Date: Mon, 10 Feb 2025 11:05:35 +0100	[thread overview]
Message-ID: <d50c3fae-1c2c-42b1-b622-fcd89c6b2dd3@suse.cz> (raw)
In-Reply-To: <20250208014723.1514049-3-gongruiqi1@huawei.com>

On 2/8/25 02:47, GONG Ruiqi wrote:
> As revealed by this writeup[1], due to the fact that __kmalloc_node (now
> renamed to __kmalloc_node_noprof) is an exported symbol and will never
> get inlined, using it in kvmalloc_node (now is __kvmalloc_node_noprof)
> would make the RET_IP inside always point to the same address:
> 
>     upper_caller
>         kvmalloc
>         kvmalloc_node
>         kvmalloc_node_noprof
>         __kvmalloc_node_noprof	<-- all macros all the way down here
>             __kmalloc_node_noprof
>                 __do_kmalloc_node(.., _RET_IP_)
>             ...			<-- _RET_IP_ points to
> 
> That literally means all kmalloc invoked via kvmalloc would use the same
> seed for cache randomization (CONFIG_RANDOM_KMALLOC_CACHES), which makes
> this hardening unfunctional.

                 non-functional?

> The root cause of this problem, IMHO, is that using RET_IP only cannot
> identify the actual allocation site in case of kmalloc being called
> inside wrappers or helper functions.

inside non-inlined wrappers... ?

>  And I believe there could be
> similar cases in other functions. Nevertheless, I haven't thought of
> any good solution for this. So for now let's solve this specific case
> first.

Yeah it's the similar problem with shared allocation wrappers as what
allocation tagging has.

> For __kvmalloc_node_noprof, replace __kmalloc_node_noprof and call
> __do_kmalloc_node directly instead, so that RET_IP can take the return
> address of kvmalloc and differentiate each kvmalloc invocation:
> 
>     upper_caller
>         kvmalloc
>         kvmalloc_node
>         kvmalloc_node_noprof
>         __kvmalloc_node_noprof	<-- all macros all the way down here
>             __do_kmalloc_node(.., _RET_IP_)
>         ...			<-- _RET_IP_ points to
> 
> Thanks to Tamás Koczka for the report and discussion!
> 
> Link: https://github.com/google/security-research/pull/83/files#diff-1604319b55a48c39a210ee52034ed7ff5b9cdc3d704d2d9e34eb230d19fae235R200 [1]

This should be slightly better? A permalink for the file itself:
https://github.com/google/security-research/blob/908d59b573960dc0b90adda6f16f7017aca08609/pocs/linux/kernelctf/CVE-2024-27397_mitigation/docs/exploit.md

Thanks.

> Reported-by: Tamás Koczka <poprdi@google.com>
> Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com>
> ---
>  mm/slub.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index 0830894bb92c..46e884b77dca 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -4903,9 +4903,9 @@ void *__kvmalloc_node_noprof(DECL_BUCKET_PARAMS(size, b), gfp_t flags, int node)
>  	 * It doesn't really make sense to fallback to vmalloc for sub page
>  	 * requests
>  	 */
> -	ret = __kmalloc_node_noprof(PASS_BUCKET_PARAMS(size, b),
> -				    kmalloc_gfp_adjust(flags, size),
> -				    node);
> +	ret = __do_kmalloc_node(size, PASS_BUCKET_PARAM(b),
> +				kmalloc_gfp_adjust(flags, size),
> +				node, _RET_IP_);
>  	if (ret || size <= PAGE_SIZE)
>  		return ret;
>

     prev parent reply	other threads:[~2025-02-10 10:05 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-08  1:47 [PATCH v2 0/2] Refine " GONG Ruiqi
2025-02-08  1:47 ` [PATCH v2 1/2] slab: Adjust placement of __kvmalloc_node_noprof GONG Ruiqi
2025-02-10  9:59   ` Vlastimil Babka
2025-02-08  1:47 ` [PATCH v2 2/2] slab: Achieve better kmalloc caches randomization in kvmalloc GONG Ruiqi
2025-02-10 10:05   ` Vlastimil Babka [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d50c3fae-1c2c-42b1-b622-fcd89c6b2dd3@suse.cz \
    --to=vbabka@suse.cz \
    --cc=42.hyeyoo@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=cl@linux.com \
    --cc=gongruiqi1@huawei.com \
    --cc=iamjoonsoo.kim@lge.com \
    --cc=kees@kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=penberg@kernel.org \
    --cc=poprdi@google.com \
    --cc=rientjes@google.com \
    --cc=roman.gushchin@linux.dev \
    --cc=xiujianfeng@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox