From: Kees Cook <keescook@chromium.org>
To: Sasha Levin <sashal@kernel.org>
Cc: gregkh@linuxfoundation.org, akpm@linux-foundation.org,
cl@linux.com, iamjoonsoo.kim@lge.com, penberg@kernel.org,
rientjes@google.com, silvio.cesare@gmail.com,
stable@vger.kernel.org, torvalds@linux-foundation.org
Subject: Re: FAILED: patch "[PATCH] slub: improve bit diffusion for freelist ptr obfuscation" failed to apply to 4.19-stable tree
Date: Mon, 13 Apr 2020 22:24:06 -0700
Message-ID: <202004132221.B4CC36F@keescook>
In-Reply-To: <20200414024025.GC1068@sasha-vm>
On Mon, Apr 13, 2020 at 10:40:25PM -0400, Sasha Levin wrote:
> On Fri, Apr 10, 2020 at 10:09:02AM +0200, gregkh@linuxfoundation.org wrote:
> >
> > The patch below does not apply to the 4.19-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@vger.kernel.org>.
> >
> > thanks,
> >
> > greg k-h
> >
> > ------------------ original commit in Linus's tree ------------------
> >
> > From 1ad53d9fa3f6168ebcf48a50e08b170432da2257 Mon Sep 17 00:00:00 2001
> > From: Kees Cook <keescook@chromium.org>
> > Date: Wed, 1 Apr 2020 21:04:23 -0700
> > Subject: [PATCH] slub: improve bit diffusion for freelist ptr obfuscation
> >
> > Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak
> > in that the ptr and ptr address were usually so close that the first XOR
> > would result in an almost entirely 0-byte value[1], leaving most of the
> > "secret" number ultimately being stored after the third XOR. A single
> > blind memory content exposure of the freelist was generally sufficient to
> > learn the secret.
> >
> > Add a swab() call to mix bits a little more. This is a cheap way (1
> > cycle) to make attacks need more than a single exposure to learn the
> > secret (or to know _where_ the exposure is in memory).
> >
> > kmalloc-32 freelist walk, before:
> >
> > ptr ptr_addr stored value secret
> > ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d)
> > ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d)
> > ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d)
> > ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d)
> > ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d)
> > ...
> >
> > after:
> >
> > ptr ptr_addr stored value secret
> > ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
> > ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
> > ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
> > ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
> > ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)
> >
> > [1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
> >
> > Fixes: 2482ddec670f ("mm: add SLUB free list pointer obfuscation")
> > Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Christoph Lameter <cl@linux.com>
> > Cc: Pekka Enberg <penberg@kernel.org>
> > Cc: David Rientjes <rientjes@google.com>
> > Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
> > Cc: <stable@vger.kernel.org>
> > Link: http://lkml.kernel.org/r/202003051623.AF4F8CB@keescook
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> As previously promised, I've grabbed d5767057c9a7 ("uapi: rename
> ext2_swab() to swab() and share globally in swab.h") so that we'll have
> swab() on 4.19 and 4.14, but it wasn't enough.
>
> There was another conflict with d36a63a943e3 ("kasan, slub: fix more
> conflicts with CONFIG_SLAB_FREELIST_HARDENED") which I've resolved by
> simply doing:
>
> diff --git a/mm/slub.c b/mm/slub.c
> index 958a8f7a3c253..d2db6bc5e788b 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -248,7 +248,7 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
> unsigned long ptr_addr)
> {
> #ifdef CONFIG_SLAB_FREELIST_HARDENED
> - return (void *)((unsigned long)ptr ^ s->random ^ ptr_addr);
> + return (void *)swab((unsigned long)ptr ^ s->random ^ ptr_addr);
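Review bot: the `+` line wraps the whole XOR in swab(), which only permutes the bytes of the value the original code would have stored; since the commit message explains that ptr ^ ptr_addr is almost entirely zero bytes for neighbouring freelist entries, the stored value becomes essentially swab(s->random) and a single exposure still reveals the secret. The swab() has to go on ptr_addr alone so that the address bytes are mixed into different positions than ptr's, i.e. `return (void *)((unsigned long)ptr ^ s->random ^ swab(ptr_addr));`, which is also what the reply below asks for.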
Eeek, no, no. The swab() must be on ptr_addr. I already sent a backport
for this to stable, see:
https://lore.kernel.org/stable/202004131001.20346EB0E7@keescook
Please use that instead.
--
Kees Cook
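To make the two placements of swab() concrete, here is an added example (not code from the kernel or from this thread) that reproduces the mail's kmalloc-32 walk values for the original obfuscation, for the upstream fix with swab() on ptr_addr, and for the quoted backport variant that swaps the whole XOR. It assumes a 64-bit unsigned long and uses a local swab64() in place of the kernel's swab().

```c
#include <stdint.h>
#include <stdio.h>

/* Byte-swap a 64-bit value; stands in for the kernel's swab() (assumption: 64-bit target). */
static uint64_t swab64(uint64_t x)
{
	x = ((x & 0x00ff00ff00ff00ffULL) << 8)  | ((x >> 8)  & 0x00ff00ff00ff00ffULL);
	x = ((x & 0x0000ffff0000ffffULL) << 16) | ((x >> 16) & 0x0000ffff0000ffffULL);
	return (x << 32) | (x >> 32);
}

/* Obfuscation before the fix (commit 2482ddec670f): ptr ^ secret ^ ptr_addr. */
static uint64_t freelist_ptr_weak(uint64_t ptr, uint64_t secret, uint64_t ptr_addr)
{
	return ptr ^ secret ^ ptr_addr;
}

/* Upstream fix (commit 1ad53d9fa3f6): swab() applied to ptr_addr only. */
static uint64_t freelist_ptr_fixed(uint64_t ptr, uint64_t secret, uint64_t ptr_addr)
{
	return ptr ^ secret ^ swab64(ptr_addr);
}

/* The backport variant quoted in the thread: swab() around the whole XOR. */
static uint64_t freelist_ptr_backport(uint64_t ptr, uint64_t secret, uint64_t ptr_addr)
{
	return swab64(ptr ^ secret ^ ptr_addr);
}

/* Diffusion check: number of the 8 stored bytes equal to the secret's byte at that position. */
static int bytes_equal_to_secret(uint64_t stored, uint64_t secret)
{
	int n = 0;
	for (int i = 0; i < 8; i++)
		n += (((stored ^ secret) >> (8 * i)) & 0xff) == 0;
	return n;
}

int main(void)
{
	/* Sample values taken from the mail's "before" and "after" kmalloc-32 freelist walks. */
	const uint64_t secret = 0x86528eb656b3b59dULL;
	uint64_t w = freelist_ptr_weak(0xffff90c22e019020ULL, secret, 0xffff90c22e019000ULL);
	uint64_t f = freelist_ptr_fixed(0xffff9eed6e019020ULL, secret, 0xffff9eed6e019000ULL);
	uint64_t b = freelist_ptr_backport(0xffff90c22e019020ULL, secret, 0xffff90c22e019000ULL);
	printf("weak     %016llx  secret bytes visible: %d\n", (unsigned long long)w, bytes_equal_to_secret(w, secret));
	printf("fixed    %016llx  secret bytes visible: %d\n", (unsigned long long)f, bytes_equal_to_secret(f, secret));
	printf("backport %016llx  secret bytes visible after undoing swab: %d\n", (unsigned long long)b, bytes_equal_to_secret(swab64(b), secret));
	return 0;
}
```

The weak and backport forms leave seven of the eight secret bytes stored unchanged (the backport merely byte-swaps them), while the upstream placement on ptr_addr leaves none, matching the two walks in the commit message.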