All of lore.kernel.org
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Feng Tang <feng.tang@intel.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Vlastimil Babka <vbabka@suse.cz>,
	Christoph Lameter <cl@linux.com>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Roman Gushchin <roman.gushchin@linux.dev>,
	Hyeonggon Yoo <42.hyeyoo@gmail.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Dave Hansen <dave.hansen@intel.com>,
	Linux Memory Management List <linux-mm@kvack.org>,
	LKML <linux-kernel@vger.kernel.org>,
	kasan-dev <kasan-dev@googlegroups.com>
Subject: Re: [PATCH v6 2/4] mm/slub: only zero the requested size of buffer for kzalloc
Date: Mon, 26 Sep 2022 13:15:02 -0700	[thread overview]
Message-ID: <202209261305.CF6ED6EEC@keescook> (raw)
In-Reply-To: <CA+fCnZfSv98uvxop7YN_L-F=WNVkb5rcwa6Nmf5yN-59p8Sr4Q@mail.gmail.com>

On Mon, Sep 26, 2022 at 09:11:24PM +0200, Andrey Konovalov wrote:
> On Tue, Sep 13, 2022 at 8:54 AM Feng Tang <feng.tang@intel.com> wrote:
> >
> 
> Hi Feng,
> 
> > kzalloc/kmalloc will round up the request size to a fixed size
> > (mostly power of 2), so the allocated memory could be more than
> > requested. Currently kzalloc family APIs will zero all the
> > allocated memory.
> >
> > To detect out-of-bound usage of the extra allocated memory, only
> > zero the requested part, so that sanity check could be added to
> > the extra space later.
> 
> I still don't like the idea of only zeroing the requested memory and
> not the whole object. Considering potential info-leak vulnerabilities.

I really really do not like reducing the zeroing size. We're trying to
be proactive against _flaws_, which means that when there's a memory
over-read (or uninitialized use), suddenly the scope of the exposure (or
control) is wider/looser.

Imagine the (unfortunately very common) case of use-after-free attacks,
which leverage type confusion: some object is located in kmalloc-128
because it's 126 bytes. That slot gets freed and reallocated to, say, a
97 byte object going through kzalloc() or zero-on-init. With this patch
the bytes above the 97 don't get zeroed, and the stale data from the
prior 126 byte object say there happily to be used again later through
a dangling pointer, or whatever. Without the proposed patch, the entire
128 bytes is wiped, which makes stale data re-use more difficult.

> > Performance wise, smaller zeroing length also brings shorter
> > execution time, as shown from test data on various server/desktop
> > platforms.

For these cases, I think a much better solution is to provide those
sensitive allocations their own dedicated kmem_cache.

> >
> > For kzalloc users who will call ksize() later and utilize this
> > extra space, please be aware that the space is not zeroed any
> > more.
> 
> CC Kees

Thanks! Well, the good news is that ksize() side-effects is hopefully
going to vanish soon, but my objections about stale memory remain.

-Kees

-- 
Kees Cook


  reply	other threads:[~2022-09-26 20:15 UTC|newest]

Thread overview: 48+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-13  6:54 [PATCH v6 0/4] mm/slub: some debug enhancements for kmalloc Feng Tang
2022-09-13  6:54 ` [PATCH v6 1/4] mm/slub: enable debugging memory wasting of kmalloc Feng Tang
2022-09-23 11:43   ` Vlastimil Babka
2022-09-24  7:08     ` Feng Tang
2022-10-30 19:23   ` John Thomson
2022-10-30 21:30     ` Vlastimil Babka
2022-10-31  2:36       ` Feng Tang
2022-10-31 10:05         ` John Thomson
2022-10-31 11:36           ` Hyeonggon Yoo
2022-10-31 11:42           ` Feng Tang
2022-11-01  0:18             ` John Thomson
2022-11-01  2:41               ` John Thomson
2022-11-01  7:57               ` Feng Tang
2022-11-01  9:20                 ` John Thomson
2022-11-01  9:31                   ` Hyeonggon Yoo
2022-11-01 10:33                     ` John Thomson
2022-11-01 10:42                       ` Hyeonggon Yoo
2022-11-01 13:55                         ` Feng Tang
2022-11-01 19:39                           ` John Thomson
2022-11-02  6:08                             ` Feng Tang
2022-11-02  7:16                               ` Hyeonggon Yoo
2022-11-03  7:18                                 ` Feng Tang
2022-11-03  7:45                                   ` John Thomson
2022-11-03  8:16                                     ` Feng Tang
2022-11-02  8:22                       ` Vlastimil Babka
2022-11-03  5:54                         ` Feng Tang
2022-11-03  8:33                           ` Vlastimil Babka
2022-11-03 14:16                             ` Feng Tang
2022-11-03 14:36                               ` Hyeonggon Yoo
2022-11-03 16:57                                 ` Vlastimil Babka
2022-11-03 17:35                                   ` Vlastimil Babka
2022-11-04  3:52                                     ` Feng Tang
2022-09-13  6:54 ` [PATCH v6 2/4] mm/slub: only zero the requested size of buffer for kzalloc Feng Tang
2022-09-26 19:11   ` Andrey Konovalov
2022-09-26 20:15     ` Kees Cook [this message]
2022-09-27  1:22       ` Feng Tang
2022-09-27  2:42     ` Feng Tang
2022-10-13 14:00       ` Andrey Konovalov
2022-10-14  5:59         ` Feng Tang
2022-09-13  6:54 ` [PATCH v6 3/4] mm: kasan: Add free_meta size info in struct kasan_cache Feng Tang
2022-09-20 19:20   ` Andrey Konovalov
2022-09-21 12:02     ` Feng Tang
2022-09-24 18:05       ` Andrey Konovalov
2022-09-25 11:26         ` Feng Tang
2022-09-25 16:31           ` Andrey Konovalov
2022-09-27  3:03             ` Feng Tang
2022-09-13  6:54 ` [PATCH v6 4/4] mm/slub: extend redzone check to extra allocated kmalloc space than requested Feng Tang
2022-09-13  8:53   ` Hyeonggon Yoo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202209261305.CF6ED6EEC@keescook \
    --to=keescook@chromium.org \
    --cc=42.hyeyoo@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=andreyknvl@gmail.com \
    --cc=cl@linux.com \
    --cc=corbet@lwn.net \
    --cc=dave.hansen@intel.com \
    --cc=dvyukov@google.com \
    --cc=feng.tang@intel.com \
    --cc=iamjoonsoo.kim@lge.com \
    --cc=kasan-dev@googlegroups.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=penberg@kernel.org \
    --cc=rientjes@google.com \
    --cc=roman.gushchin@linux.dev \
    --cc=vbabka@suse.cz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.