From: Kees Cook <keescook@chromium.org>
To: zerons <zeronsaxm@gmail.com>
Cc: Alexander Popov <alex.popov@linux.com>,
Andrey Konovalov <andreyknvl@google.com>,
kernel-hardening@lists.openwall.com, Shawn <citypw@gmail.com>,
spender@grsecurity.net
Subject: Re: Maybe inappropriate use BUG_ON() in CONFIG_SLAB_FREELIST_HARDENED
Date: Mon, 17 Feb 2020 10:23:55 -0800 [thread overview]
Message-ID: <202002171019.A7B4679@keescook> (raw)
In-Reply-To: <CAAeHK+y-FdpH20Z7HsB0U+mgD9CK0gECCqShXFtFWpFp01jAmA@mail.gmail.com>
On Mon, Feb 17, 2020 at 04:15:44PM +0100, Andrey Konovalov wrote:
> On Thu, Feb 13, 2020 at 4:43 PM zerons <zeronsaxm@gmail.com> wrote:
> >
> > Hi,
> >
> > In slub.c(https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/mm/slub.c?h=v5.4.19#n305),
> > for SLAB_FREELIST_HARDENED, an extra detection of the double free bug has been added.
> >
> > This patch can (maybe only) detect something like this: kfree(a) kfree(a).
> > However, it does nothing when another process calls kfree(b) between the two kfree above.
> >
> > The problem is, if the panic_on_oops option is not set(Ubuntu 16.04/18.04 default option),
> > for a bug which kfree an object twice in a row, if another process can preempt the process
> > triggered this bug and then call kmalloc() to get the object, the patch doesn't work.
> >
> > Case 0: failure race
> > Process A:
> > kfree(a)
> > kfree(a)
> > the patch could terminate Process A.
> >
> > Case 1: race done
> > Process A:
> > kfree(a)
> > Process B:
> > kmalloc() -> a
> > Process A:
> > kfree(a)
> > the patch does nothing.
> >
> > The attacker can check the return status of process A to see if the race is done.
> >
> > Without this extra detection, the kernel could be unstable while the attacker
> > trying to do the race.
The check was just for the trivial case. It was an inexpensive check,
but was never designed to be a robust double-free defense.
> > In my opinion, this patch can somehow help attacker exploit this kind of bugs
> > more reliable.
Why do you think this makes races easier to win?
> +Alexander Popov, who is the author of the double free check in
> SLAB_FREELIST_HARDENED.
>
> Ah, so as long as the double free happens in a user process context,
> you can retry triggering it until you succeed in winning the race to
> reallocate the object (without causing slab freelist corruption, as it
> would have had happened before SLAB_FREELIST_HARDENED). Nice idea!
Do you see improvements that could be made here?
--
Kees Cook
next prev parent reply other threads:[~2020-02-17 18:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-13 15:16 Maybe inappropriate use BUG_ON() in CONFIG_SLAB_FREELIST_HARDENED zerons
2020-02-17 15:15 ` Andrey Konovalov
2020-02-17 18:23 ` Kees Cook [this message]
2020-02-18 2:21 ` zerons
2020-02-18 20:54 ` Alexander Popov
2020-02-19 13:43 ` zerons
2020-02-27 11:28 ` Alexander Popov
2020-03-08 0:44 ` zerons
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202002171019.A7B4679@keescook \
--to=keescook@chromium.org \
--cc=alex.popov@linux.com \
--cc=andreyknvl@google.com \
--cc=citypw@gmail.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=spender@grsecurity.net \
--cc=zeronsaxm@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox