Re: [RFC PATCH 9/9] powerpc/configs/skiroot: Enable some more hardening options

[Michael Ellerman <mpe@ellerman.id.au>]

Joel Stanley <joel@jms.id.au> writes:
> On Thu, 16 Jan 2020 at 01:48, Michael Ellerman <mpe@ellerman.id.au> wrote:
>>
>> Enable more hardening options.
>>
>> Note BUG_ON_DATA_CORRUPTION selects DEBUG_LIST and is essentially just
>> a synonym for it.
>>
>> DEBUG_SG, DEBUG_NOTIFIERS, DEBUG_LIST, DEBUG_CREDENTIALS and
>> SCHED_STACK_END_CHECK should all be low overhead and just add a few
>> extra checks.
>>
>> Unselecting SLAB_MERGE_DEFAULT causes the SLAB to use more memory, but
>> the skiroot kernel shouldn't be memory constrained on any of our
>> systems, all it does is run a small bootloader.
>
> Why do we unselect it?

The help text pretty much explains it:

config SLAB_MERGE_DEFAULT
	bool "Allow slab caches to be merged"
	default y
	help
	  For reduced kernel memory fragmentation, slab caches can be
	  merged when they share the same size and other characteristics.
	  This carries a risk of kernel heap overflows being able to
	  overwrite objects from merged caches (and more easily control
	  cache layout), which makes such heap attacks easier to exploit
	  by attackers. By keeping caches unmerged, these kinds of exploits
	  can usually only damage objects in the same cache. To disable
	  merging at runtime, "slab_nomerge" can be passed on the kernel
	  command line.


So unselecting it uses a bit more memory but has some
security/robustness benefit.

I should probably also mention that it essentially has no effect because
we're also enabling SLUB_DEBUG_ON, and that causes some of the flags in
SLAB_NEVER_MERGE to be set, which also disables merging.

cheers