Message-ID: <1497931790.11009.1.camel@gmail.com>
Subject: Re: [kernel-hardening] [PATCH 23/23] mm: Allow slab_nomerge to be set at build time
From: Daniel Micay
To: Kees Cook, kernel-hardening@lists.openwall.com
Cc: David Windsor, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Date: Tue, 20 Jun 2017 00:09:50 -0400
In-Reply-To: <1497915397-93805-24-git-send-email-keescook@chromium.org>
References: <1497915397-93805-1-git-send-email-keescook@chromium.org> <1497915397-93805-24-git-send-email-keescook@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 2017-06-19 at 16:36 -0700, Kees Cook wrote:
> Some hardened environments want to build kernels with slab_nomerge
> already set (so that they do not depend on remembering to set the kernel
> command line option). This is desired to reduce the risk of kernel heap
> overflows being able to overwrite objects from merged caches, increasing
> the difficulty of these attacks. By keeping caches unmerged, these kinds
> of exploits can usually only damage objects in the same cache (though the
> risk to metadata exploitation is unchanged).

It also further fragments the ability to influence slab cache layout, i.e. primitives to do things like filling up slabs to set things up for an exploit might not be able to deal with the target slabs anymore. It doesn't need to be mentioned but it's something to think about too.
In theory, disabling merging can make it *easier* to get the right layout too if there was some annoyance that's now split away. It's definitely a lot more good than bad for security though, but allocator changes have subtle impact on exploitation. This can make caches more deterministic.
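
A defender-side check for the setting discussed in this thread, as an added example that is not part of the original email or the patch: it reports whether slab merging is effectively disabled from the build-time default and the boot command line, and counts merged caches at runtime. It assumes the mainline names `CONFIG_SLAB_MERGE_DEFAULT`, `slab_merge` and the `slub_*` aliases, a config file at `/boot/config-$(uname -r)`, and SLUB's `/sys/kernel/slab` layout, where a merged cache shows up as a symlink; none of these appear in the email itself.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs below are constructed.

# merge_state CMDLINE CONFIG_TEXT -> prints "nomerge", "merge" or "unknown"
merge_state() {
    _cmd=$1
    _cfg=$2
    _state=unknown
    # Build-time default: =y means caches are merged unless told otherwise.
    case "$_cfg" in
        *"CONFIG_SLAB_MERGE_DEFAULT=y"*) _state=merge ;;
        *"# CONFIG_SLAB_MERGE_DEFAULT is not set"*) _state=nomerge ;;
    esac
    # Boot parameters override the default; the last one on the line wins.
    # Only exact tokens are matched here. Globbing is off while splitting.
    set -f
    for _word in $_cmd; do
        case "$_word" in
            slab_nomerge|slub_nomerge) _state=nomerge ;;
            slab_merge|slub_merge) _state=merge ;;
        esac
    done
    set +f
    printf '%s\n' "$_state"
}

# count_aliases DIR -> number of entries that are symlinks, i.e. cache names
# sharing one underlying cache. 0 on a populated SLUB directory means unmerged.
count_aliases() {
    _n=0
    for _entry in "$1"/*; do
        if [ -L "$_entry" ]; then _n=$((_n + 1)); fi
    done
    printf '%s\n' "$_n"
}

# Use the live system when readable, otherwise a constructed sample.
cmdline='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro slab_nomerge'
config='CONFIG_SLAB_MERGE_DEFAULT=y'
if [ -r /proc/cmdline ] && [ -r "/boot/config-$(uname -r)" ]; then
    cmdline=$(cat /proc/cmdline)
    config=$(cat "/boot/config-$(uname -r)")
fi
echo "slab merging: $(merge_state "$cmdline" "$config")"
if [ -d /sys/kernel/slab ]; then
    echo "merged cache aliases: $(count_aliases /sys/kernel/slab)"
fi
```

A result of `nomerge` together with a non-zero alias count is worth investigating, since the two checks should agree on a SLUB kernel.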