From: Andi Kleen <ak@linux.intel.com>
To: Kees Cook <kees@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>,
"GONG, Ruiqi" <gongruiqi@huaweicloud.com>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
jvoisin <julien.voisin@dustri.org>,
Andrew Morton <akpm@linux-foundation.org>,
Roman Gushchin <roman.gushchin@linux.dev>,
Hyeonggon Yoo <42.hyeyoo@gmail.com>,
Xiu Jianfeng <xiujianfeng@huawei.com>,
Suren Baghdasaryan <surenb@google.com>,
Kent Overstreet <kent.overstreet@linux.dev>,
Jann Horn <jannh@google.com>,
Matteo Rizzo <matteorizzo@google.com>,
Thomas Graf <tgraf@suug.ch>,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-hardening@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH v5 4/6] mm/slab: Introduce kmem_buckets_create() and family
Date: Thu, 20 Jun 2024 15:48:24 -0700 [thread overview]
Message-ID: <87r0crut6v.fsf@linux.intel.com> (raw)
In-Reply-To: <20240619193357.1333772-4-kees@kernel.org> (Kees Cook's message of "Wed, 19 Jun 2024 12:33:52 -0700")
Kees Cook <kees@kernel.org> writes:
> Dedicated caches are available for fixed size allocations via
> kmem_cache_alloc(), but for dynamically sized allocations there is only
> the global kmalloc API's set of buckets available. This means it isn't
> possible to separate specific sets of dynamically sized allocations into
> a separate collection of caches.
>
> This leads to a use-after-free exploitation weakness in the Linux
> kernel since many heap memory spraying/grooming attacks depend on using
> userspace-controllable dynamically sized allocations to collide with
> fixed size allocations that end up in same cache.
>
> While CONFIG_RANDOM_KMALLOC_CACHES provides a probabilistic defense
> against these kinds of "type confusion" attacks, including for fixed
> same-size heap objects, we can create a complementary deterministic
> defense for dynamically sized allocations that are directly user
> controlled. Addressing these cases is limited in scope, so isolating these
> kinds of interfaces will not become an unbounded game of whack-a-mole. For
> example, many pass through memdup_user(), making isolation there very
> effective.
Isn't the attack still possible if the attacker can free the slab page
during the use-after-free period with enough memory pressure?
Someone else might grab the page that was in the bucket for another slab
and the type confusion could hurt again.
Or is there some other defense against that, other than
CONFIG_DEBUG_PAGEALLOC or full slab poisoning? And how expensive
does it get when any of those are enabled?
I remember reading some paper about a apple allocator trying similar
techniques and it tried very hard to never reuse memory (probably
not a good idea for Linux though)
I assume you thought about this, but it would be good to discuss such
limitations and interactions in the commit log.
-Andi
next prev parent reply other threads:[~2024-06-20 22:48 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-19 19:33 [PATCH v5 0/6] slab: Introduce dedicated bucket allocator Kees Cook
2024-06-19 19:33 ` [PATCH v5 1/6] mm/slab: Introduce kmem_buckets typedef Kees Cook
2024-06-19 19:33 ` [PATCH v5 2/6] mm/slab: Plumb kmem_buckets into __do_kmalloc_node() Kees Cook
2024-06-20 13:08 ` Vlastimil Babka
2024-06-20 13:37 ` Vlastimil Babka
2024-06-20 18:46 ` Kees Cook
2024-06-20 20:44 ` Vlastimil Babka
2024-06-20 18:41 ` Kees Cook
2024-06-19 19:33 ` [PATCH v5 3/6] mm/slab: Introduce kvmalloc_buckets_node() that can take kmem_buckets argument Kees Cook
2024-06-19 19:33 ` [PATCH v5 4/6] mm/slab: Introduce kmem_buckets_create() and family Kees Cook
2024-06-20 13:56 ` Vlastimil Babka
2024-06-20 18:54 ` Kees Cook
2024-06-20 20:43 ` Vlastimil Babka
2024-06-28 5:35 ` Boqun Feng
2024-06-28 8:40 ` Vlastimil Babka
2024-06-28 9:06 ` Alice Ryhl
2024-06-28 9:17 ` Vlastimil Babka
2024-06-28 9:34 ` Alice Ryhl
2024-06-28 15:47 ` Kees Cook
2024-06-28 16:53 ` Vlastimil Babka
2024-06-20 22:48 ` Andi Kleen [this message]
2024-06-20 23:29 ` Kees Cook
2024-06-19 19:33 ` [PATCH v5 5/6] ipc, msg: Use dedicated slab buckets for alloc_msg() Kees Cook
2024-06-19 19:33 ` [PATCH v5 6/6] mm/util: Use dedicated slab buckets for memdup_user() Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r0crut6v.fsf@linux.intel.com \
--to=ak@linux.intel.com \
--cc=42.hyeyoo@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=gongruiqi@huaweicloud.com \
--cc=herbert@gondor.apana.org.au \
--cc=iamjoonsoo.kim@lge.com \
--cc=jannh@google.com \
--cc=julien.voisin@dustri.org \
--cc=kees@kernel.org \
--cc=kent.overstreet@linux.dev \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=matteorizzo@google.com \
--cc=netdev@vger.kernel.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=surenb@google.com \
--cc=tgraf@suug.ch \
--cc=vbabka@suse.cz \
--cc=xiujianfeng@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).