FAILED: patch "[PATCH] slub: improve bit diffusion for freelist ptr obfuscation" failed to apply to 4.19-stable tree

FAILED: patch "[PATCH] slub: improve bit diffusion for freelist ptr obfuscation" failed to apply to 4.19-stable tree

[gregkh]

The patch below does not apply to the 4.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 1ad53d9fa3f6168ebcf48a50e08b170432da2257 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Wed, 1 Apr 2020 21:04:23 -0700
Subject: [PATCH] slub: improve bit diffusion for freelist ptr obfuscation

Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak
in that the ptr and ptr address were usually so close that the first XOR
would result in an almost entirely 0-byte value[1], leaving most of the
"secret" number ultimately being stored after the third XOR.  A single
blind memory content exposure of the freelist was generally sufficient to
learn the secret.

Add a swab() call to mix bits a little more.  This is a cheap way (1
cycle) to make attacks need more than a single exposure to learn the
secret (or to know _where_ the exposure is in memory).

kmalloc-32 freelist walk, before:

ptr              ptr_addr            stored value      secret
ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d)
ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d)
ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d)
ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d)
ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d)
...

after:

ptr              ptr_addr            stored value      secret
ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)

[1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html

Fixes: 2482ddec670f ("mm: add SLUB free list pointer obfuscation")
Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/202003051623.AF4F8CB@keescook
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/mm/slub.c b/mm/slub.c
index fc911c222b11..bc949e3428c9 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -259,7 +259,7 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
 	 * freepointer to be restored incorrectly.
 	 */
 	return (void *)((unsigned long)ptr ^ s->random ^
-			(unsigned long)kasan_reset_tag((void *)ptr_addr));
+			swab((unsigned long)kasan_reset_tag((void *)ptr_addr)));
 #else
 	return ptr;
 #endif

Re: FAILED: patch "[PATCH] slub: improve bit diffusion for freelist ptr obfuscation" failed to apply to 4.19-stable tree

[Kees Cook]

Hi!

I've backported this to v4.19 (and v4.14). Those backports require that
d5767057c9a76a29f073dad66b7fa12a90e8c748 is cherry-picked into stable
for v4.19 and v4.14 as well. I will send patches...

-Kees

On Fri, Apr 10, 2020 at 10:09:02AM +0200, gregkh@linuxfoundation.org wrote:
> 
> The patch below does not apply to the 4.19-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
> 
> thanks,
> 
> greg k-h
> 
> ------------------ original commit in Linus's tree ------------------
> 
> From 1ad53d9fa3f6168ebcf48a50e08b170432da2257 Mon Sep 17 00:00:00 2001
> From: Kees Cook <keescook@chromium.org>
> Date: Wed, 1 Apr 2020 21:04:23 -0700
> Subject: [PATCH] slub: improve bit diffusion for freelist ptr obfuscation
> 
> Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak
> in that the ptr and ptr address were usually so close that the first XOR
> would result in an almost entirely 0-byte value[1], leaving most of the
> "secret" number ultimately being stored after the third XOR.  A single
> blind memory content exposure of the freelist was generally sufficient to
> learn the secret.
> 
> Add a swab() call to mix bits a little more.  This is a cheap way (1
> cycle) to make attacks need more than a single exposure to learn the
> secret (or to know _where_ the exposure is in memory).
> 
> kmalloc-32 freelist walk, before:
> 
> ptr              ptr_addr            stored value      secret
> ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d)
> ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d)
> ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d)
> ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d)
> ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d)
> ...
> 
> after:
> 
> ptr              ptr_addr            stored value      secret
> ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
> ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
> ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
> ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
> ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)
> 
> [1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
> 
> Fixes: 2482ddec670f ("mm: add SLUB free list pointer obfuscation")
> Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Cc: Christoph Lameter <cl@linux.com>
> Cc: Pekka Enberg <penberg@kernel.org>
> Cc: David Rientjes <rientjes@google.com>
> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
> Cc: <stable@vger.kernel.org>
> Link: http://lkml.kernel.org/r/202003051623.AF4F8CB@keescook
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index fc911c222b11..bc949e3428c9 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -259,7 +259,7 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
>  	 * freepointer to be restored incorrectly.
>  	 */
>  	return (void *)((unsigned long)ptr ^ s->random ^
> -			(unsigned long)kasan_reset_tag((void *)ptr_addr));
> +			swab((unsigned long)kasan_reset_tag((void *)ptr_addr)));
>  #else
>  	return ptr;
>  #endif
> 

-- 
Kees Cook

Re: FAILED: patch "[PATCH] slub: improve bit diffusion for freelist ptr obfuscation" failed to apply to 4.19-stable tree

[Sasha Levin]

On Fri, Apr 10, 2020 at 10:09:02AM +0200, gregkh@linuxfoundation.org wrote:
>
>The patch below does not apply to the 4.19-stable tree.
>If someone wants it applied there, or to any other stable or longterm
>tree, then please email the backport, including the original git commit
>id to <stable@vger.kernel.org>.
>
>thanks,
>
>greg k-h
>
>------------------ original commit in Linus's tree ------------------
>
>From 1ad53d9fa3f6168ebcf48a50e08b170432da2257 Mon Sep 17 00:00:00 2001
>From: Kees Cook <keescook@chromium.org>
>Date: Wed, 1 Apr 2020 21:04:23 -0700
>Subject: [PATCH] slub: improve bit diffusion for freelist ptr obfuscation
>
>Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak
>in that the ptr and ptr address were usually so close that the first XOR
>would result in an almost entirely 0-byte value[1], leaving most of the
>"secret" number ultimately being stored after the third XOR.  A single
>blind memory content exposure of the freelist was generally sufficient to
>learn the secret.
>
>Add a swab() call to mix bits a little more.  This is a cheap way (1
>cycle) to make attacks need more than a single exposure to learn the
>secret (or to know _where_ the exposure is in memory).
>
>kmalloc-32 freelist walk, before:
>
>ptr              ptr_addr            stored value      secret
>ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d)
>ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d)
>ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d)
>ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d)
>ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d)
>...
>
>after:
>
>ptr              ptr_addr            stored value      secret
>ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
>ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
>ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
>ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
>ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)
>
>[1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
>
>Fixes: 2482ddec670f ("mm: add SLUB free list pointer obfuscation")
>Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
>Signed-off-by: Kees Cook <keescook@chromium.org>
>Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>Cc: Christoph Lameter <cl@linux.com>
>Cc: Pekka Enberg <penberg@kernel.org>
>Cc: David Rientjes <rientjes@google.com>
>Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
>Cc: <stable@vger.kernel.org>
>Link: http://lkml.kernel.org/r/202003051623.AF4F8CB@keescook
>Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

As previously promised, I've grabbed d5767057c9a7 ("uapi: rename
ext2_swab() to swab() and share globally in swab.h") so that we'll have
swab() on 4.19 and 4.14, but it wasn't enough.

There was another conflict with d36a63a943e3 ("kasan, slub: fix more
conflicts with CONFIG_SLAB_FREELIST_HARDENED") which I've resolved by
simply doing:

diff --git a/mm/slub.c b/mm/slub.c
index 958a8f7a3c253..d2db6bc5e788b 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -248,7 +248,7 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
                                 unsigned long ptr_addr)
 {
 #ifdef CONFIG_SLAB_FREELIST_HARDENED
-       return (void *)((unsigned long)ptr ^ s->random ^ ptr_addr);
+       return (void *)swab((unsigned long)ptr ^ s->random ^ ptr_addr);
 #else
        return ptr;
 #endif

-- 
Thanks,
Sasha

Re: FAILED: patch "[PATCH] slub: improve bit diffusion for freelist ptr obfuscation" failed to apply to 4.19-stable tree

[Kees Cook]

On Mon, Apr 13, 2020 at 10:40:25PM -0400, Sasha Levin wrote:
> On Fri, Apr 10, 2020 at 10:09:02AM +0200, gregkh@linuxfoundation.org wrote:
> > 
> > The patch below does not apply to the 4.19-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@vger.kernel.org>.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> > ------------------ original commit in Linus's tree ------------------
> > 
> > From 1ad53d9fa3f6168ebcf48a50e08b170432da2257 Mon Sep 17 00:00:00 2001
> > From: Kees Cook <keescook@chromium.org>
> > Date: Wed, 1 Apr 2020 21:04:23 -0700
> > Subject: [PATCH] slub: improve bit diffusion for freelist ptr obfuscation
> > 
> > Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak
> > in that the ptr and ptr address were usually so close that the first XOR
> > would result in an almost entirely 0-byte value[1], leaving most of the
> > "secret" number ultimately being stored after the third XOR.  A single
> > blind memory content exposure of the freelist was generally sufficient to
> > learn the secret.
> > 
> > Add a swab() call to mix bits a little more.  This is a cheap way (1
> > cycle) to make attacks need more than a single exposure to learn the
> > secret (or to know _where_ the exposure is in memory).
> > 
> > kmalloc-32 freelist walk, before:
> > 
> > ptr              ptr_addr            stored value      secret
> > ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d)
> > ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d)
> > ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d)
> > ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d)
> > ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d)
> > ...
> > 
> > after:
> > 
> > ptr              ptr_addr            stored value      secret
> > ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
> > ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
> > ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
> > ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
> > ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)
> > 
> > [1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
> > 
> > Fixes: 2482ddec670f ("mm: add SLUB free list pointer obfuscation")
> > Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Christoph Lameter <cl@linux.com>
> > Cc: Pekka Enberg <penberg@kernel.org>
> > Cc: David Rientjes <rientjes@google.com>
> > Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
> > Cc: <stable@vger.kernel.org>
> > Link: http://lkml.kernel.org/r/202003051623.AF4F8CB@keescook
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> As previously promised, I've grabbed d5767057c9a7 ("uapi: rename
> ext2_swab() to swab() and share globally in swab.h") so that we'll have
> swab() on 4.19 and 4.14, but it wasn't enough.
> 
> There was another conflict with d36a63a943e3 ("kasan, slub: fix more
> conflicts with CONFIG_SLAB_FREELIST_HARDENED") which I've resolved by
> simply doing:
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index 958a8f7a3c253..d2db6bc5e788b 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -248,7 +248,7 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
>                                 unsigned long ptr_addr)
> {
> #ifdef CONFIG_SLAB_FREELIST_HARDENED
> -       return (void *)((unsigned long)ptr ^ s->random ^ ptr_addr);
> +       return (void *)swab((unsigned long)ptr ^ s->random ^ ptr_addr);

Eeek, no, no. The swab() must be on ptr_addr. I already sent a backport
for this to stable, see:
https://lore.kernel.org/stable/202004131001.20346EB0E7@keescook

Please use that instead.

-- 
Kees Cook

Re: FAILED: patch "[PATCH] slub: improve bit diffusion for freelist ptr obfuscation" failed to apply to 4.19-stable tree

[Greg KH]

On Mon, Apr 13, 2020 at 10:24:06PM -0700, Kees Cook wrote:
> On Mon, Apr 13, 2020 at 10:40:25PM -0400, Sasha Levin wrote:
> > On Fri, Apr 10, 2020 at 10:09:02AM +0200, gregkh@linuxfoundation.org wrote:
> > > 
> > > The patch below does not apply to the 4.19-stable tree.
> > > If someone wants it applied there, or to any other stable or longterm
> > > tree, then please email the backport, including the original git commit
> > > id to <stable@vger.kernel.org>.
> > > 
> > > thanks,
> > > 
> > > greg k-h
> > > 
> > > ------------------ original commit in Linus's tree ------------------
> > > 
> > > From 1ad53d9fa3f6168ebcf48a50e08b170432da2257 Mon Sep 17 00:00:00 2001
> > > From: Kees Cook <keescook@chromium.org>
> > > Date: Wed, 1 Apr 2020 21:04:23 -0700
> > > Subject: [PATCH] slub: improve bit diffusion for freelist ptr obfuscation
> > > 
> > > Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak
> > > in that the ptr and ptr address were usually so close that the first XOR
> > > would result in an almost entirely 0-byte value[1], leaving most of the
> > > "secret" number ultimately being stored after the third XOR.  A single
> > > blind memory content exposure of the freelist was generally sufficient to
> > > learn the secret.
> > > 
> > > Add a swab() call to mix bits a little more.  This is a cheap way (1
> > > cycle) to make attacks need more than a single exposure to learn the
> > > secret (or to know _where_ the exposure is in memory).
> > > 
> > > kmalloc-32 freelist walk, before:
> > > 
> > > ptr              ptr_addr            stored value      secret
> > > ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d)
> > > ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d)
> > > ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d)
> > > ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d)
> > > ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d)
> > > ...
> > > 
> > > after:
> > > 
> > > ptr              ptr_addr            stored value      secret
> > > ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
> > > ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
> > > ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
> > > ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
> > > ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)
> > > 
> > > [1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
> > > 
> > > Fixes: 2482ddec670f ("mm: add SLUB free list pointer obfuscation")
> > > Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > > Cc: Christoph Lameter <cl@linux.com>
> > > Cc: Pekka Enberg <penberg@kernel.org>
> > > Cc: David Rientjes <rientjes@google.com>
> > > Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
> > > Cc: <stable@vger.kernel.org>
> > > Link: http://lkml.kernel.org/r/202003051623.AF4F8CB@keescook
> > > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > 
> > As previously promised, I've grabbed d5767057c9a7 ("uapi: rename
> > ext2_swab() to swab() and share globally in swab.h") so that we'll have
> > swab() on 4.19 and 4.14, but it wasn't enough.
> > 
> > There was another conflict with d36a63a943e3 ("kasan, slub: fix more
> > conflicts with CONFIG_SLAB_FREELIST_HARDENED") which I've resolved by
> > simply doing:
> > 
> > diff --git a/mm/slub.c b/mm/slub.c
> > index 958a8f7a3c253..d2db6bc5e788b 100644
> > --- a/mm/slub.c
> > +++ b/mm/slub.c
> > @@ -248,7 +248,7 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
> >                                 unsigned long ptr_addr)
> > {
> > #ifdef CONFIG_SLAB_FREELIST_HARDENED
> > -       return (void *)((unsigned long)ptr ^ s->random ^ ptr_addr);
> > +       return (void *)swab((unsigned long)ptr ^ s->random ^ ptr_addr);
> 
> Eeek, no, no. The swab() must be on ptr_addr. I already sent a backport
> for this to stable, see:
> https://lore.kernel.org/stable/202004131001.20346EB0E7@keescook
> 
> Please use that instead.

I've dropped Sasha's backport and grabbed yours instead, thanks.

greg k-h