From patchwork Mon Jun 19 23:36:37 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9798101
From: Kees Cook
To: kernel-hardening@lists.openwall.com
Cc: Kees Cook, David Windsor, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Date: Mon, 19 Jun 2017 16:36:37 -0700
Message-Id: <1497915397-93805-24-git-send-email-keescook@chromium.org>
In-Reply-To: <1497915397-93805-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH 23/23] mm: Allow slab_nomerge to be set at build time

Some hardened environments want to build kernels with slab_nomerge already set (so that they do not depend on remembering to set the kernel command line option). This is desired to reduce the risk of kernel heap overflows being able to overwrite objects from merged caches, increasing the difficulty of these attacks. By keeping caches unmerged, these kinds of exploits can usually only damage objects in the same cache (though the risk to metadata exploitation is unchanged).

Signed-off-by: Kees Cook
---
 mm/slab_common.c |  5 ++---
 security/Kconfig | 13 +++++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/mm/slab_common.c b/mm/slab_common.c index 6c14d765379f..17a4c4b33283 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c
@@ -47,13 +47,12 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work, /* * Merge control. If this is set then no merging of slab caches will occur. - * (Could be removed. This was introduced to pacify the merge skeptics.) */ -static int slab_nomerge; +static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT); static int __init setup_slab_nomerge(char *str) { - slab_nomerge = 1; + slab_nomerge = true; return 1; } diff --git a/security/Kconfig b/security/Kconfig index 0c181cebdb8a..e40bd2a260f8 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -166,6 +166,19 @@ config HARDENED_USERCOPY_SPLIT_KMALLOC confined to a separate cache, attackers must find other ways to prepare heap attacks that will be near their desired target. +config SLAB_MERGE_DEFAULT + bool "Allow slab caches to be merged" + default y + help + For reduced kernel memory fragmentation, slab caches can be + merged when they share the same size and other characteristics. + This carries a small risk of kernel heap overflows being able + to overwrite objects from merged caches, which reduces the + difficulty of such heap attacks. By keeping caches unmerged, + these kinds of exploits can usually only damage objects in the + same cache. To disable merging at runtime, "slab_nomerge" can be + passed on the kernel command line. + config STATIC_USERMODEHELPER bool "Force all usermode helper calls through a single binary" help
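Review bot: In the mm/slab_common.c hunk, setup_slab_nomerge() can still only set slab_nomerge to true, so a kernel built with CONFIG_SLAB_MERGE_DEFAULT=n has no boot-time way to turn merging back on, for example to compare fragmentation or to bisect a regression. Consider adding a matching slab_merge parameter that sets the flag to false, or state in the Kconfig help that N cannot be overridden at boot. The diffstat also shows no change outside these two files, so the existing documentation for the slab_nomerge parameter will not mention that its default now depends on CONFIG_SLAB_MERGE_DEFAULT. The initializer assigns !IS_ENABLED() of a "merge" option to a "nomerge" variable; the logic is correct, but a one-line comment would save the next reader from re-deriving the double negative.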
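Review bot: In the security/Kconfig hunk, the help text for SLAB_MERGE_DEFAULT describes the trade-off but never says what answering N does or which answer a hardened build should choose; a closing sentence such as "Say N to keep slab caches unmerged by default." would make the option usable without reading the commit message. The last help sentence says merging can be disabled "at runtime", but slab_nomerge is handled by an __init setup function in the first hunk, so "at boot" is the accurate wording. The help text also drops the caveat from the commit message that the risk of metadata exploitation is unchanged; keeping it would stop N from being read as complete protection against heap overflows.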