From patchwork Thu Jun 27 13:03:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Potapenko X-Patchwork-Id: 11019685 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E83F31708 for ; Thu, 27 Jun 2019 13:03:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DB5F528B08 for ; Thu, 27 Jun 2019 13:03:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CF97728B12; Thu, 27 Jun 2019 13:03:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4842628B08 for ; Thu, 27 Jun 2019 13:03:26 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 46C208E0007; Thu, 27 Jun 2019 09:03:25 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 3F64F8E0002; Thu, 27 Jun 2019 09:03:25 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2BE778E0007; Thu, 27 Jun 2019 09:03:25 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-qt1-f197.google.com (mail-qt1-f197.google.com [209.85.160.197]) by kanga.kvack.org (Postfix) with ESMTP id 092258E0002 for ; Thu, 27 Jun 2019 09:03:25 -0400 (EDT) Received: by mail-qt1-f197.google.com with SMTP id g56so2304493qte.4 for ; Thu, 27 Jun 2019 06:03:25 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:dkim-signature:date:message-id:mime-version :subject:from:to:cc; bh=nkuGlh1b+gHriNiPX/Ra1Bh+mzhPWQ4oquwmkvO30T4=; b=e9jkHvzPh5yXvVpGLG+qwwSjCevy6Zg3lCm4tWUe5vZDdJPCMDW3WIiSc7sMoU8/uu rW3YOHsZh/Z5lbTvSMsw3M/Pg51mmRojTI5IS4AXw+DBuP2HD+nyTr1S/NGExgHjRyfC 37zwJYfJ3YAk2vAp65G7TUhYBumvcjtB3FDI8HVxPNH64q0C/KxhP18xZp/bjV35bCpd K2QDmZr3uMwLsbu2+mSCdHoYHjOoXIHjipSm99oeY/iSyXKusBEUOw1Owq0o1awBO0Ip pY2KvhltQqu6kx/93z8soJE9ND95vkhY+8JXLXBWVWKGAZHGLpU2CzzbCEwQ65mqH/Y+ 0t2g== X-Gm-Message-State: APjAAAX9RuLE8EYfE9Jw0BwZRQfJI7xndMpD+rrubL4U++4pARSlWNl/ uCKufWRQw53aeLHlulC9erGI46sYLpOrEuKHtZW/kEKZ5iBAuoZXHU97Dd0zYnuXfeKbjiOLfI6 FLQkSzbP7tGM8KBDCwHEx10sxvqk0mFylNAR4If53Vi77qAc3L5nSzqGwL09D/ZT+tg== X-Received: by 2002:a05:6214:3a5:: with SMTP id m5mr3007717qvy.7.1561640604730; Thu, 27 Jun 2019 06:03:24 -0700 (PDT) X-Received: by 2002:a05:6214:3a5:: with SMTP id m5mr3007664qvy.7.1561640604060; Thu, 27 Jun 2019 06:03:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561640604; cv=none; d=google.com; s=arc-20160816; b=s6bwDIGbSvBLARYIv3dsXYLAjAgLqZgkouBqcZq1K06WZEk0xkdEuuP3mydw4lhTwJ 5DdJo14aPdSBU3sWAPxpLcsUqPojsCvyAN7f0veXjNE9PTFoLsyef88+8AGGoIFGeEik ByXuOEIOniAFCEEJbazOJKyNLJc7NKyhOf+Xew3KV9cCMek2wOAY771fXZon9eXLHjNo i+FdPcW7N+MHukGf+te8heQW6P78EZX/400TVlfWwPwO3/rIIkMJP6BiWAIUbwdcT9Oy lEqL6rS4KcfoEInuS4Qhbzc9ANM4izGAeE3ajE/xYvTkwNfiHUaL1VRMANRIofXD44KX 3kiQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:from:subject:mime-version:message-id:date:dkim-signature; bh=nkuGlh1b+gHriNiPX/Ra1Bh+mzhPWQ4oquwmkvO30T4=; b=oN2NeU+1XxfddlLjIxTjxMkpJ7jHJcsCCIdPLNOIVS3cb6Ff7WInSpHSn23757K9rR oIeNPLOIPI41yBQ0l9+YCn6QGGycBog3uStrujt3hgrc/UMhho2ldR0B3HIykDQzcNHZ m7Y8uI7xuxo1SBmJO47sLHHy+xskI+GkfLsjxrIPeaRfqBFD4I2BUN18SSiDI7BierI1 hMDUn4C9ckScqMzngUxrG3vmXEMoZo6NntvXaCjgWVF4gstKmYDnQqKUuGT9CZYe6oO7 rQO625myK0B+8E/2ABnVgT33TazUvk2sN5YkqMfT1A0buEBoK6LllhTs4ErX2QQDjggZ 8QAA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=iBxY0ZFg; spf=pass (google.com: domain of 3m74uxqykcfo8da56j8gg8d6.4gedafmp-eecn24c.gj8@flex--glider.bounces.google.com designates 209.85.220.73 as permitted sender) smtp.mailfrom=3m74UXQYKCFo8DA56J8GG8D6.4GEDAFMP-EECN24C.GJ8@flex--glider.bounces.google.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from mail-sor-f73.google.com (mail-sor-f73.google.com. [209.85.220.73]) by mx.google.com with SMTPS id y187sor1327860qkc.24.2019.06.27.06.03.23 for (Google Transport Security); Thu, 27 Jun 2019 06:03:24 -0700 (PDT) Received-SPF: pass (google.com: domain of 3m74uxqykcfo8da56j8gg8d6.4gedafmp-eecn24c.gj8@flex--glider.bounces.google.com designates 209.85.220.73 as permitted sender) client-ip=209.85.220.73; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=iBxY0ZFg; spf=pass (google.com: domain of 3m74uxqykcfo8da56j8gg8d6.4gedafmp-eecn24c.gj8@flex--glider.bounces.google.com designates 209.85.220.73 as permitted sender) smtp.mailfrom=3m74UXQYKCFo8DA56J8GG8D6.4GEDAFMP-EECN24C.GJ8@flex--glider.bounces.google.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=nkuGlh1b+gHriNiPX/Ra1Bh+mzhPWQ4oquwmkvO30T4=; b=iBxY0ZFgO84nGjeC4loAOGtpGOs9Yd+fQ6I8SutqbHSeU1rnf5JzTtlDWjLJJd0/Nr zxHj+IuFkHMyvyWAC33SPbFZGoTK8algV818k/Q71cVpkVHuMBWJKC2ksgxr8pUJEAaP dutE+V9ZPEuAoDr2MSkkEBS313KEVD9qNR/3caN6hxA6tFWKop/qr1X7z/Lboo8tZQwW I254YFH5T0q6XJAe0Tm+VeVcDZaaB1k/+ZUj+rUz7ui9QpYJ0gGlpps4Mr8zWe3VA6HN icTzVRARAhzNdo2Mw8haBEcLFFm82kBhXJPRKv+9+EU9hoEDndfPYq5OKewAgDwKnu5l kK2Q== X-Google-Smtp-Source: APXvYqyb2fwdKxY/0wj7U997eReOnW8Kj1pQxO+Xnu7fYid+NvlrsgBAglMJ1qJ5NwkNSnI/uio1IDG6JGY= X-Received: by 2002:a05:620a:35e:: with SMTP id t30mr3084826qkm.1.1561640603625; Thu, 27 Jun 2019 06:03:23 -0700 (PDT) Date: Thu, 27 Jun 2019 15:03:14 +0200 Message-Id: <20190627130316.254309-1-glider@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH v9 0/3] add init_on_alloc/init_on_free boot options From: Alexander Potapenko To: Andrew Morton , Christoph Lameter , Kees Cook Cc: Alexander Potapenko , Masahiro Yamada , Michal Hocko , James Morris , "Serge E. Hallyn" , Nick Desaulniers , Kostya Serebryany , Dmitry Vyukov , Sandeep Patil , Laura Abbott , Randy Dunlap , Jann Horn , Mark Rutland , Marco Elver , Qian Cai , linux-mm@kvack.org, linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Provide init_on_alloc and init_on_free boot options. These are aimed at preventing possible information leaks and making the control-flow bugs that depend on uninitialized values more deterministic. Enabling either of the options guarantees that the memory returned by the page allocator and SL[AU]B is initialized with zeroes. SLOB allocator isn't supported at the moment, as its emulation of kmem caches complicates handling of SLAB_TYPESAFE_BY_RCU caches correctly. Enabling init_on_free also guarantees that pages and heap objects are initialized right after they're freed, so it won't be possible to access stale data by using a dangling pointer. As suggested by Michal Hocko, right now we don't let the heap users to disable initialization for certain allocations. There's not enough evidence that doing so can speed up real-life cases, and introducing ways to opt-out may result in things going out of control. To: Andrew Morton To: Christoph Lameter To: Kees Cook Cc: Masahiro Yamada Cc: Michal Hocko Cc: James Morris Cc: "Serge E. Hallyn" Cc: Nick Desaulniers Cc: Kostya Serebryany Cc: Dmitry Vyukov Cc: Sandeep Patil Cc: Laura Abbott Cc: Randy Dunlap Cc: Jann Horn Cc: Mark Rutland Cc: Marco Elver Cc: Qian Cai Cc: linux-mm@kvack.org Cc: linux-security-module@vger.kernel.org Cc: kernel-hardening@lists.openwall.com Alexander Potapenko (2): mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options mm: init: report memory auto-initialization features at boot time .../admin-guide/kernel-parameters.txt | 9 +++ drivers/infiniband/core/uverbs_ioctl.c | 2 +- include/linux/mm.h | 24 +++++++ init/main.c | 24 +++++++ mm/dmapool.c | 4 +- mm/page_alloc.c | 71 +++++++++++++++++-- mm/slab.c | 16 ++++- mm/slab.h | 20 ++++++ mm/slub.c | 41 +++++++++-- net/core/sock.c | 2 +- security/Kconfig.hardening | 29 ++++++++ 11 files changed, 224 insertions(+), 18 deletions(-) --- v3: dropped __GFP_NO_AUTOINIT patches v5: dropped support for SLOB allocator, handle SLAB_TYPESAFE_BY_RCU v6: changed wording in boot-time message v7: dropped the test_meminit.c patch (picked by Andrew Morton already), minor wording changes v8: fixes for interoperability with other heap debugging features v9: added support for page/slab poisoning