From patchwork Thu Aug 13 15:19:20 2020
X-Patchwork-Submitter: Alexander Popov
X-Patchwork-Id: 11712587
From: Alexander Popov
To: Kees Cook, Jann Horn, Will Deacon, Andrey Ryabinin, Alexander Potapenko,
    Dmitry Vyukov, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim,
    Andrew Morton, Masahiro Yamada, Masami Hiramatsu, Steven Rostedt,
    Peter Zijlstra, Krzysztof Kozlowski, Patrick Bellasi, David Howells,
    Eric Biederman, Johannes Weiner, Laura Abbott, Arnd Bergmann,
    Greg Kroah-Hartman, kasan-dev@googlegroups.com, linux-mm@kvack.org,
    kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org,
    Alexander Popov
Cc: notify@kernel.org
Subject: [PATCH RFC 0/2] Break heap spraying needed for exploiting use-after-free
Date: Thu, 13 Aug 2020 18:19:20 +0300
Message-Id: <20200813151922.1093791-1-alex.popov@linux.com>

Hello everyone! Requesting your comments.

Use-after-free vulnerabilities in the Linux kernel are very popular for
exploitation. A few examples:
  https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
  https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html?m=1
  https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html

Use-after-free exploits usually employ the heap spraying technique.
Generally it aims to put controlled bytes at a predetermined memory
location on the heap. Heap spraying for exploiting use-after-free in
the Linux kernel relies on the fact that on kmalloc(), the slab allocator
returns the address of the memory that was recently freed. So allocating
a kernel object with the same size and controlled contents allows
overwriting the vulnerable freed object.

I've found an easy way to break heap spraying for use-after-free
exploitation. I simply extracted slab freelist quarantine from KASAN
functionality and called it CONFIG_SLAB_QUARANTINE. Please see patch 1.

If this feature is enabled, freed allocations are stored in the quarantine
and can't be instantly reallocated and overwritten by the exploit
performing heap spraying.

In patch 2 you can see the lkdtm test showing how CONFIG_SLAB_QUARANTINE
prevents immediate reallocation of a freed heap object.

I tested this patch series both for CONFIG_SLUB and CONFIG_SLAB.

CONFIG_SLAB_QUARANTINE disabled:

  # echo HEAP_SPRAY > /sys/kernel/debug/provoke-crash/DIRECT
  lkdtm: Performing direct entry HEAP_SPRAY
  lkdtm: Performing heap spraying...
  lkdtm: attempt 0: spray alloc addr 00000000f8699c7d vs freed addr 00000000f8699c7d
  lkdtm: freed addr is reallocated!
  lkdtm: FAIL! Heap spraying succeed :(

CONFIG_SLAB_QUARANTINE enabled:

  # echo HEAP_SPRAY > /sys/kernel/debug/provoke-crash/DIRECT
  lkdtm: Performing direct entry HEAP_SPRAY
  lkdtm: Performing heap spraying...
  lkdtm: attempt 0: spray alloc addr 000000009cafb63f vs freed addr 00000000173cce94
  lkdtm: attempt 1: spray alloc addr 000000003096911f vs freed addr 00000000173cce94
  lkdtm: attempt 2: spray alloc addr 00000000da60d755 vs freed addr 00000000173cce94
  lkdtm: attempt 3: spray alloc addr 000000000b415070 vs freed addr 00000000173cce94
  ...
  lkdtm: attempt 126: spray alloc addr 00000000e80ef807 vs freed addr 00000000173cce94
  lkdtm: attempt 127: spray alloc addr 00000000398fe535 vs freed addr 00000000173cce94
  lkdtm: OK! Heap spraying hasn't succeed :)

I did a brief performance evaluation of this feature.

1. Memory consumption. KASAN quarantine uses 1/32 of the memory.

CONFIG_SLAB_QUARANTINE disabled:

  # free -m
                total        used        free      shared  buff/cache   available
  Mem:           1987          39        1862          10          86        1907
  Swap:             0           0           0

CONFIG_SLAB_QUARANTINE enabled:

  # free -m
                total        used        free      shared  buff/cache   available
  Mem:           1987         140        1760          10          87        1805
  Swap:             0           0           0

2. Performance penalty. I used `hackbench -s 256 -l 200 -g 15 -f 25 -P`.

CONFIG_SLAB_QUARANTINE disabled (x86_64, CONFIG_SLUB):
  Times: 3.088, 3.103, 3.068, 3.103, 3.107
  Mean: 3.0938
  Standard deviation: 0.0144

CONFIG_SLAB_QUARANTINE enabled (x86_64, CONFIG_SLUB):
  Times: 3.303, 3.329, 3.356, 3.314, 3.292
  Mean: 3.3188 (+7.3%)
  Standard deviation: 0.0223

I would appreciate your feedback!

Best regards,
Alexander

Alexander Popov (2):
  mm: Extract SLAB_QUARANTINE from KASAN
  lkdtm: Add heap spraying test

 drivers/misc/lkdtm/core.c  |   1 +
 drivers/misc/lkdtm/heap.c  |  40 ++++++++++++++
 drivers/misc/lkdtm/lkdtm.h |   1 +
 include/linux/kasan.h      | 107 ++++++++++++++++++++-----------------
 include/linux/slab_def.h   |   2 +-
 include/linux/slub_def.h   |   2 +-
 init/Kconfig               |  11 ++++
 mm/Makefile                |   3 +-
 mm/kasan/Makefile          |   2 +
 mm/kasan/kasan.h           |  75 +++++++++++++-------------
 mm/kasan/quarantine.c      |   2 +
 mm/kasan/slab_quarantine.c |  99 ++++++++++++++++++++++++++++++++++
 mm/slub.c                  |   2 +-
 13 files changed, 258 insertions(+), 89 deletions(-)
 create mode 100644 mm/kasan/slab_quarantine.c
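To make the allocator behaviour the cover letter relies on concrete, here is a constructed toy model, added here and not code from the patch series or the kernel: a LIFO slab freelist that hands a just-freed object straight back, next to a bounded FIFO quarantine in the spirit of the one the series extracts from KASAN, and a function that repeats the lkdtm HEAP_SPRAY check against the model. POOL_OBJECTS, QUARANTINE_SLOTS and the struct and function names are assumptions of the model, not kernel identifiers.

```c
#include <stdbool.h>
/* Constructed toy model of one slab cache (not kernel code): same-sized objects on
 * a LIFO freelist, so kmalloc() gets the most recently freed object first, plus an
 * optional quarantine like the one the series extracts from KASAN. */
#define POOL_OBJECTS 256
#define QUARANTINE_SLOTS 32
struct slab_model {
    int freelist[POOL_OBJECTS], nfree;             /* last entry is reused first */
    int quarantine[QUARANTINE_SLOTS], qhead, qlen; /* FIFO ring of freed objects */
    bool quarantine_on;
};

/* kmalloc(): pop the top of the freelist, or -1 when the cache is exhausted. */
static int slab_alloc(struct slab_model *s) { return s->nfree > 0 ? s->freelist[--s->nfree] : -1; }

/* kfree(): without quarantine the object is reusable at once; with it the object
 * waits in the ring, and only the oldest entry is released, only when it is full. */
static void slab_free(struct slab_model *s, int obj)
{
    if (!s->quarantine_on) {
        s->freelist[s->nfree++] = obj;
        return;
    }
    if (s->qlen == QUARANTINE_SLOTS) {
        s->freelist[s->nfree++] = s->quarantine[s->qhead];
        s->qhead = (s->qhead + 1) % QUARANTINE_SLOTS;
        s->qlen--;
    }
    s->quarantine[(s->qhead + s->qlen++) % QUARANTINE_SLOTS] = obj;
}

/* The cover letter's lkdtm HEAP_SPRAY check in model form: free one object, then
 * allocate `attempts` times (optionally freeing each one again, which fills the
 * ring) and return the first attempt that gets the freed object back, else -1. */
static int spray_first_hit(bool quarantine_on, bool free_each, int attempts)
{
    struct slab_model s = { .quarantine_on = quarantine_on };
    for (int i = POOL_OBJECTS - 1; i >= 0; i--)
        s.freelist[s.nfree++] = i;
    int victim = slab_alloc(&s);
    slab_free(&s, victim);
    for (int i = 0; i < attempts; i++) {
        int got = slab_alloc(&s);
        if (got == victim)
            return i;              /* "freed addr is reallocated!" */
        if (free_each)
            slab_free(&s, got);
    }
    return -1;
}
```

Without the quarantine the freed object comes back on attempt 0, as in the first lkdtm run; with it, 128 allocations never see the object, as in the second run, while a sequence that also frees each allocation gets the object back only after QUARANTINE_SLOTS further frees have cycled the ring, which is the sense in which a bounded quarantine delays reuse rather than preventing it.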