From: Kees Cook
To: Vlastimil Babka
Cc: Kees Cook, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, "GONG, Ruiqi", Xiu Jianfeng, Suren Baghdasaryan, Kent Overstreet, Jann Horn, Matteo Rizzo, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: [PATCH v2 0/9] slab: Introduce dedicated bucket allocator
Date: Tue, 5 Mar 2024 02:10:16 -0800
Message-Id: <20240305100933.it.923-kees@kernel.org>
Hi,

Repeating the commit logs for patch 4 here:

Dedicated caches are available for fixed size allocations via kmem_cache_alloc(), but for dynamically sized allocations there is only the global kmalloc API's set of buckets available. This means it isn't possible to separate specific sets of dynamically sized allocations into a separate collection of caches. This leads to a use-after-free exploitation weakness in the Linux kernel since many heap memory spraying/grooming attacks depend on using userspace-controllable dynamically sized allocations to collide with fixed size allocations that end up in the same cache.
While CONFIG_RANDOM_KMALLOC_CACHES provides a probabilistic defense against these kinds of "type confusion" attacks, including for fixed same-size heap objects, we can create a complementary deterministic defense for dynamically sized allocations.

In order to isolate user-controllable sized allocations from system allocations, introduce kmem_buckets_create(), which behaves like kmem_cache_create(). (The next patch will introduce kmem_buckets_alloc(), which behaves like kmem_cache_alloc().) This allows for confining allocations to a dedicated set of sized caches (which have the same layout as the kmalloc caches).

This can also be used in the future once codetag allocation annotations exist to implement per-caller allocation cache isolation[0] even for dynamic allocations.

Link: https://lore.kernel.org/lkml/202402211449.401382D2AF@keescook [0]

After the implementation are 2 example patches of how this could be used for some repeat "offenders" that get used in exploits. There are more to be isolated beyond just these.

Repeating the commit log for patch 8 here:

The msg subsystem is a common target for exploiting[1][2][3][4][5][6] use-after-free type confusion flaws in the kernel for both read and write primitives. Avoid having a user-controlled size cache share the global kmalloc allocator by using a separate set of kmalloc buckets.
Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1]
Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2]
Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3]
Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4]
Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5]
Link: https://zplin.me/papers/ELOISE.pdf [6]

-Kees

v2: significant rewrite, generalized the buckets type, added kvmalloc style
v1: https://lore.kernel.org/lkml/20240304184252.work.496-kees@kernel.org/

Kees Cook (9):
  slab: Introduce kmem_buckets typedef
  slub: Plumb kmem_buckets into __do_kmalloc_node()
  util: Introduce __kvmalloc_node() that can take kmem_buckets argument
  slab: Introduce kmem_buckets_create()
  slab: Introduce kmem_buckets_alloc()
  slub: Introduce kmem_buckets_alloc_track_caller()
  slab: Introduce kmem_buckets_valloc()
  ipc, msg: Use dedicated slab buckets for alloc_msg()
  mm/util: Use dedicated slab buckets for memdup_user()

 include/linux/slab.h | 50 +++++++++++++++++++++-------
 ipc/msgutil.c        | 13 +++++++-
 lib/fortify_kunit.c  |  2 +-
 mm/slab.h            |  6 ++--
 mm/slab_common.c     | 77 ++++++++++++++++++++++++++++++++++++++++++--
 mm/slub.c            | 14 ++++----
 mm/util.c            | 23 +++++++++----
 7 files changed, 154 insertions(+), 31 deletions(-)
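To make the isolation argument of the cover letter concrete, here is a small userspace C model, added here and not code from the series or the kernel: a bucket set is an array of size-class caches laid out like the kmalloc caches, so a 90-byte user-sized message and a 96-byte fixed-size object both round to the 128-byte class, but a private set created with kmem_buckets_create() returns a different cache for it than the global set does. The function names mirror the series; their signatures, the power-of-two-only size classes, and the 90/96-byte sample sizes are assumptions of this model.

```c
/* Added userspace model of the kmem_buckets idea (not the kernel's code): a bucket
 * set is an array of size-class caches; signatures and classes are assumptions. */
#include <stdio.h>
#include <stdlib.h>

#define SHIFT_LOW  3                      /* smallest class: 8 bytes    */
#define SHIFT_HIGH 12                     /* largest class: 4096 bytes  */
#define NR_BUCKETS (SHIFT_HIGH - SHIFT_LOW + 1)

struct kmem_cache { char name[40]; size_t object_size; };
typedef struct { struct kmem_cache *caches[NR_BUCKETS]; } kmem_buckets;

/* Round a request up to its size class, as the kmalloc index lookup does. */
static int bucket_index(size_t size)
{
	int idx = 0;
	size_t cls = (size_t)1 << SHIFT_LOW;
	if (size == 0 || size > ((size_t)1 << SHIFT_HIGH))
		return -1;                /* model: no large-page fallback */
	while (cls < size) { cls <<= 1; idx++; }
	return idx;
}

/* Like kmem_cache_create(), but builds a whole private set of sized caches. */
kmem_buckets *kmem_buckets_create(const char *name)
{
	kmem_buckets *b = calloc(1, sizeof(*b));
	for (int i = 0; i < NR_BUCKETS; i++) {
		struct kmem_cache *c = calloc(1, sizeof(*c));
		c->object_size = (size_t)1 << (SHIFT_LOW + i);
		snprintf(c->name, sizeof(c->name), "%s-%zu", name, c->object_size);
		b->caches[i] = c;
	}
	return b;
}

/* The cache a kmem_buckets_alloc(b, size, ...) would be served from. */
struct kmem_cache *kmem_buckets_cache(kmem_buckets *b, size_t size)
{
	int idx = bucket_index(size);
	return idx < 0 ? NULL : b->caches[idx];
}

int main(void)
{
	kmem_buckets *g = kmem_buckets_create("kmalloc"), *m = kmem_buckets_create("msg_msg");
	/* constructed sizes: 96-byte fixed object vs. 90-byte user-sized message */
	printf("%s vs %s (shared)\n", kmem_buckets_cache(g, 96)->name, kmem_buckets_cache(g, 90)->name);
	printf("%s vs %s (isolated)\n", kmem_buckets_cache(g, 96)->name, kmem_buckets_cache(m, 90)->name);
	return 0;
}
```

The same size class is chosen in both sets; what changes is that the private set's cache is never the one the global kmalloc path hands out, which is the whole point of the msg_msg and memdup_user() patches.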