Message ID | 20230915105933.495735-9-matteorizzo@google.com (mailing list archive) |
---|---|
State | New |
Series | Prevent cross-cache attacks in the SLUB allocator |

On Fri, Sep 15, 2023 at 10:59:27AM +0000, Matteo Rizzo wrote:
> From: Jann Horn <jannh@google.com>
>
> SLAB_VIRTUAL is a mitigation for the SLUB allocator which prevents reuse
> of virtual addresses across different slab caches and therefore makes
> some types of use-after-free bugs unexploitable.
>
> SLAB_VIRTUAL is incompatible with KASAN and we believe it's not worth
> adding support for it. This is because SLAB_VIRTUAL and KASAN are aimed
> at two different use cases: KASAN is meant for catching bugs as early as
> possible in debug/fuzz/testing builds, and it's not meant to be used in
> production. SLAB_VIRTUAL on the other hand is an exploit mitigation that
> doesn't attempt to highlight bugs but instead tries to make them
> unexploitable. It doesn't make sense to enable it in debugging builds or
> during fuzzing, and instead we expect that it will be enabled in
> production kernels.
>
> SLAB_VIRTUAL is not currently compatible with KFENCE, removing this
> limitation is future work.
>
> Signed-off-by: Jann Horn <jannh@google.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 0f295961e773..9f4e6e38aa76 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -355,4 +355,18 @@ config GCC_PLUGIN_RANDSTRUCT * https://grsecurity.net/ * https://pax.grsecurity.net/ +config SLAB_VIRTUAL + bool "Allocate slab objects from virtual memory" + depends on SLUB && !SLUB_TINY + # If KFENCE support is desired, it could be implemented on top of our + # virtual memory allocation facilities + depends on !KFENCE + # ASAN support will require that shadow memory is allocated + # appropriately. + depends on !KASAN + help + Allocate slab objects from kernel-virtual memory, and ensure that + virtual memory used as a slab cache is never reused to store + objects from other slab caches or non-slab data. + endmenu
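
Review bot: The help text of the new SLAB_VIRTUAL entry says what the option does but not why someone would enable it. The reason given in the commit message (virtual addresses are not reused across slab caches, which makes some types of use-after-free bugs unexploitable, and the option is meant for production kernels rather than debug or fuzzing builds) should be carried into the help so it is visible from menuconfig. The help could also mention the `depends on !KASAN` and `depends on !KFENCE` exclusions, since enabling either of those hides this option. The comment above `depends on !KASAN` says "ASAN support"; it should say KASAN to match the symbol it explains. The entry has no `default` line, so it is off unless selected; a short "If unsure, say N" (or the intended recommendation) in the help would make that explicit.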