From patchwork Mon Mar 4 18:49:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13581009 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1B96AC5478C for ; Mon, 4 Mar 2024 18:49:44 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id DE6136B0089; Mon, 4 Mar 2024 13:49:40 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id D950B6B008A; Mon, 4 Mar 2024 13:49:40 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id BD07A6B008C; Mon, 4 Mar 2024 13:49:40 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id A02396B008A for ; Mon, 4 Mar 2024 13:49:40 -0500 (EST) Received: from smtpin04.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay05.hostedemail.com (Postfix) with ESMTP id 71A8540116 for ; Mon, 4 Mar 2024 18:49:40 +0000 (UTC) X-FDA: 81860245320.04.CD63ED5 Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) by imf12.hostedemail.com (Postfix) with ESMTP id AE72140008 for ; Mon, 4 Mar 2024 18:49:37 +0000 (UTC) Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=e8qnrbgT; spf=pass (imf12.hostedemail.com: domain of keescook@chromium.org designates 209.85.215.174 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1709578177; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=63pQSv4lgdcPPxgjmIdkeCTgPw+ykuMnj3qldPskCm4=; b=ceG+VHe2pcMuUXFoQEoeMCVnLwX2q+kAlMqiBng0hDFgNaiAliVJMZwoIzpLJjc0yhr3wc 7YgB5wxEWcNinCPfLWXvGVxhQVsGPzxhJ/Fgc5iz+Y7wQKak7AKFiAy+cIbclqm3HPpK8D pwYzxujM8aRpkMo62aKpZPObybr8mtk= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1709578177; a=rsa-sha256; cv=none; b=LKHsnOq2jAD9uoIlPNkbMyOTXPR3nm6fAHeK8RPdmbKCCTBEy+54M4ZpDsSCuZZhFtI9EG NDwCWtaTdadsBmwjNOQamw4oyyek+5ignM2aOHeHbtLILLmlujiW0NNMtrTPtgcw4hZPtg RC/qDIrlZIaRIfz6LFcHnQHJBAs8LVk= ARC-Authentication-Results: i=1; imf12.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=e8qnrbgT; spf=pass (imf12.hostedemail.com: domain of keescook@chromium.org designates 209.85.215.174 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-53fa455cd94so4186819a12.2 for ; Mon, 04 Mar 2024 10:49:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1709578176; x=1710182976; darn=kvack.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=63pQSv4lgdcPPxgjmIdkeCTgPw+ykuMnj3qldPskCm4=; b=e8qnrbgT0A4aSpJ5t4QU9kEquQKLaMkCE53tX4r8kgm9HLUw2ArD7nNs43SiLTUT1L NqjrNkyPpWluauXXwonRQouWU4vQIEENPIpU6UHVzJl/mDHCoKIfkQUlUDmsqndo2Qdv ePbus3J+fl7kJoXzdAsKiJn2vPlY1eTv3iAcU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709578176; x=1710182976; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=63pQSv4lgdcPPxgjmIdkeCTgPw+ykuMnj3qldPskCm4=; b=OCWKn5hpJzHZvXyP4VIOmlegMwQ83t6v4TAuZJMHy5K2j7bWoGNM+ass1qBJu3pA8o mtnCzKG0ayf59fQ44jbHokMniYbu0/ee9WKnJK5eR1GeiM1DV3lo2ff/C4TvyYwA2xwX RTdHMp/b0XmRFAL8yJWP1HzV8ekTIjhXAYCxx07e1YjsD9desjtrxQndTQ6byNZ/tUf9 G3saaGyELO17AzIjKQs3LvEKVETFDyrCMhhWjAm9jUEdLrbqUAM7NSMwrjHj5uQyIcl4 8TQ7VLUVpgrc39RUBGUsYSeRWl2QB3VrYXD5HYtWj+BhCanDUiSKID1OsFsvZpB51Z8t eeiQ== X-Forwarded-Encrypted: i=1; AJvYcCW4w0HAqs8yvipCkOTn7LZMhWT1vkd+vQGcIW7Ep53taFR4wguqMe7Aa6Qdtb9A78V9Uj+MtDkHGkaVNr04brhRtK8= X-Gm-Message-State: AOJu0Yyiyw3xbT1gdzQWAQVKsO9q62Y/f4jIM26CNLQ8mPkOAg/jX8Vt LOqYVKaBtunTi8VnuC5rU5DpPFdg+4ScCkmXc+4yfXHcSarO1nEQstZBFK3lgA== X-Google-Smtp-Source: AGHT+IEqbrBUCeaoycN6eZ+VoJQJ/3ekxM3Ni9GrmrAmVAhx541ISPKoahwiO20Sd0vgoGv+eX/7cQ== X-Received: by 2002:a05:6a21:9214:b0:1a1:4842:6760 with SMTP id tl20-20020a056a21921400b001a148426760mr1903106pzb.50.1709578176499; Mon, 04 Mar 2024 10:49:36 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id j4-20020a654284000000b005d8be4c125csm6743414pgp.80.2024.03.04.10.49.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Mar 2024 10:49:34 -0800 (PST) From: Kees Cook To: Vlastimil Babka Cc: Kees Cook , "GONG, Ruiqi" , Xiu Jianfeng , Suren Baghdasaryan , Kent Overstreet , Andrew Morton , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, Christian Brauner , Al Viro , Jan Kara , linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 2/4] ipc, msg: Use dedicated slab buckets for alloc_msg() Date: Mon, 4 Mar 2024 10:49:30 -0800 Message-Id: <20240304184933.3672759-2-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240304184252.work.496-kees@kernel.org> References: <20240304184252.work.496-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2289; i=keescook@chromium.org; h=from:subject; bh=+zltM60WJIwhQhbYbj+QC0RcHFfEEaTaC5b3PkagfmU=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBl5he8qRUAcVCqu4hpjGv4CjmdHzSAnbUNg4er3 NYamCewr9+JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZeYXvAAKCRCJcvTf3G3A JuDzEACBBwraGVldgENLbkSYf63dOOHOPJEiqhaSkAxMKXMPigi7yQdQbfcNSnwgtebo1L2uUYv 8a5GjWZgg0pW2K8BJCfxaWqaOKGcKcaQl1JGzOhYIznQhTvy3eFL7liqoKr/iyqINgJllEJw5u1 73nGpA9SrpjgMVQ1WWjUKo3CDRewIUR0dTk28fcGEgg2RubRBocB+ojMwSQvPfl2WwXNNJ6NnaM t1jPN5TOfmjkQwM+IKkwdXSau+eNTMhtba3hE02RRu1OPtszIgPzv9e6R7LQqcPA+z5Nnw9Mx4y ZbqEuw8j6jqARnWfEt9pH8SBkxg5A5JD8uhSVvD9eLQTvHQ47gbqoIV3OvqhNEVQB2mMxiFpJIK NlLkEb/nSKSv3ezcvBEPp9sNggeP6uknRz72aj7v0lLBeL9dnwoPjQS8Vx4tIco3WJcVgCiOxes 11aqWUfxoQSK/Hm/2uAQSZRBPq9t11u4mLp4PCdwiyhfBdIqhHXQUXwKfqAd5M95kCOWSger5J9 de8D2cgNhvOQlrVe+1Oj+J515SQVuJJH4p1jmyS5NEs9nXqR8qExyhvPhjm7ka/HrKG77o3MS0F 7hijfdr4qYUQTGuK0lTaECipjA3875yLPsHC4EB0tB+xynBLCgMVx7JT6jFuddPDRtCkf8QdmaT L+aT5CFzJLRrfWA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-Rspamd-Queue-Id: AE72140008 X-Rspam-User: X-Stat-Signature: iwthopodnmfo6yeigidq1puyyfrw9mxu X-Rspamd-Server: rspam03 X-HE-Tag: 1709578177-668044 X-HE-Meta: U2FsdGVkX1+TwzjdHgef2kOcfKACksYFv9/cKn0gH27z6CENgJDfttk2MwhNKL94IP4xtxLrHFJ/Tgs8uF9vvuo2ZTotxBEAevasxuFp/9kK4BBhyQSgfG1VmgLzmNoykfftAqLyzUysxpozl5iMd2KJMXprnkX07nP0W+OZ/sHTuBNjRO+egnXX4awKQeyoA19PK9dXveLeCt0ba47E62PKdS5WcbsS/LqVW4f5/XGQHhyEgB2kec7Hmc3lH7BApu0zY5Gy8kj3ZYaYhLN4HjAwY9h8azmvGvpM5XXsqr4zqxpFMB80DfzUsz3qVwY+iYkbtXojQ3eg8Jc9c3zPPAynWcEef2BdY2XlXpfldB95tSqYN5F4Hpmnav0Kk90L50g8PaAvQtXsoAgZ6Dxa4BdGUJbF0/WK2b8CSs4znHG6O6ALbvXbQU2PFeiIwSQtDN4A0CnO60V5DwAMbsmH6rWJRnjwkCvCxnNMdwn4OGzHouKJijdR28ZZEzxnlHgL22LOKHoQ6qerocoGRfl+plcxzV0G1w+torNt9dDnU7YjhM8prNpXxlL8QputMHH8Pm1TYTJ5hTXSUvkajS1fF3L3hs5YAvmaBUSjZGsdrnDWqSM3wrJPbt/DMwU1sw2w9JBAMp2/G3B4DIyh+qM5f/thpIRTEgv3aOZlpOe9sehnkjgyXKhE5kRskWLzLhLF0hqkXwVzwnx7AJtd05yHi+qwApWaMMRNQGgNUql80U1trlkEnUvW8XW9KC+GEozKVXBx5hbydYzmbkw3sM/QZSJ4zUwIqgvg2xA2RoP0M1M+Pv5T4OxGm23R1xnE6myHsjc+wkfxKRh39kI9Mu5u3ucdgNAdfsa6MTrKHdqzzPtgR4tdOSbAn7dnciV0ljcpolq1GoefT9P0315Xnb6rGzLDlYsXY7RDkSDT+pcCu41DJLHpjw7+BwxHXs12TwACs6p6o1ERutHa+RvRVIu HXRbe1W4 qy11veHcTnZjKc1G9SZpIv/Ea2mbO7jU04lFft6+uX5O4KQ3T2dcxhmt/467j3gtGakZUB3OTkclIMZfv55LTDmqCZkztw+2ug+w7umiGdyZTXFIN3VNdLQleZY3hBtcu3Hy981r2nuz4yZ2xJitEZpssj9pzWaQs5WR+zuYDqdqkBa4RngFfMYDnD93xrFjQS0vqt4hjyNMWF8/gqHYLN6a0d1eurxh8VNdw1cKBIXPQZMOM/8Zum1bthA== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: The msg subsystem is a common target for exploiting[1][2][3][4][5][6] use-after-free type confusion flaws in the kernel for both read and write primitives. Avoid having a user-controlled size cache share the global kmalloc allocator by using a separate set of kmalloc buckets. After a fresh boot under Ubuntu 23.10, we can see the caches are already in use: # grep ^msg_msg /proc/slabinfo msg_msg-8k 0 0 8192 4 8 : ... msg_msg-4k 96 128 4096 8 8 : ... msg_msg-2k 64 64 2048 16 8 : ... msg_msg-1k 64 64 1024 16 4 : ... msg_msg-16 1024 1024 16 256 1 : ... msg_msg-8 0 0 8 512 1 : ... Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1] Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2] Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3] Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4] Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5] Link: https://zplin.me/papers/ELOISE.pdf [6] Signed-off-by: Kees Cook --- --- ipc/msgutil.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ipc/msgutil.c b/ipc/msgutil.c index d0a0e877cadd..36f1aa9ea1cf 100644 --- a/ipc/msgutil.c +++ b/ipc/msgutil.c @@ -42,6 +42,15 @@ struct msg_msgseg { #define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) #define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) +static struct kmem_buckets *msg_buckets __ro_after_init; + +static int __init init_msg_buckets(void) +{ + msg_buckets = kmem_buckets_create("msg_msg", 0, SLAB_ACCOUNT, 0, 0, NULL); + + return 0; +} +subsys_initcall(init_msg_buckets); static struct msg_msg *alloc_msg(size_t len) { @@ -50,7 +59,7 @@ static struct msg_msg *alloc_msg(size_t len) size_t alen; alen = min(len, DATALEN_MSG); - msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL_ACCOUNT); + msg = kmem_buckets_alloc(msg_buckets, sizeof(*msg) + alen, GFP_KERNEL); if (msg == NULL) return NULL;