| Message ID | 20240304184933.3672759-4-keescook@chromium.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
by smtp.lore.kernel.org (Postfix) with ESMTP id 55D0EC54E49
for <linux-mm@archiver.kernel.org>; Mon, 4 Mar 2024 18:49:46 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
id 4E5296B008A; Mon, 4 Mar 2024 13:49:41 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
id 4950B6B008C; Mon, 4 Mar 2024 13:49:41 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
id 30DE66B0092; Mon, 4 Mar 2024 13:49:41 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com
[216.40.44.17])
by kanga.kvack.org (Postfix) with ESMTP id 1E6F86B008A
for <linux-mm@kvack.org>; Mon, 4 Mar 2024 13:49:41 -0500 (EST)
Received: from smtpin26.hostedemail.com (a10.router.float.18 [10.200.18.1])
by unirelay06.hostedemail.com (Postfix) with ESMTP id 004FDA1126
for <linux-mm@kvack.org>; Mon, 4 Mar 2024 18:49:40 +0000 (UTC)
X-FDA: 81860245320.26.A7E30B9
Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com
[209.85.210.179])
by imf19.hostedemail.com (Postfix) with ESMTP id 402A91A001B
for <linux-mm@kvack.org>; Mon, 4 Mar 2024 18:49:39 +0000 (UTC)
Authentication-Results: imf19.hostedemail.com;
dkim=pass header.d=chromium.org header.s=google header.b=d0cJ+FET;
dmarc=pass (policy=none) header.from=chromium.org;
spf=pass (imf19.hostedemail.com: domain of keescook@chromium.org designates
209.85.210.179 as permitted sender) smtp.mailfrom=keescook@chromium.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=hostedemail.com;
s=arc-20220608; t=1709578179;
h=from:from:sender:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:cc:mime-version:mime-version:
content-type:content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references:dkim-signature;
bh=3eg+OHwarPCDDbCJMvwZ5D9ntaRfgGqvBfyy5rCCcVU=;
b=A20Y8xhpUN+8Lf1O3gBRp97/xRvu6dNbx7l0+1gY9ZSGaGTfLUM/MlYcRklm5Sf6c9JosP
pic8Z2q5JZtXh0zy26W7jplm2T5s2xusY+jCwowwIUDCWw4+Lyk7urO+UnTbLQeZDjUSU5
XE4ngPBA3t0z65mfF3C1Z0Oj3WbmxBQ=
ARC-Authentication-Results: i=1;
imf19.hostedemail.com;
dkim=pass header.d=chromium.org header.s=google header.b=d0cJ+FET;
dmarc=pass (policy=none) header.from=chromium.org;
spf=pass (imf19.hostedemail.com: domain of keescook@chromium.org designates
209.85.210.179 as permitted sender) smtp.mailfrom=keescook@chromium.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1709578179; a=rsa-sha256;
cv=none;
b=76/UeF3LMMOfZ7c738OxF7D01mQQM361uoC51f1vmyDlW/utSTm26dpk3cldh7E4gtSCCe
YNhb/GD9+KJqdMyWCXy1kDDRY6TZybK1OeO7rhk6C6QDzenJ7CUGNYxXjPTpfj6+9qF0z9
4VtrM9RvSD+LGJgrCFvBamGz+WqhPH8=
Received: by mail-pf1-f179.google.com with SMTP id
d2e1a72fcca58-6e5dddd3b95so1867457b3a.1
for <linux-mm@kvack.org>; Mon, 04 Mar 2024 10:49:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=chromium.org; s=google; t=1709578178; x=1710182978; darn=kvack.org;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:from:to:cc:subject:date
:message-id:reply-to;
bh=3eg+OHwarPCDDbCJMvwZ5D9ntaRfgGqvBfyy5rCCcVU=;
b=d0cJ+FETSp1z8GlrMk2FVEKuBwe+2xxjW8QjIPgvIj6m/aO4AWKts9L/90gObmRJFe
hL/gSAyS65V6bauNlqDBE1A4bvaTnTumLIAF9fA036RkiO2gW5jhgI9glQRUkrdGJsg4
2Iq85Szq9f++mu1ONo+yXB+5jnTon0dDISmlA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1709578178; x=1710182978;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=3eg+OHwarPCDDbCJMvwZ5D9ntaRfgGqvBfyy5rCCcVU=;
b=UBytNZ74WDLUIudS80bI1kW9wcMqftQuxPDHmdFrN8ZlRnSs1IImWy9WCdb2+onWiS
LXLPDfV3QaXjHNJ7EPKl7hAX/xP7FeNAfT+AjoTZZyiL7fjAPzTitkXyMeB9OBhuwBLg
wK0UQzP/tyTrqpEyko0ueg+lV0ZgCnfTL+LRh+soh8P5Odr6XptbpragPUhbU2ciWh4J
u2MtgU1lZKS+5wqDXsl+gVepMbZgj5WSBdj1lUxotguolYYqjWbfZJCkRRLD3ugpBCoF
U+tWUSy4mAuW06XEqcFGUwlljqnLO4RqxnsfbtekyOIg57ksfR9F24SjEv70UDwx2wRB
t5tg==
X-Forwarded-Encrypted: i=1;
AJvYcCU1UWE79YIIoMTDOswpx+qjxmFU0jcTT0iZxsAZgiCqEvCCxetuUspwQ3tsbVHm754lRqQGTscORRDaEIkKaOYvg3c=
X-Gm-Message-State: AOJu0Yxz7FodIigmY/DvuJozvtUzkUCS4NigPl31R56OB+oL63N4X3bm
kXzxr9Ae0wrqVwMHMfXyFdZu9hKUshsNad71YSvJEKkfpE8hKQyox79JnuwxXg==
X-Google-Smtp-Source:
AGHT+IGLXRXXimciJBhdk/dIb4Wb2zbKj+H0Uz/ceqDu67vjZT0fdQjMBcnwKVhjTqa97KV6aSVCaA==
X-Received: by 2002:a05:6a00:2d1e:b0:6e0:50cb:5f0a with SMTP id
fa30-20020a056a002d1e00b006e050cb5f0amr397502pfb.12.1709578177665;
Mon, 04 Mar 2024 10:49:37 -0800 (PST)
Received: from www.outflux.net ([198.0.35.241])
by smtp.gmail.com with ESMTPSA id
q67-20020a634346000000b005dc49afed53sm7759425pga.55.2024.03.04.10.49.34
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 04 Mar 2024 10:49:34 -0800 (PST)
From: Kees Cook <keescook@chromium.org>
To: Vlastimil Babka <vbabka@suse.cz>
Cc: Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org,
"GONG, Ruiqi" <gongruiqi@huaweicloud.com>,
Xiu Jianfeng <xiujianfeng@huawei.com>,
Suren Baghdasaryan <surenb@google.com>,
Kent Overstreet <kent.overstreet@linux.dev>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Roman Gushchin <roman.gushchin@linux.dev>,
Hyeonggon Yoo <42.hyeyoo@gmail.com>,
Christian Brauner <brauner@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Jan Kara <jack@suse.cz>,
linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: [PATCH 4/4] mm/util: Use dedicated slab buckets for memdup_user()
Date: Mon, 4 Mar 2024 10:49:32 -0800
Message-Id: <20240304184933.3672759-4-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240304184252.work.496-kees@kernel.org>
References: <20240304184252.work.496-kees@kernel.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=2330; i=keescook@chromium.org;
h=from:subject; bh=wVlg4Ywlqm3758Z/+rtNyin5k6LCR9PFs+qzYTfk1+I=;
b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBl5he8UYVHiwP9jlErQNW8kOwDMEcuQZnM208D3
8K1ECbNwiWJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZeYXvAAKCRCJcvTf3G3A
Jl+iEACLE6xmcDHNPJUI5v4X0mux03kdgYRX+BLElIYHYI7U0wjiKpXajjtdiBhgakpjXtztCWM
P2osPYx1h7voVbtUuUWxNhSonJpnB0Nm+gAimqzvFzjmcT3+iOzWMdkuQIrnE6UmT3zpJFc6XCU
g2QFAVxdiGa3N2vDovfT4v30vBd49SiQha0Ku6yG7HjCQGZlzRr99NRAgutT/m9cF15+jsLLygf
27uNjMhYBScQ/t1LffYt6H0XCkJx/H2JYQjJ+BPC2G+PF99sedHnXOHDSkQv8x5Hl4PIhPslxFR
91ZyIfi2gek3k1qy2AtzadMoj202Ge/xe12M85LUqMOsf6P+R5s8/g8DiXl4l7Id7cPOTD5r9BS
SNlQ7S2KaIK2wznKMO/HoLjyqgjZhMD7IeID0qZ3TfjZ8BbqOuvRGqLMgn8tzc3LAB8agyecsTT
g0+xAUJYNoc8NRwjsjVNz+QckpIFcvn8kiUHKXwiZ2Qmorl1p9Fd9x1CQ9sTiJa59YI8DAUJ7Hb
dQsvxWmevu1RLkIB1tmDdAS2pqIFmK+0m57zvWu5UJnhkIQV+kiDxu0Dd/kq0opljR4/anmfMur
7WnTU2xy/QXL6JGYC1RXjxC4niOzOIZjfPwGZsXbo32sj+XkZkGkZ/jNwB4eNjVnoNor7p7CxLD
i3hiwyQiWnJh+Xw==
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Content-Transfer-Encoding: 8bit
X-Rspamd-Server: rspam09
X-Rspamd-Queue-Id: 402A91A001B
X-Stat-Signature: jq96takzpma7cfhps5rotab88agmkrn1
X-Rspam-User:
X-HE-Tag: 1709578179-678226
X-HE-Meta:
U2FsdGVkX18+DTLnPZema72nVrRAP5izAGbtObvMZwGoc+Wo0zAw8skoVe5OvgtgZtAa2sO090g/NmLMIQ8DTnYKt5fk5ths1Sj418YorCb2tqvCvACLetcsOmtqej4Nq0T8tqILLEWCqdbwfgCCB2+4Ycab1/9mmbXJ55NMSMhkmfsWKM6PiLQ6CGnirZ0mPQyneY3XX3hh2XwJ99l8RStN3lqjO3Gkoq4M99lhDNEGHS9lX+G6MkmnIseyLX1C/HFn7Ztzyf0/OZpD1SedvxMSqp/8HjFHCFWLcbfx9d7D3lOZ+C6py8QC56SQgkEEoFdqffl+Vq4QBV5tz9awmJ6+ecI1l8UgKvsnln6XP36PKi+0t4dWM5Ite7xPDbjYwJNzMPzrqGVScn+rLUxE9sksrsx9GXfqauviurPwW0cVsm0V5dxYpyn8xeCpaJnxs1QNAm6YmRa/Fo8OOqd1n+4xITwhvvos6l5vpuiBbSMJ2MCX7TxE+1AhU01nMs6jby5VGRj/AQvs0aDo97/EZGR4gl5pcJbAFCSgRv4zVisLdzPx1bR2JfzvCzUti1P/9dx9vZGGIRNg7Ia6G8IlTmsXgP2ZodI7aC71v1IS0NSn5CIvcANLzt/Xx9ye7LkldyOPSnKCPJw7yx3/F+iR+2BAQXMSlO99lMIKcXcZw5v9UoGNTgD1tlxTOTlcoCaPeet2KMdZPz2Q6bzxS6qK6fke4carLVfQiA8i7AJ37CzmzmVf5W5ks/Mq9Q4IA0h8P95wQZgwopkIJTM06KOwbeJwYCOTDiQMgnOySY0IwqoGOpDCKCFOkO3lOkRCMmVqldzdXbRYPmIWzigtQIbLc7nYd/+4/XpYSYEAlSim6sEY/VcPG62le51flYqtg+4VP0BjwGJ3ppx3CV//b1q3rcktt6c+4uZLG5TEiCDSCCx6gs4Cz1vDfuMhBpgc9wGQ/xsjieM9Hp0cAt0O7OZ
jPxeR6KQ
1wdKfoSAzsh8Abiv/ZNbyH2RDNcce07LwvGHINcpX5MmJ2MPj/VXRLv8tqPuf2zFAyOA/mi6RCd2/PXyxkRONxXiZ4wbpz8FueCSKGSALA22gOg6fQEQG81SxaVU/tFRL+HcdlRoaY1HW+LBr+uk7qrM/SIyo2agBa12uNVG7CQFGRcVyLhkK3iTHkLHBf8cCs2p3EGM+r6B+7r4Zy9yJUAG6HQuCJSw6J5zbQbWzb8ylz98=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>
|
| Series |
slab: Introduce dedicated bucket allocator
|
expand
|
diff --git a/mm/util.c b/mm/util.c index 5a6a9802583b..818e74d11fb6 100644 --- a/mm/util.c +++ b/mm/util.c @@ -181,6 +181,16 @@ char *kmemdup_nul(const char *s, size_t len, gfp_t gfp) } EXPORT_SYMBOL(kmemdup_nul); +static struct kmem_buckets *user_buckets __ro_after_init; + +static int __init init_user_buckets(void) +{ + user_buckets = kmem_buckets_create("memdup_user", 0, 0, 0, UINT_MAX, NULL); + + return 0; +} +subsys_initcall(init_user_buckets); + /** * memdup_user - duplicate memory region from user space * @@ -194,7 +204,7 @@ void *memdup_user(const void __user *src, size_t len) { void *p; - p = kmalloc_track_caller(len, GFP_USER | __GFP_NOWARN); + p = kmem_buckets_alloc(user_buckets, len, GFP_USER | __GFP_NOWARN); if (!p) return ERR_PTR(-ENOMEM);
The prctl() PR_SET_VMA_ANON_NAME command can be used for exploiting[1] use-after-free type confusion flaws in the kernel. This is just one path to memdup_user() which is designed for contents coming from userspace. Avoid having a user-controlled size cache share the global kmalloc allocator by using a separate set of kmalloc buckets. After a fresh boot under Ubuntu 23.10, we can see the caches are already in use: # grep ^memdup /proc/slabinfo memdup_user-8k 4 4 8192 4 8 : ... memdup_user-4k 0 0 4096 8 8 : ... memdup_user-2k 16 16 2048 16 8 : ... memdup_user-1k 0 0 1024 16 4 : ... memdup_user-512 0 0 512 16 2 : ... memdup_user-256 0 0 256 16 1 : ... memdup_user-128 0 0 128 32 1 : ... memdup_user-64 256 256 64 64 1 : ... memdup_user-32 512 512 32 128 1 : ... memdup_user-16 1024 1024 16 256 1 : ... memdup_user-8 2048 2048 8 512 1 : ... memdup_user-192 0 0 192 21 1 : ... memdup_user-96 168 168 96 42 1 : ... Link: https://starlabs.sg/blog/2023/07-prctl-anon_vma_name-an-amusing-heap-spray/ [1] Signed-off-by: Kees Cook <keescook@chromium.org> --- Cc: Andrew Morton <akpm@linux-foundation.org> Cc: linux-mm@kvack.org --- mm/util.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)