From patchwork Tue Mar 5 10:10:24 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13581914
From: Kees Cook
To: Vlastimil Babka
Cc: Kees Cook, "GONG, Ruiqi", Xiu Jianfeng, Suren Baghdasaryan, Kent Overstreet, Jann Horn, Matteo Rizzo, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: [PATCH v2 8/9] ipc, msg: Use dedicated slab buckets for alloc_msg()
Date: Tue, 5 Mar 2024 02:10:24 -0800
Message-Id: <20240305101026.694758-8-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240305100933.it.923-kees@kernel.org>
References: <20240305100933.it.923-kees@kernel.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
The msg subsystem is a common target for exploiting[1][2][3][4][5][6]
use-after-free type confusion flaws in the kernel for both read and
write primitives. Avoid having a user-controlled size cache share the
global kmalloc allocator by using a separate set of kmalloc buckets.

Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1]
Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2]
Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3]
Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4]
Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5]
Link: https://zplin.me/papers/ELOISE.pdf [6]
Link: https://syst3mfailure.io/wall-of-perdition/
Signed-off-by: Kees Cook
---
Cc: "GONG, Ruiqi"
Cc: Xiu Jianfeng
Cc: Suren Baghdasaryan
Cc: Kent Overstreet
Cc: Jann Horn
Cc: Matteo Rizzo
---
 ipc/msgutil.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index d0a0e877cadd..f392f30a057a 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -42,6 +42,17 @@ struct msg_msgseg { #define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) #define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) +static kmem_buckets *msg_buckets __ro_after_init; + +static int __init init_msg_buckets(void) +{ + msg_buckets = kmem_buckets_create("msg_msg", 0, SLAB_ACCOUNT, + sizeof(struct msg_msg), + DATALEN_MSG, NULL); + + return 0; +} +subsys_initcall(init_msg_buckets); static struct msg_msg *alloc_msg(size_t len) { @@ -50,7 +61,7 @@ static struct msg_msg *alloc_msg(size_t len) size_t alen; alen = min(len, DATALEN_MSG); - msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL_ACCOUNT); + msg = kmem_buckets_alloc(msg_buckets, sizeof(*msg) + alen, GFP_KERNEL); if (msg == NULL) return NULL;
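Review bot: in the first hunk, init_msg_buckets() discards the result of kmem_buckets_create() and returns 0 unconditionally, so a failed create at boot leaves msg_buckets NULL and every later kmem_buckets_alloc(msg_buckets, ...) in alloc_msg() runs against a NULL bucket set; whether the allocator then falls back to the global kmalloc caches or faults, the isolation this patch introduces is lost silently. Suggest checking the pointer and making the failure visible, e.g. `if (!msg_buckets) pr_warn("msg: falling back to global kmalloc caches\n");` or a WARN_ON(!msg_buckets), and stating in the commit message what the fallback behaviour is.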
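Review bot: the second hunk changes the accounting path without saying so: the old call passed GFP_KERNEL_ACCOUNT, the new one passes plain GFP_KERNEL and relies on the SLAB_ACCOUNT flag given to kmem_buckets_create() in the first hunk, which is only equivalent because the new bucket set is used exclusively for msg_msg; a sentence in the commit message would save the next reader the cross-check. Also, the diffstat reports a single deletion, so this is the only kmalloc() in alloc_msg() that moves; if the struct msg_msgseg allocations (DATALEN_SEG in the context above) for messages longer than DATALEN_MSG still come from the global caches, they are equally user-sized, and the commit message should say whether leaving them there is intentional or deferred to a later patch.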