From patchwork Tue Mar 5 10:10:25 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13581915
From: Kees Cook
To: Vlastimil Babka
Cc: Kees Cook, Andrew Morton, "GONG, Ruiqi", Xiu Jianfeng, Suren Baghdasaryan, Kent Overstreet, Jann Horn, Matteo Rizzo, linux-mm@kvack.org, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v2 9/9] mm/util: Use dedicated slab buckets for memdup_user()
Date: Tue, 5 Mar 2024 02:10:25 -0800
Message-Id: <20240305101026.694758-9-keescook@chromium.org>
In-Reply-To: <20240305100933.it.923-kees@kernel.org>
References: <20240305100933.it.923-kees@kernel.org>
Both memdup_user() and vmemdup_user() handle allocations that are regularly used for exploiting use-after-free type confusion flaws in the kernel (e.g. prctl() PR_SET_VMA_ANON_NAME[1] and setxattr[2][3][4] respectively). Since both are designed for contents coming from userspace, this allows for userspace-controlled allocation sizes. Use a dedicated set of kmalloc buckets so these allocations do not share caches with the global kmalloc buckets.

After a fresh boot under Ubuntu 23.10, we can see the caches are already in active use:

# grep ^memdup /proc/slabinfo
memdup_user-8k 4 4 8192 4 8 : ...
memdup_user-4k 8 8 4096 8 8 : ...
memdup_user-2k 16 16 2048 16 8 : ...
memdup_user-1k 0 0 1024 16 4 : ...
memdup_user-512 0 0 512 16 2 : ...
memdup_user-256 0 0 256 16 1 : ...
memdup_user-128 0 0 128 32 1 : ...
memdup_user-64 256 256 64 64 1 : ...
memdup_user-32 512 512 32 128 1 : ...
memdup_user-16 1024 1024 16 256 1 : ...
memdup_user-8 2048 2048 8 512 1 : ...
memdup_user-192 0 0 192 21 1 : ...
memdup_user-96 168 168 96 42 1 : ...

Link: https://starlabs.sg/blog/2023/07-prctl-anon_vma_name-an-amusing-heap-spray/ [1]
Link: https://duasynt.com/blog/linux-kernel-heap-spray [2]
Link: https://etenal.me/archives/1336 [3]
Link: https://github.com/a13xp0p0v/kernel-hack-drill/blob/master/drill_exploit_uaf.c [4]
Signed-off-by: Kees Cook
---
Cc: Andrew Morton
Cc: "GONG, Ruiqi"
Cc: Xiu Jianfeng
Cc: Suren Baghdasaryan
Cc: Kent Overstreet
Cc: Jann Horn
Cc: Matteo Rizzo
Cc: linux-mm@kvack.org
---
 mm/util.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/mm/util.c b/mm/util.c
index 02c895b87a28..25b9122022a7 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -181,6 +181,16 @@ char *kmemdup_nul(const char *s, size_t len, gfp_t gfp) } EXPORT_SYMBOL(kmemdup_nul); +static kmem_buckets *user_buckets __ro_after_init; + +static int __init init_user_buckets(void) +{ + user_buckets = kmem_buckets_create("memdup_user", 0, 0, 0, INT_MAX, NULL); + + return 0; +} +subsys_initcall(init_user_buckets); + /** * memdup_user - duplicate memory region from user space * @@ -194,7 +204,7 @@ void *memdup_user(const void __user *src, size_t len) { void *p; - p = kmalloc_track_caller(len, GFP_USER | __GFP_NOWARN); + p = kmem_buckets_alloc_track_caller(user_buckets, len, GFP_USER | __GFP_NOWARN); if (!p) return ERR_PTR(-ENOMEM); @@ -220,7 +230,7 @@ void *vmemdup_user(const void __user *src, size_t len) { void *p; - p = kvmalloc(len, GFP_USER); + p = kmem_buckets_valloc(user_buckets, len, GFP_USER); if (!p) return ERR_PTR(-ENOMEM);
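Review bot: in the first hunk the return value of kmem_buckets_create("memdup_user", 0, 0, 0, INT_MAX, NULL) is never checked, so a failed creation leaves user_buckets NULL and every later memdup_user()/vmemdup_user() call hands a NULL bucket set to kmem_buckets_alloc_track_caller()/kmem_buckets_valloc(). Whether those helpers fall back to the global kmalloc caches on NULL is defined earlier in the series and is not visible here; either add a WARN_ON(!user_buckets) in init_user_buckets() or state the NULL fallback in a comment next to the declaration, so a reader of mm/util.c knows the allocation still succeeds, only without the cache isolation. The same question applies to any memdup_user() caller that runs before the subsys_initcall level.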
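Review bot: in the second hunk the kerneldoc block for memdup_user() directly above the change is left untouched; since a "memdup_user" cache family now shows up in /proc/slabinfo, a sentence in that comment saying the copy comes from a dedicated bucket set shared with vmemdup_user() would let anyone correlating slabinfo output with the source find the origin without reading the initcall.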
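Review bot: in the last hunk the removed kvmalloc(len, GFP_USER) fell back to vmalloc() when the size-class allocation failed or len exceeded the largest kmalloc size; the replacement kmem_buckets_valloc(user_buckets, len, GFP_USER) has to keep that fallback, since vmemdup_user() is precisely the path the commit message associates with large setxattr() values, yet neither the diff nor the commit message says how sizes above the 8k bucket (the largest cache in the quoted slabinfo output) are served. One sentence in the commit message on the large-size path would make the behaviour change reviewable.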
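As an added check, not part of this patch or the kernel tree: a small Python parser for the /proc/slabinfo lines quoted in the commit message that reports which kmalloc size classes have a dedicated memdup_user cache and which already hold live objects, so the isolation can be confirmed on a running system. The embedded sample is the grep output from the commit message, labelled as constructed input; EXPECTED_SIZES is an assumed list mirroring that output.

```python
# Added example, not part of the patch: parse /proc/slabinfo and report which
# kmalloc size classes have a dedicated memdup_user-<size> cache.
import sys

# Assumed size-class list, mirroring the grep output quoted in the commit message.
EXPECTED_SIZES = (8, 16, 32, 64, 96, 128, 192, 256, 512, 1024, 2048, 4096, 8192)

# Constructed sample: the `grep ^memdup /proc/slabinfo` lines from the commit
# message, trailing slabinfo columns elided as "..." just as quoted there.
SAMPLE_SLABINFO = """\
memdup_user-8k 4 4 8192 4 8 : ...
memdup_user-4k 8 8 4096 8 8 : ...
memdup_user-2k 16 16 2048 16 8 : ...
memdup_user-1k 0 0 1024 16 4 : ...
memdup_user-512 0 0 512 16 2 : ...
memdup_user-256 0 0 256 16 1 : ...
memdup_user-128 0 0 128 32 1 : ...
memdup_user-64 256 256 64 64 1 : ...
memdup_user-32 512 512 32 128 1 : ...
memdup_user-16 1024 1024 16 256 1 : ...
memdup_user-8 2048 2048 8 512 1 : ...
memdup_user-192 0 0 192 21 1 : ...
memdup_user-96 168 168 96 42 1 : ...
"""

def parse_slabinfo(text, prefix="memdup_user-"):
    """Map objsize -> (active_objs, num_objs) for caches whose name starts with prefix."""
    # slabinfo columns: name active_objs num_objs objsize objperslab pagesperslab ...
    # The version line and the "# name ..." header lack the prefix and are skipped.
    caches = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(prefix):
            continue
        active, total, objsize = (int(f) for f in fields[1:4])
        caches[objsize] = (active, total)
    return caches

def missing_buckets(text, expected=EXPECTED_SIZES):
    """Size classes with no dedicated cache, i.e. still served from the shared kmalloc caches."""
    found = parse_slabinfo(text)
    return tuple(size for size in expected if size not in found)

def active_buckets(text):
    """Size classes whose memdup_user cache already holds live objects."""
    return tuple(sorted(size for size, (active, _) in parse_slabinfo(text).items() if active))

if __name__ == "__main__":  # e.g. python3 check_memdup.py /proc/slabinfo
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SLABINFO
    print("missing buckets:", missing_buckets(data), "active:", active_buckets(data))
```

An empty "missing buckets" tuple on a kernel with this series applied means every size class a userspace-controlled memdup_user() length can land in has its own cache; any size listed there is still shared with the global kmalloc caches.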