From patchwork Wed Jun 19 19:33:53 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13704463
From: Kees Cook
To: Vlastimil Babka
Cc: Kees Cook, "GONG, Ruiqi", Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, jvoisin, Andrew Morton, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Xiu Jianfeng, Suren Baghdasaryan, Kent Overstreet, Jann Horn, Matteo Rizzo, Thomas Graf, Herbert Xu, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v5 5/6] ipc, msg: Use dedicated slab buckets for alloc_msg()
Date: Wed, 19 Jun 2024 12:33:53 -0700
Message-Id: <20240619193357.1333772-5-kees@kernel.org>
In-Reply-To: <20240619192131.do.115-kees@kernel.org>
References: <20240619192131.do.115-kees@kernel.org>
The msg subsystem is a common target for exploiting[1][2][3][4][5][6][7] use-after-free type confusion flaws in the kernel for both read and write primitives. Avoid having a user-controlled dynamically-sized allocation share the global kmalloc cache by using a separate set of kmalloc buckets via the kmem_buckets API.

Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1]
Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2]
Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3]
Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4]
Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5]
Link: https://zplin.me/papers/ELOISE.pdf [6]
Link: https://syst3mfailure.io/wall-of-perdition/ [7]
Signed-off-by: Kees Cook
---
 ipc/msgutil.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipc/msgutil.c b/ipc/msgutil.c index d0a0e877cadd..f392f30a057a 100644 --- a/ipc/msgutil.c +++ b/ipc/msgutil.c @@ -42,6 +42,17 @@ struct msg_msgseg { #define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) #define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) +static kmem_buckets *msg_buckets __ro_after_init; + +static int __init init_msg_buckets(void) +{ + msg_buckets = kmem_buckets_create("msg_msg", 0, SLAB_ACCOUNT, + sizeof(struct msg_msg), + DATALEN_MSG, NULL); + + return 0; +} +subsys_initcall(init_msg_buckets); static struct msg_msg *alloc_msg(size_t len) { 
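Review bot: in the first hunk, init_msg_buckets() discards the return value of kmem_buckets_create() and unconditionally returns 0, so if bucket creation fails at boot msg_buckets stays NULL and every later alloc_msg() call hands a NULL bucket set to kmem_buckets_alloc(). Either check the result here (a WARN_ON() or pr_warn() makes the failure visible instead of silent), or add a comment stating that kmem_buckets_alloc() is specified to tolerate a NULL set; nothing in this hunk shows which of the two holds. A one-line comment above the initcall giving the reason msg_msg gets its own buckets (the type-confusion/use-after-free rationale from the commit message) would also help readers of msgutil.c who never see the commit log. Marking msg_buckets `__ro_after_init` is the right choice, since the pointer is assigned exactly once during init and never reassigned.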
@@ -50,7 +61,7 @@ static struct msg_msg *alloc_msg(size_t len) size_t alen; alen = min(len, DATALEN_MSG); - msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL_ACCOUNT); + msg = kmem_buckets_alloc(msg_buckets, sizeof(*msg) + alen, GFP_KERNEL); if (msg == NULL) return NULL;
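Review bot: in the second hunk, the call site drops GFP_KERNEL_ACCOUNT in favour of plain GFP_KERNEL, relying on the SLAB_ACCOUNT flag passed to kmem_buckets_create() in the first hunk to keep memcg accounting for these allocations. That is behaviour-preserving only if SLAB_ACCOUNT is applied to every cache in the bucket set, so the commit message should say so explicitly; someone reading this one line in isolation sees accounting being removed. The size expression `sizeof(*msg) + alen` is unchanged and `alen` is still clamped to DATALEN_MSG on the line above, so the largest request to the new bucket set stays at the previous maximum. The DATALEN_SEG define is visible in the first hunk's context but no change to segment (msg_msgseg) allocations appears in this patch; it would be worth stating whether those are intentionally left in the global kmalloc caches or are handled elsewhere in the series.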