From patchwork Mon Jul 1 19:13:02 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13718563
From: Kees Cook
To: Vlastimil Babka
Cc: Kees Cook, "GONG, Ruiqi", Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, jvoisin, Andrew Morton, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Xiu Jianfeng, Suren Baghdasaryan, Kent Overstreet, Jann Horn, Matteo Rizzo, Thomas Graf, Herbert Xu, "Gustavo A. R. Silva", Jonathan Corbet, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v6 5/6] ipc, msg: Use dedicated slab buckets for alloc_msg()
Date: Mon, 1 Jul 2024 12:13:02 -0700
Message-Id: <20240701191304.1283894-5-kees@kernel.org>
In-Reply-To: <20240701190152.it.631-kees@kernel.org>
References: <20240701190152.it.631-kees@kernel.org>
The msg subsystem is a common target for exploiting[1][2][3][4][5][6][7] use-after-free type confusion flaws in the kernel for both read and write primitives. Avoid having a user-controlled dynamically-sized allocation share the global kmalloc cache by using a separate set of kmalloc buckets via the kmem_buckets API.
Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1] Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2] Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3] Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4] Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5] Link: https://zplin.me/papers/ELOISE.pdf [6] Link: https://syst3mfailure.io/wall-of-perdition/ [7] Signed-off-by: Kees Cook --- ipc/msgutil.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/ipc/msgutil.c b/ipc/msgutil.c index d0a0e877cadd..c7be0c792647 100644 --- a/ipc/msgutil.c +++ b/ipc/msgutil.c @@ -42,6 +42,17 @@ struct msg_msgseg { #define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) #define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) +static kmem_buckets *msg_buckets __ro_after_init; + +static int __init init_msg_buckets(void) +{ + msg_buckets = kmem_buckets_create("msg_msg", SLAB_ACCOUNT, + sizeof(struct msg_msg), + DATALEN_MSG, NULL); + + return 0; +} +subsys_initcall(init_msg_buckets); static struct msg_msg *alloc_msg(size_t len) { @@ -50,7 +61,7 @@ static struct msg_msg *alloc_msg(size_t len) size_t alen; alen = min(len, DATALEN_MSG); - msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL_ACCOUNT); + msg = kmem_buckets_alloc(msg_buckets, sizeof(*msg) + alen, GFP_KERNEL); if (msg == NULL) return NULL;
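Review bot: in the first hunk, init_msg_buckets() ignores the return value of kmem_buckets_create() and unconditionally returns 0, so if cache creation fails msg_buckets stays NULL and every later kmem_buckets_alloc(msg_buckets, ...) call runs with a NULL bucket set without anyone noticing. Either add a comment stating that kmem_buckets_alloc() is expected to cope with a NULL bucket pointer (and consider a pr_warn() there, since the isolation this patch adds would silently be gone), or handle the failure explicitly. The two size arguments to the create call, sizeof(struct msg_msg) and DATALEN_MSG, also deserve a one-line comment saying what they mean to kmem_buckets_create(), because the call site gives the reader no hint.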
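Review bot: in the second hunk, the replacement line drops GFP_KERNEL_ACCOUNT for plain GFP_KERNEL, so memcg accounting of msg_msg now rests entirely on the SLAB_ACCOUNT flag passed to kmem_buckets_create() in the earlier hunk; that is behaviour-preserving only if every allocation from msg_buckets should be accounted, and the commit message should say that the accounting moved from the call site to the cache. Separately, the surrounding context shows `alen = min(len, DATALEN_MSG);` next to the DATALEN_SEG / struct msg_msgseg definitions, so messages longer than DATALEN_MSG are evidently continued in segments; the commit message should state whether those segment allocations are intended to stay in the global kmalloc caches or are handled elsewhere in the series.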