Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 7 Jul 2017 08:50:33 -0500 (CDT)
From: Christoph Lameter <>
To: Kees Cook <>
cc: Rik van Riel <>, Andrew Morton <>, 
    Pekka Enberg <>, David Rientjes <>, 
    Joonsoo Kim <>, 
    "Paul E. McKenney" <>, 
    Ingo Molnar <>, Josh Triplett <>, 
    Andy Lutomirski <>, 
    Nicolas Pitre <>, Tejun Heo <>, 
    Daniel Mack <>, 
    Sebastian Andrzej Siewior <>, 
    Sergey Senozhatsky <>, 
    Helge Deller <>, Linux-MM <>, 
    Tycho Andersen <>, LKML <>, 
    "" <>
Subject: Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation

On Thu, 6 Jul 2017, Kees Cook wrote:

> Right. This is about blocking the escalation of attack capability. For
> slab object overflow flaws, there are mainly two exploitation methods:
> adjacent allocated object overwrite and adjacent freed object
> overwrite (i.e. a freelist pointer overwrite). The first attack
> depends heavily on which slab cache (and therefore which structures)
> has been exposed by the bug. It's a very narrow and specific attack
> method. The freelist attack is entirely general purpose since it
> provides a reliable way to gain arbitrary write capabilities.
> Protecting against that attack greatly narrows the options for an
> attacker which makes attacks more expensive to create and possibly
> less reliable (and reliability is crucial to successful attacks).

The simplest thing here is to vary the location of the freelist pointer.
That way you cannot hit the freepointer in a deterministic way

The freepointer is put at offset 0 right now. But you could put it
anywhere in the object.

Index: linux/mm/slub.c
--- linux.orig/mm/slub.c
+++ linux/mm/slub.c
@@ -3467,7 +3467,8 @@ static int calculate_sizes(struct kmem_c
 		s->offset = size;
 		size += sizeof(void *);
-	}
+	} else
+		s->offset = s->size / sizeof(void *) * <insert random chance logic here>

 	if (flags & SLAB_STORE_USER)

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.