Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 7 Jul 2017 08:50:33 -0500 (CDT)
From: Christoph Lameter <cl@...ux.com>
To: Kees Cook <keescook@...omium.org>
cc: Rik van Riel <riel@...hat.com>, Andrew Morton <akpm@...ux-foundation.org>, 
    Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>, 
    Joonsoo Kim <iamjoonsoo.kim@....com>, 
    "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>, 
    Ingo Molnar <mingo@...nel.org>, Josh Triplett <josh@...htriplett.org>, 
    Andy Lutomirski <luto@...nel.org>, 
    Nicolas Pitre <nicolas.pitre@...aro.org>, Tejun Heo <tj@...nel.org>, 
    Daniel Mack <daniel@...que.org>, 
    Sebastian Andrzej Siewior <bigeasy@...utronix.de>, 
    Sergey Senozhatsky <sergey.senozhatsky@...il.com>, 
    Helge Deller <deller@....de>, Linux-MM <linux-mm@...ck.org>, 
    Tycho Andersen <tycho@...ker.com>, LKML <linux-kernel@...r.kernel.org>, 
    "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation

On Thu, 6 Jul 2017, Kees Cook wrote:

> Right. This is about blocking the escalation of attack capability. For
> slab object overflow flaws, there are mainly two exploitation methods:
> adjacent allocated object overwrite and adjacent freed object
> overwrite (i.e. a freelist pointer overwrite). The first attack
> depends heavily on which slab cache (and therefore which structures)
> has been exposed by the bug. It's a very narrow and specific attack
> method. The freelist attack is entirely general purpose since it
> provides a reliable way to gain arbitrary write capabilities.
> Protecting against that attack greatly narrows the options for an
> attacker which makes attacks more expensive to create and possibly
> less reliable (and reliability is crucial to successful attacks).


The simplest thing here is to vary the location of the freelist pointer.
That way you cannot hit the freepointer in a deterministic way

The freepointer is put at offset 0 right now. But you could put it
anywhere in the object.

Index: linux/mm/slub.c
===================================================================
--- linux.orig/mm/slub.c
+++ linux/mm/slub.c
@@ -3467,7 +3467,8 @@ static int calculate_sizes(struct kmem_c
 		 */
 		s->offset = size;
 		size += sizeof(void *);
-	}
+	} else
+		s->offset = s->size / sizeof(void *) * <insert random chance logic here>

 #ifdef CONFIG_SLUB_DEBUG
 	if (flags & SLAB_STORE_USER)

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.