Date: Fri, 7 Jul 2017 08:50:33 -0500 (CDT) From: Christoph Lameter <cl@...ux.com> To: Kees Cook <keescook@...omium.org> cc: Rik van Riel <riel@...hat.com>, Andrew Morton <akpm@...ux-foundation.org>, Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>, Joonsoo Kim <iamjoonsoo.kim@....com>, "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>, Ingo Molnar <mingo@...nel.org>, Josh Triplett <josh@...htriplett.org>, Andy Lutomirski <luto@...nel.org>, Nicolas Pitre <nicolas.pitre@...aro.org>, Tejun Heo <tj@...nel.org>, Daniel Mack <daniel@...que.org>, Sebastian Andrzej Siewior <bigeasy@...utronix.de>, Sergey Senozhatsky <sergey.senozhatsky@...il.com>, Helge Deller <deller@....de>, Linux-MM <linux-mm@...ck.org>, Tycho Andersen <tycho@...ker.com>, LKML <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com> Subject: Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation On Thu, 6 Jul 2017, Kees Cook wrote: > Right. This is about blocking the escalation of attack capability. For > slab object overflow flaws, there are mainly two exploitation methods: > adjacent allocated object overwrite and adjacent freed object > overwrite (i.e. a freelist pointer overwrite). The first attack > depends heavily on which slab cache (and therefore which structures) > has been exposed by the bug. It's a very narrow and specific attack > method. The freelist attack is entirely general purpose since it > provides a reliable way to gain arbitrary write capabilities. > Protecting against that attack greatly narrows the options for an > attacker which makes attacks more expensive to create and possibly > less reliable (and reliability is crucial to successful attacks). The simplest thing here is to vary the location of the freelist pointer. That way you cannot hit the freepointer in a deterministic way The freepointer is put at offset 0 right now. But you could put it anywhere in the object. Index: linux/mm/slub.c =================================================================== --- linux.orig/mm/slub.c +++ linux/mm/slub.c @@ -3467,7 +3467,8 @@ static int calculate_sizes(struct kmem_c */ s->offset = size; size += sizeof(void *); - } + } else + s->offset = s->size / sizeof(void *) * <insert random chance logic here> #ifdef CONFIG_SLUB_DEBUG if (flags & SLAB_STORE_USER)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.