Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 18 Feb 2020 10:21:47 +0800
From: zerons <zeronsaxm@...il.com>
To: Kees Cook <keescook@...omium.org>
Cc: Alexander Popov <alex.popov@...ux.com>,
 Andrey Konovalov <andreyknvl@...gle.com>,
 kernel-hardening@...ts.openwall.com, Shawn <citypw@...denedlinux.org>,
 spender@...ecurity.net
Subject: Re: Maybe inappropriate use BUG_ON() in CONFIG_SLAB_FREELIST_HARDENED


> 
>>> In my opinion, this patch can somehow help attacker exploit this kind of bugs
>>> more reliable.
> 
> Why do you think this makes races easier to win?
> 

Sorry, not to make the races easier, but to make the exploitations
more reliable.

>> +Alexander Popov, who is the author of the double free check in
>> SLAB_FREELIST_HARDENED.
>>
>> Ah, so as long as the double free happens in a user process context,
>> you can retry triggering it until you succeed in winning the race to
>> reallocate the object (without causing slab freelist corruption, as it
>> would have had happened before SLAB_FREELIST_HARDENED). Nice idea!
> 
> Do you see improvements that could be made here?
> 

Could we use BUG_ON() only when panic_on_oops is set?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.