Date: Mon, 17 Aug 2020 13:53:51 +0200 From: Andrey Konovalov <andreyknvl@...gle.com> To: Kees Cook <keescook@...omium.org>, Alexander Popov <alex.popov@...ux.com> Cc: Jann Horn <jannh@...gle.com>, Will Deacon <will@...nel.org>, Andrey Ryabinin <aryabinin@...tuozzo.com>, Alexander Potapenko <glider@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, Christoph Lameter <cl@...ux.com>, Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>, Joonsoo Kim <iamjoonsoo.kim@....com>, Andrew Morton <akpm@...ux-foundation.org>, Masahiro Yamada <masahiroy@...nel.org>, Masami Hiramatsu <mhiramat@...nel.org>, Steven Rostedt <rostedt@...dmis.org>, Peter Zijlstra <peterz@...radead.org>, Krzysztof Kozlowski <krzk@...nel.org>, Patrick Bellasi <patrick.bellasi@....com>, David Howells <dhowells@...hat.com>, Eric Biederman <ebiederm@...ssion.com>, Johannes Weiner <hannes@...xchg.org>, Laura Abbott <labbott@...hat.com>, Arnd Bergmann <arnd@...db.de>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, kasan-dev <kasan-dev@...glegroups.com>, Linux Memory Management List <linux-mm@...ck.org>, kernel-hardening@...ts.openwall.com, LKML <linux-kernel@...r.kernel.org>, notify@...nel.org Subject: Re: [PATCH RFC 1/2] mm: Extract SLAB_QUARANTINE from KASAN On Sat, Aug 15, 2020 at 6:52 PM Kees Cook <keescook@...omium.org> wrote: > > On Thu, Aug 13, 2020 at 06:19:21PM +0300, Alexander Popov wrote: > > Heap spraying is an exploitation technique that aims to put controlled > > bytes at a predetermined memory location on the heap. Heap spraying for > > exploiting use-after-free in the Linux kernel relies on the fact that on > > kmalloc(), the slab allocator returns the address of the memory that was > > recently freed. Allocating a kernel object with the same size and > > controlled contents allows overwriting the vulnerable freed object. > > > > Let's extract slab freelist quarantine from KASAN functionality and > > call it CONFIG_SLAB_QUARANTINE. This feature breaks widespread heap > > spraying technique used for exploiting use-after-free vulnerabilities > > in the kernel code. > > > > If this feature is enabled, freed allocations are stored in the quarantine > > and can't be instantly reallocated and overwritten by the exploit > > performing heap spraying. [...] > In doing this extraction, I wonder if function naming should be changed? > If it's going to live a new life outside of KASAN proper, maybe call > these functions quarantine_cache_*()? But perhaps that's too much > churn... If quarantine is to be used without the rest of KASAN, I'd prefer for it to be separated from KASAN completely: move to e.g. mm/quarantine.c and don't mention KASAN in function/config names.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.