From patchwork Tue Sep 29 18:35:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Popov X-Patchwork-Id: 11806535 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EAB46618 for ; Tue, 29 Sep 2020 18:36:19 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 0D6452074A for ; Tue, 29 Sep 2020 18:36:18 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0D6452074A Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-20023-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 26012 invoked by uid 550); 29 Sep 2020 18:36:04 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 25940 invoked from network); 29 Sep 2020 18:36:03 -0000 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=2bxuhq/r6r8osy7pzVzO/JXpG1ASc+MUIPI5gsA7kxI=; b=uek3RWgWECbGyBN4iaBCNp1jjLAlR4vrI2czzV+O9UXIVkYF4wI8P8lQrh8kRXEbcX uTZMelJjE1TGEbrgzFGNt3/U5KCQ/NxT1aqbzgqUUeMBeQ8LUHCVVRelIKDlJ3a5ig9a GMU81gIzdtJgEwJ7jPrT6SG7plOVu/A2LxHayReOCPtM2pmGuu0vSLVuFpPjGT2XNc9A xKN5swiEAlz2sb7BwSoYzwDIRtGTa4L7f++xqcrNzFYgS1oVl6GiBYPsGKE+feFSku7e 6KuEkg1+/rDBSpFv4d7EBc4m6qlTTjQ/aF3xrDyZKYWZGF0GL35hyR9TyeXhijGFuLc1 HxxQ== X-Gm-Message-State: AOAM532tmKx9kL7Bx3e5tdOEL8v00bgQoCxVBJ7I0wvP3D5QBXiVSmNY AlFVQlSbuBaDlzvmWROp8uc= X-Google-Smtp-Source: ABdhPJy9A5JEn21mEASXT5hiuePaz0JL4sNUqlLTquEiKyft5GG7jNH5pWMw/hXwHiK/QazBvkyuwg== X-Received: by 2002:a1c:5685:: with SMTP id k127mr6197810wmb.135.1601404551593; Tue, 29 Sep 2020 11:35:51 -0700 (PDT) From: Alexander Popov To: Kees Cook , Jann Horn , Will Deacon , Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Masahiro Yamada , Masami Hiramatsu , Steven Rostedt , Peter Zijlstra , Krzysztof Kozlowski , Patrick Bellasi , David Howells , Eric Biederman , Johannes Weiner , Laura Abbott , Arnd Bergmann , Greg Kroah-Hartman , Daniel Micay , Andrey Konovalov , Matthew Wilcox , Pavel Machek , Valentin Schneider , kasan-dev@googlegroups.com, linux-mm@kvack.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, Alexander Popov Cc: notify@kernel.org Subject: [PATCH RFC v2 3/6] mm: Integrate SLAB_QUARANTINE with init_on_free Date: Tue, 29 Sep 2020 21:35:10 +0300 Message-Id: <20200929183513.380760-4-alex.popov@linux.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200929183513.380760-1-alex.popov@linux.com> References: <20200929183513.380760-1-alex.popov@linux.com> MIME-Version: 1.0 Having slab quarantine without memory erasing is harmful. If the quarantined objects are not cleaned and contain data, then: 1. they will be useful for use-after-free exploitation, 2. there is no chance to detect use-after-free access. So we want the quarantined objects to be erased. Enable init_on_free that cleans objects before placing them into the quarantine. CONFIG_PAGE_POISONING should be disabled since it cuts off init_on_free. Signed-off-by: Alexander Popov --- init/Kconfig | 3 ++- mm/page_alloc.c | 22 ++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/init/Kconfig b/init/Kconfig index 358c8ce818f4..cd4cee71fd4e 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1933,7 +1933,8 @@ config SLAB_FREELIST_HARDENED config SLAB_QUARANTINE bool "Enable slab freelist quarantine" - depends on !KASAN && (SLAB || SLUB) + depends on !KASAN && (SLAB || SLUB) && !PAGE_POISONING + select INIT_ON_FREE_DEFAULT_ON help Enable slab freelist quarantine to delay reusing of freed slab objects. If this feature is enabled, freed objects are stored diff --git a/mm/page_alloc.c b/mm/page_alloc.c index fab5e97dc9ca..f67118e88500 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -168,6 +168,27 @@ static int __init early_init_on_alloc(char *buf) } early_param("init_on_alloc", early_init_on_alloc); +#ifdef CONFIG_SLAB_QUARANTINE +static int __init early_init_on_free(char *buf) +{ + /* + * Having slab quarantine without memory erasing is harmful. + * If the quarantined objects are not cleaned and contain data, then: + * 1. they will be useful for use-after-free exploitation, + * 2. use-after-free access may not be detected. + * So we want the quarantined objects to be erased. + * + * Enable init_on_free that cleans objects before placing them into + * the quarantine. CONFIG_PAGE_POISONING should be disabled since it + * cuts off init_on_free. + */ + BUILD_BUG_ON(!IS_ENABLED(CONFIG_INIT_ON_FREE_DEFAULT_ON)); + BUILD_BUG_ON(IS_ENABLED(CONFIG_PAGE_POISONING)); + pr_info("mem auto-init: init_on_free is on for CONFIG_SLAB_QUARANTINE\n"); + + return 0; +} +#else /* CONFIG_SLAB_QUARANTINE */ static int __init early_init_on_free(char *buf) { int ret; @@ -184,6 +205,7 @@ static int __init early_init_on_free(char *buf) static_branch_disable(&init_on_free); return ret; } +#endif /* CONFIG_SLAB_QUARANTINE */ early_param("init_on_free", early_init_on_free); /*