From patchwork Fri May 31 19:14:57 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13682015
From: Kees Cook
To: Vlastimil Babka
Cc: Kees Cook, "GONG, Ruiqi", Xiu Jianfeng, Suren Baghdasaryan, Kent Overstreet, Jann Horn, Matteo Rizzo, jvoisin, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Thomas Graf, Herbert Xu, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v4 5/6] ipc, msg: Use dedicated slab buckets for alloc_msg()
Date: Fri, 31 May 2024 12:14:57 -0700
Message-Id: <20240531191458.987345-5-kees@kernel.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240531191304.it.853-kees@kernel.org>
References: <20240531191304.it.853-kees@kernel.org>
The msg subsystem is a common target for exploiting[1][2][3][4][5][6][7]
use-after-free type confusion flaws in the kernel for both read and write
primitives. Avoid having a user-controlled dynamically-sized allocation
share the global kmalloc cache by using a separate set of kmalloc buckets
via the kmem_buckets API.

Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1]
Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2]
Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3]
Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4]
Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5]
Link: https://zplin.me/papers/ELOISE.pdf [6]
Link: https://syst3mfailure.io/wall-of-perdition/ [7]
Signed-off-by: Kees Cook
---
Cc: "GONG, Ruiqi"
Cc: Xiu Jianfeng
Cc: Suren Baghdasaryan
Cc: Kent Overstreet
Cc: Jann Horn
Cc: Matteo Rizzo
Cc: jvoisin
---
 ipc/msgutil.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index d0a0e877cadd..f392f30a057a 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -42,6 +42,17 @@ struct msg_msgseg { #define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) #define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) +static kmem_buckets *msg_buckets __ro_after_init; + +static int __init init_msg_buckets(void) +{ + msg_buckets = kmem_buckets_create("msg_msg", 0, SLAB_ACCOUNT, + sizeof(struct msg_msg), + DATALEN_MSG, NULL); + + return 0; +} +subsys_initcall(init_msg_buckets); static struct msg_msg *alloc_msg(size_t len) { @@ -50,7 +61,7 @@ static struct msg_msg *alloc_msg(size_t len) size_t alen; alen = min(len, DATALEN_MSG); - msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL_ACCOUNT); + msg = kmem_buckets_alloc(msg_buckets, sizeof(*msg) + alen, GFP_KERNEL); if (msg == NULL) return NULL;
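Review bot: in init_msg_buckets() the value returned by kmem_buckets_create() is stored in msg_buckets but never checked, and the initcall returns 0 regardless, so a failed creation leaves msg_buckets NULL with nothing in the log while every later kmem_buckets_alloc(msg_buckets, ...) quietly takes whatever path the bucket API has for a NULL set, presumably the shared kmalloc caches the commit message sets out to leave. A `WARN_ON(!msg_buckets)` (or a pr_warn()) right after the call would make that loss of isolation visible. Separately, neither the `static kmem_buckets *msg_buckets __ro_after_init;` declaration nor the `sizeof(struct msg_msg), DATALEN_MSG` argument pair carries a comment; one line saying that msg_msg gets its own buckets because its size is user-controlled, and what those two values describe (they read as the offset and length of the inline data region past the header rather than the object size, which alloc_msg() computes as `sizeof(*msg) + alen`), would save the next reader a trip to the kmem_buckets_create() prototype.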
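Review bot: only the head allocation changes cache; the second hunk replaces the one `kmalloc(sizeof(*msg) + alen, ...)` whose size is already capped by `alen = min(len, DATALEN_MSG);`, while the context of the first hunk (`struct msg_msgseg`, `DATALEN_SEG`) shows that anything beyond DATALEN_MSG is carried in separately allocated segments that this patch leaves on the global kmalloc caches. Those segments are just as user-sized and user-filled as the head, so either route them through msg_buckets as well or state in the commit message why the head alone is covered. The switch from GFP_KERNEL_ACCOUNT to plain GFP_KERNEL also deserves a sentence there: it is only correct because the bucket set is created with SLAB_ACCOUNT in the first hunk, and a reader of this hunk on its own sees memcg accounting disappear.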
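Added illustration, not part of the patch or of the kernel tree, of the point the commit message makes: user space picks the length of each message, hence the size and (before this patch) the general kmalloc cache of each msg_msg head object, plus a way to check on a running kernel which cache a msgsnd() really hits. It assumes sizeof(struct msg_msg) is 48 bytes and PAGE_SIZE is 4096 (x86_64), the usual kmalloc-<size> cache names, and that the bucket caches show up in /proc/slabinfo as "msg_msg-<size>"; none of that is stated on this page.

```c
/*
 * Added example, not part of the patch or the kernel tree. A msgsnd() caller
 * picks the message length and alloc_msg() allocates sizeof(struct msg_msg) +
 * min(len, DATALEN_MSG) for the head object, so before this patch user space
 * could steer it into any general kmalloc-<size> cache; after it the request
 * is served from the "msg_msg" buckets. Run as root this checks which cache a
 * msgsnd() really hits via <active_objs> in /proc/slabinfo. Assumed, not from
 * the page: sizeof(struct msg_msg) == 48, PAGE_SIZE == 4096 (x86_64), SLUB
 * names "kmalloc-64".."kmalloc-4k", bucket caches named "msg_msg-<suffix>".
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>

#define MSG_MSG_HDR  48UL                     /* assumed sizeof(struct msg_msg) */
#define PAGE_SZ      4096UL                   /* assumed PAGE_SIZE */
#define DATALEN_MSG  (PAGE_SZ - MSG_MSG_HDR)  /* same formula as ipc/msgutil.c */

/* Bytes alloc_msg() requests for the head object of a 'len'-byte message. */
size_t msg_head_alloc_size(size_t len)
{
    return MSG_MSG_HDR + (len < DATALEN_MSG ? len : DATALEN_MSG);
}

/* Size-class suffix the request rounds up to, NULL above a page; a head is never smaller than MSG_MSG_HDR, so kmalloc-64 is the floor. */
const char *kmalloc_class_suffix(size_t size)
{
    static const struct { size_t bytes; const char *suffix; } classes[] = {
        { 64, "64" }, { 96, "96" }, { 128, "128" }, { 192, "192" }, { 256, "256" },
        { 512, "512" }, { 1024, "1k" }, { 2048, "2k" }, { 4096, "4k" },
    };
    for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++)
        if (size <= classes[i].bytes)
            return classes[i].suffix;
    return NULL;
}

/* <active_objs> column of 'cache' in /proc/slabinfo text, -1 if absent; the name must be followed by whitespace so "kmalloc-19" cannot match "kmalloc-192". */
long slab_active_objs(const char *slabinfo, const char *cache)
{
    size_t n = strlen(cache);
    for (const char *line = slabinfo; line && *line; ) {
        const char *end = strchr(line, '\n');
        size_t linelen = end ? (size_t)(end - line) : strlen(line);
        long active;
        if (linelen > n && strncmp(line, cache, n) == 0 && isspace((unsigned char)line[n]))
            return sscanf(line + n, " %ld", &active) == 1 ? active : -1;
        line = end ? end + 1 : NULL;
    }
    return -1;
}

/* Constructed /proc/slabinfo excerpt (real column layout, invented numbers). */
const char *const SAMPLE_SLABINFO =
    "slabinfo - version: 2.1\n"
    "msg_msg-192           7     42    192   21    1 : tunables 0 0 0 : slabdata   2   2   0\n"
    "kmalloc-192        1234   1533    192   21    1 : tunables 0 0 0 : slabdata  73  73   0\n"
    "kmalloc-64         9876  10240     64   64    1 : tunables 0 0 0 : slabdata 160 160   0\n";

static long read_slabinfo(char *buf, size_t cap)
{
    FILE *f = fopen("/proc/slabinfo", "r");   /* 0400 root on most distros */
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(int argc, char **argv)
{
    static char before[256 * 1024], after[256 * 1024];
    struct { long mtype; char mtext[PAGE_SZ]; } m = { .mtype = 1 };
    size_t len = argc > 1 ? strtoul(argv[1], NULL, 0) : 100;
    char generic[32], bucket[32];
    if (len > sizeof(m.mtext)) len = sizeof(m.mtext);
    const char *cls = kmalloc_class_suffix(msg_head_alloc_size(len));
    printf("msgsnd(len=%zu) -> %zu-byte head -> size class %s\n", len, msg_head_alloc_size(len), cls);
    if (read_slabinfo(before, sizeof(before)) < 0) {
        puts("/proc/slabinfo not readable; run as root for the live check");
        return 0;
    }
    snprintf(generic, sizeof(generic), "kmalloc-%s", cls);
    snprintf(bucket, sizeof(bucket), "msg_msg-%s", cls);
    int q = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    if (q < 0 || msgsnd(q, &m, len, IPC_NOWAIT) < 0) {
        perror("msgget/msgsnd");
        return 1;
    }
    read_slabinfo(after, sizeof(after));   /* message still queued, so its object is live */
    /* Unpatched: kmalloc-<cls> moves and msg_msg-<cls> reads -1 (absent); patched: msg_msg-<cls> moves. */
    printf("%-12s active_objs %ld -> %ld\n", generic, slab_active_objs(before, generic), slab_active_objs(after, generic));
    printf("%-12s active_objs %ld -> %ld\n", bucket, slab_active_objs(before, bucket), slab_active_objs(after, bucket));
    msgctl(q, IPC_RMID, NULL);
    return 0;
}
```

Build with `cc -Wall msg_cache_check.c -o msg_cache_check` and run `sudo ./msg_cache_check 100`: a 100-byte message needs a 148-byte head, so on an unpatched kernel the kmalloc-192 count should move by one and msg_msg-192 reads -1, while on a kernel carrying this series the msg_msg-192 count should move instead. Without root the program still prints the computed size class and stops before touching the queue.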