Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation

From: Christoph Lameter
Date: Thu Jul 06 2017 - 09:43:52 EST

Next message: Todor Tomov: "Re: [PATCH v2 08/19] media: camss: Add files which handle the video device nodes"
Previous message: Chao Yu: "Re: [f2fs-dev] [PATCH] f2fs: avoid migratepage for atomic written page"
In reply to: Kees Cook: "[PATCH v3] mm: Add SLUB free list pointer obfuscation"
Next in thread: Kees Cook: "Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 5 Jul 2017, Kees Cook wrote:

> @@ -3536,6 +3565,9 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags)
> {
> s->flags = kmem_cache_flags(s->size, flags, s->name, s->ctor);
> s->reserved = 0;
> +#ifdef CONFIG_SLAB_FREELIST_HARDENED
> + s->random = get_random_long();
> +#endif
>
> if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU))
> s->reserved = sizeof(struct rcu_head);
>

So if an attacker knows the internal structure of data then he can simply
dereference page->kmem_cache->random to decode the freepointer.

Assuming someone is already targeting a freelist pointer (which indicates
detailed knowledge of the internal structure) then I would think that
someone like that will also figure out how to follow the pointer links to
get to the random value.

Not seeing the point of all of this.

Next message: Todor Tomov: "Re: [PATCH v2 08/19] media: camss: Add files which handle the video device nodes"
Previous message: Chao Yu: "Re: [f2fs-dev] [PATCH] f2fs: avoid migratepage for atomic written page"
In reply to: Kees Cook: "[PATCH v3] mm: Add SLUB free list pointer obfuscation"
Next in thread: Kees Cook: "Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]