Re: [PATCH RFC] Randomized slab caches for kmalloc()

From: Gong Ruiqi
Date: Mon Apr 24 2023 - 23:55:30 EST

Next message: Xueming Feng: "Re: [PATCH bpf-next v2] bpftool: Dump map id instead of value for map_of_maps types"
Previous message: Google: "Re: [PATCH v11 8/8] selftests/ftrace: Add funcgraph-retval test case"
In reply to: Alexander Lobakin: "Re: [PATCH RFC] Randomized slab caches for kmalloc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2023/04/24 21:46, Alexander Lobakin wrote:
> From: Gong, Ruiqi <gongruiqi1@xxxxxxxxxx>
> Date: Mon, 24 Apr 2023 10:54:33 +0800
>
> ...
>
>>
>>> It's fast enough according to Jason... `_RET_IP_ % nr` doesn't sound
>>> "secure" to me. It really is a compile-time constant, which can be
>>> calculated (or not?) manually. Even if it wasn't, `% nr` doesn't sound
>>> good, there should be at least hash_32().
>>
>> Yes, `_RET_IP_ % nr` is a bit naive. Currently the patch is more like a
>> PoC so I wrote this. Indeed a proper hash function should be used here.
>>
>> And yes _RET_IP_ could somehow be manually determined especially for
>> kernels without KASLR, and I think adding a per-boot random seed into
>> the selection could solve this.
>
> I recall how it is done for kCFI/FineIBT in the x86 code -- it also uses
> per-boot random seed (although it gets patched into the code itself each
> time, when applying alternatives). So probably should be optimal enough.
> The only thing I'm wondering is where to store this per-boot seed :D
> It's generic code, so you can't patch it directly. OTOH storing it in
> .data/.bss can make it vulnerable to attacks... Can't it?

I think marking the seed with __ro_after_init is enough, since we don't
mind it could be read by the attacker.

Given that the code paths the attacker can utilize to spray the heap is
limited, our address-related randomness in most cases prevents
kmalloc()s on these paths from picking the same cache the vulnerable
subsystem/module would pick. Although _RET_IP_ of kmalloc()s could be
known, without tampering the source code and rebuilding the image, the
attacker can't do anything to make those caches collide if the cache
selection algorithm says they don't.

So in my perspective the per-boot random seed is more like an
enhancement: if one day, by analyzing the open source code, the attacker
does find a usable kmalloc that happens to pick the same cache with the
vulnerable subsystem/module, the seed could make his/her effort wasted ;)

>
>>
>> I will implement these in v2. Thanks!
>>
>>>
>>> Thanks,
>>> Olek
>>>
>
> Thanks,
> Olek

Next message: Xueming Feng: "Re: [PATCH bpf-next v2] bpftool: Dump map id instead of value for map_of_maps types"
Previous message: Google: "Re: [PATCH v11 8/8] selftests/ftrace: Add funcgraph-retval test case"
In reply to: Alexander Lobakin: "Re: [PATCH RFC] Randomized slab caches for kmalloc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]