| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1eb1cfff-14f0-8fa9-1b48-679865339646@infradead.org>
Date: Tue, 20 Jun 2017 16:16:36 -0700
From: Randy Dunlap <rdunlap@...radead.org>
To: Kees Cook <keescook@...omium.org>, Christoph Lameter <cl@...ux.com>
Cc: Jonathan Corbet <corbet@....net>,
Daniel Micay <danielmicay@...il.com>,
David Windsor <dave@...lcore.net>,
Eric Biggers <ebiggers3@...il.com>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
"Rafael J. Wysocki" <rafael.j.wysocki@...el.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...nel.org>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
Arnd Bergmann <arnd@...db.de>,
Andy Lutomirski <luto@...nel.org>,
Nicolas Pitre <nicolas.pitre@...aro.org>,
Tejun Heo <tj@...nel.org>, Daniel Mack <daniel@...que.org>,
Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
Helge Deller <deller@....de>, Rik van Riel <riel@...hat.com>,
linux-doc@...r.kernel.org, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] mm: Allow slab_nomerge to be set at build time
On 06/20/2017 04:09 PM, Kees Cook wrote:
> Some hardened environments want to build kernels with slab_nomerge
> already set (so that they do not depend on remembering to set the kernel
> command line option). This is desired to reduce the risk of kernel heap
> overflows being able to overwrite objects from merged caches and changes
> the requirements for cache layout control, increasing the difficulty of
> these attacks. By keeping caches unmerged, these kinds of exploits can
> usually only damage objects in the same cache (though the risk to metadata
> exploitation is unchanged).
>
> Cc: Daniel Micay <danielmicay@...il.com>
> Cc: David Windsor <dave@...lcore.net>
> Cc: Eric Biggers <ebiggers3@...il.com>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> v2: split out of slab whitelisting series
> ---
> Documentation/admin-guide/kernel-parameters.txt | 10 ++++++++--
> init/Kconfig | 14 ++++++++++++++
> mm/slab_common.c | 5 ++---
> 3 files changed, 24 insertions(+), 5 deletions(-)
> diff --git a/init/Kconfig b/init/Kconfig
> index 1d3475fc9496..ce813acf2f4f 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1891,6 +1891,20 @@ config SLOB
>
> endchoice
>
> +config SLAB_MERGE_DEFAULT
> + bool "Allow slab caches to be merged"
> + default y
> + help
> + For reduced kernel memory fragmentation, slab caches can be
> + merged when they share the same size and other characteristics.
> + This carries a risk of kernel heap overflows being able to
> + overwrite objects from merged caches (and more easily control
> + cache layout), which makes such heap attacks easier to exploit
> + by attackers. By keeping caches unmerged, these kinds of exploits
> + can usually only damage objects in the same cache. To disable
> + merging at runtime, "slab_nomerge" can be passed on the kernel
> + command line.
command line or this option can be disabled in the kernel config.
> +
> config SLAB_FREELIST_RANDOM
> default n
> depends on SLAB || SLUB
--
~Randy
Powered by blists - more mailing lists