Message-ID: <202003111036.80DEE85@keescook>
Date:   Wed, 11 Mar 2020 10:37:40 -0700
From:   Kees Cook <keescook@...omium.org>
To:     David Laight <David.Laight@...LAB.COM>
Cc:     'Christopher Lameter' <cl@...ux.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Pekka Enberg <penberg@...nel.org>,
        David Rientjes <rientjes@...gle.com>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Daniel Micay <danielmicay@...il.com>,
        Vitaly Nikolenko <vnik@...synt.com>,
        Silvio Cesare <silvio.cesare@...il.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] slub: Relocate freelist pointer to middle of object

On Wed, Mar 11, 2020 at 02:48:05PM +0000, David Laight wrote:
> From: Christopher Lameter
> > Sent: 08 March 2020 19:21
> 
> > 
> > On Thu, 5 Mar 2020, Kees Cook wrote:
> > 
> > > Instead of having the freelist pointer at the very beginning of an
> > > allocation (offset 0) or at the very end of an allocation (effectively
> > > offset -sizeof(void *) from the next allocation), move it away from
> > > the edges of the allocation and into the middle. This provides some
> > > protection against small-sized neighboring overflows (or underflows),
> > > for which the freelist pointer is commonly the target. (Large or well
> > > controlled overwrites are much more likely to attack live object contents,
> > > instead of attempting freelist corruption.)
> > 
> > Sounds good. You could even randomize the position to avoid attacks via
> > the freelist pointer.
> 
> Random overwrites could be detected (fairly cheaply) by putting two
> copies of the pointer into the same cacheline in the buffer.
> Or better make the second one 'pointer xor constant'.

My sense is that this starts to stray closer to "too much overhead" vs
the mitigation benefit against known heap metadata attacks. I'm open to
seeing patches, of course, though! :)

-- 
Kees Cook
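The layout question in this thread (freelist pointer at offset 0 versus the middle of the object) and David Laight's suggestion of a second, XORed copy for detection can both be seen in a small model. The following is an added example written for this page; it is not the kernel's SLUB code and not code posted by anyone in the thread. Everything in it is constructed: the toy slab of 64-byte objects, the `FP_XOR_CONST` value, the function names, and the single-object spill that models a small neighbouring overflow. The real kernel's freelist hardening (CONFIG_SLAB_FREELIST_HARDENED) XORs the pointer with a per-cache secret and the slot address rather than keeping a second copy; the shadow-copy check here only models the idea from the thread.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of a SLUB-like slab: one page of equally sized
 * objects, with the freelist pointer stored INSIDE each free object at a
 * configurable offset (0 = the old SLUB layout, obj_size/2 = the layout the
 * patch proposes).  A shadow copy, XORed with a constant, sits right after
 * the primary pointer, modelling David Laight's suggestion.  Assumptions of
 * this example only, not kernel behaviour. */

#define PAGE_BYTES   4096
#define FP_XOR_CONST 0xA5A5A5A5A5A5A5A5ULL   /* constructed constant */

struct toy_slab {
    unsigned char page[PAGE_BYTES];
    size_t obj_size;    /* bytes per object, multiple of 16 */
    size_t fp_offset;   /* pointer-aligned offset of the freelist pointer */
    void  *freelist;    /* head of the free list, NULL when empty */
};

/* Primary freelist slot inside a free object. */
static void **fp_slot(const struct toy_slab *s, void *obj)
{
    return (void **)((unsigned char *)obj + s->fp_offset);
}

/* Shadow copy (pointer ^ constant) stored right after the primary slot. */
static uintptr_t *fp_shadow(const struct toy_slab *s, void *obj)
{
    return (uintptr_t *)((unsigned char *)obj + s->fp_offset + sizeof(void *));
}

static void set_freeptr(const struct toy_slab *s, void *obj, void *next)
{
    *fp_slot(s, obj)   = next;
    *fp_shadow(s, obj) = (uintptr_t)next ^ (uintptr_t)FP_XOR_CONST;
}

/* Build the freelist: every object starts free, chained in address order. */
void toy_slab_init(struct toy_slab *s, size_t obj_size, size_t fp_offset)
{
    size_t n = PAGE_BYTES / obj_size;
    memset(s->page, 0, sizeof(s->page));
    s->obj_size  = obj_size;
    s->fp_offset = fp_offset;
    s->freelist  = NULL;
    for (size_t i = n; i-- > 0;) {
        void *obj = s->page + i * obj_size;
        set_freeptr(s, obj, s->freelist);
        s->freelist = obj;
    }
}

void *toy_slab_alloc(struct toy_slab *s)
{
    void *obj = s->freelist;
    if (obj == NULL)
        return NULL;
    s->freelist = *fp_slot(s, obj);
    return obj;
}

void toy_slab_free(struct toy_slab *s, void *obj)
{
    set_freeptr(s, obj, s->freelist);
    s->freelist = obj;
}

/* Detection walk: count free objects whose shadow disagrees with the primary
 * pointer.  Stops at the first mismatch because a corrupted pointer must never
 * be followed. */
int toy_slab_check(const struct toy_slab *s)
{
    int mismatches = 0;
    for (void *obj = s->freelist; obj != NULL; obj = *fp_slot(s, obj)) {
        uintptr_t expect = (uintptr_t)*fp_slot(s, obj) ^ (uintptr_t)FP_XOR_CONST;
        if (*fp_shadow(s, obj) != expect) {
            mismatches++;
            break;
        }
    }
    return mismatches;
}

struct spill_result { int corrupted; int detected; };

/* Allocate the first object, let a buggy write of spill_bytes run past its
 * end into the (still free) neighbour, and report whether the neighbour's
 * freelist pointer was hit and whether the shadow check notices. */
struct spill_result simulate_spill(size_t fp_offset, size_t spill_bytes)
{
    struct toy_slab s;
    struct spill_result r;
    toy_slab_init(&s, 64, fp_offset);
    unsigned char *obj = toy_slab_alloc(&s);
    unsigned char *neighbour = obj + s.obj_size;      /* freelist head now */
    void *before = *fp_slot(&s, neighbour);
    memset(obj + s.obj_size, 0xff, spill_bytes);      /* modelled bug */
    r.corrupted = (*fp_slot(&s, neighbour) != before);
    r.detected  = toy_slab_check(&s) > 0;
    return r;
}

int main(void)
{
    struct spill_result a = simulate_spill(0, 4), b = simulate_spill(32, 4);
    printf("offset 0:  corrupted=%d detected=%d\n", a.corrupted, a.detected);
    printf("offset 32: corrupted=%d detected=%d\n", b.corrupted, b.detected);
    return 0;
}
```

With the pointer at offset 0, a 4-byte spill from the previous object lands on the freelist pointer and the shadow walk reports it; with the pointer in the middle of a 64-byte object, the same spill touches only payload bytes and the freelist stays intact. A 40-byte spill reaches the relocated pointer again, which is the "small overflows only" limit the patch description states. The shadow copy costs one extra pointer per free object and a walk on every check, which is the overhead Kees weighs against the benefit in his reply.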
