[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHKB1w+9GgY_e6J+rZ4zDaXrPZab5xteTuDEH0Z2hWe6x-pT5g@mail.gmail.com>
Date: Tue, 19 Sep 2023 17:48:42 +0200
From: Matteo Rizzo <matteorizzo@...gle.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Ingo Molnar <mingo@...nel.org>,
"Lameter, Christopher" <cl@...amperecomputing.com>,
Dave Hansen <dave.hansen@...el.com>, penberg@...nel.org,
rientjes@...gle.com, iamjoonsoo.kim@....com,
akpm@...ux-foundation.org, vbabka@...e.cz,
roman.gushchin@...ux.dev, 42.hyeyoo@...il.com,
keescook@...omium.org, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-mm@...ck.org,
linux-hardening@...r.kernel.org, tglx@...utronix.de,
mingo@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com,
x86@...nel.org, hpa@...or.com, corbet@....net, luto@...nel.org,
peterz@...radead.org, jannh@...gle.com, evn@...gle.com,
poprdi@...gle.com, jordyzomer@...gle.com
Subject: Re: [RFC PATCH 00/14] Prevent cross-cache attacks in the SLUB allocator
On Mon, 18 Sept 2023 at 20:05, Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
>
> ... and equally importantly, what about DMA?
I'm not exactly sure what you mean by this, I don't think this should
affect the performance of DMA.
> Or what about the fixed-size slabs (aka kmalloc?) What's the point of
> "never re-use the same address for a different slab", when the *same*
> slab will contain different kinds of allocations anyway?
There are a number of patches out there (for example the random_kmalloc
series which recently got merged into v6.6) which attempt to segregate
kmalloc'd objects into different caches to make exploitation harder.
Another thing that we would like to have in the future is to segregate
objects by type (like XNU's kalloc_type
https://security.apple.com/blog/towards-the-next-generation-of-xnu-memory-safety/)
which makes exploiting use-after-free by type confusion much harder or
impossible.
All of these mitigations can be bypassed very easily if the attacker can
mount a cross-cache attack, which is what this series attempts to prevent.
This is not only theoretical, we've seen attackers use this all the time in
kCTF/kernelCTF submissions (for example
https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/).
> I think the whole "make it one single compile-time option" model is
> completely and fundamentally broken.
Wouldn't making this toggleable at boot time or runtime make performance
even worse?
--
Matteo
Powered by blists - more mailing lists