lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <5c34b253-b476-494a-96c9-fe3c95b9b74d@linux.dev>
Date: Thu, 25 Apr 2024 23:14:59 +0800
From: Chengming Zhou <chengming.zhou@...ux.dev>
To: Nicolas Bouchinet <nicolas.bouchinet@...p-os.org>, linux-mm@...ck.org,
 linux-kernel@...r.kernel.org
Cc: cl@...ux.com, penberg@...nel.org, rientjes@...gle.com,
 iamjoonsoo.kim@....com, akpm@...ux-foundation.org, vbabka@...e.cz,
 roman.gushchin@...ux.dev, 42.hyeyoo@...il.com
Subject: Re: [PATCH] slub: Fixes freepointer encoding for single free

On 2024/4/25 23:02, Nicolas Bouchinet wrote:
> Hy,
> 
> First of all, thanks a lot for your time.
> 
> On 4/25/24 10:36, Chengming Zhou wrote:
>> On 2024/4/24 20:47, Nicolas Bouchinet wrote:
>>> From: Nicolas Bouchinet<nicolas.bouchinet@....gouv.fr>
>>>
>>> Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing
>>> separately") splits single and bulk object freeing in two functions
>>> slab_free() and slab_free_bulk() which leads slab_free() to call
>>> slab_free_hook() directly instead of slab_free_freelist_hook().
>> Right.
>>
>>> If `init_on_free` is set, slab_free_hook() zeroes the object.
>>> Afterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are
>>> set, the do_slab_free() slowpath executes freelist consistency
>>> checks and try to decode a zeroed freepointer which leads to a
>>> "Freepointer corrupt" detection in check_object().
>> IIUC, the "freepointer" can be checked on the free path only when
>> it's outside the object memory. Here slab_free_hook() zeroed the
>> freepointer and caused the problem.
>>
>> But why we should zero the memory outside the object_size? It seems
>> more reasonable to only zero the object_size when init_on_free is set?
> 
> The original purpose was to avoid leaking information through the object and its metadata / tracking information as described in init_on_free initial Commit 6471384af2a6 ("mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options").
> 
> I have to admit I didn't read the entire lore about the original patchset yet, though it could be interesting to know a bit more the threat models, specifically regarding the object metadata init.

Thank you for the reference! I also don't get why it needs to zero
the metadata and tracking information.

> 
> The patch could also be optimized a bit by restricting set_freepointer() call to the `CONFIG_SLAB_FREELIST_HARDENED` option value.
> 

Yeah. Maybe memcg_alloc_abort_single() needs this too.

Thanks.

> Thanks again, Nicolas
> 
>>
>> Thanks.
>>
>>> Object's freepointer thus needs to be properly set using
>>> set_freepointer() after init_on_free.
>>>
>>> To reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the
>>> command line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.
>>>
>>> dmesg sample log:
>>> [   10.708715] =============================================================================
>>> [   10.710323] BUG kmalloc-rnd-05-32 (Tainted: G    B           T ): Freepointer corrupt
>>> [   10.712695] -----------------------------------------------------------------------------
>>> [   10.712695]
>>> [   10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)
>>> [   10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c
>>> [   10.716698]
>>> [   10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>> [   10.720703] Object   ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>> [   10.720703] Object   ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>> [   10.724696] Padding  ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>> [   10.724696] Padding  ffff9d9a8035667c: 00 00 00 00                                      ....
>>> [   10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed
>>>
>>> Signed-off-by: Nicolas Bouchinet<nicolas.bouchinet@....gouv.fr>
>>> ---
>>>   mm/slub.c | 8 +++++++-
>>>   1 file changed, 7 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/mm/slub.c b/mm/slub.c
>>> index 3aa12b9b323d9..71dbff9ad8f17 100644
>>> --- a/mm/slub.c
>>> +++ b/mm/slub.c
>>> @@ -4342,10 +4342,16 @@ static __fastpath_inline
>>>   void slab_free(struct kmem_cache *s, struct slab *slab, void *object,
>>>              unsigned long addr)
>>>   {
>>> +    bool init = false;
>>> +
>>>       memcg_slab_free_hook(s, slab, &object, 1);
>>> +    init = slab_want_init_on_free(s);
>>>   -    if (likely(slab_free_hook(s, object, slab_want_init_on_free(s))))
>>> +    if (likely(slab_free_hook(s, object, init))) {
>>> +        if (init)
>>> +            set_freepointer(s, object, NULL);
>>>           do_slab_free(s, slab, object, object, 1, addr);
>>> +    }
>>>   }
>>>     static __fastpath_inline

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ