| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+fCnZf++VKo-VKYTJsuiYeP9LJoxHdd3nk1DL+tZP1TOQ9xrw@mail.gmail.com> Date: Thu, 1 Aug 2024 14:54:04 +0200 From: Andrey Konovalov <andreyknvl@...il.com> To: Jann Horn <jannh@...gle.com> Cc: Marco Elver <elver@...gle.com>, Andrey Ryabinin <ryabinin.a.a@...il.com>, Alexander Potapenko <glider@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, Vincenzo Frascino <vincenzo.frascino@....com>, Andrew Morton <akpm@...ux-foundation.org>, Christoph Lameter <cl@...ux.com>, Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>, Joonsoo Kim <iamjoonsoo.kim@....com>, Vlastimil Babka <vbabka@...e.cz>, Roman Gushchin <roman.gushchin@...ux.dev>, Hyeonggon Yoo <42.hyeyoo@...il.com>, kasan-dev@...glegroups.com, linux-kernel@...r.kernel.org, linux-mm@...ck.org Subject: Re: [PATCH v5 1/2] kasan: catch invalid free before SLUB reinitializes the object On Thu, Aug 1, 2024 at 6:01 AM Jann Horn <jannh@...gle.com> wrote: > > > > @@ -503,15 +509,22 @@ bool __kasan_mempool_poison_object(void *ptr, unsigned long ip) > > > kasan_poison(ptr, folio_size(folio), KASAN_PAGE_FREE, false); > > > return true; > > > } > > > > > > if (is_kfence_address(ptr)) > > > return false; > > > + if (!kasan_arch_is_ready()) > > > + return true; > > > > Hm, I think we had a bug here: the function should return true in both > > cases. This seems reasonable: if KASAN is not checking the object, the > > caller can do whatever they want with it. > > But if the object is a kfence allocation, we maybe do want the caller > to free it quickly so that kfence can catch potential UAF access? So > "return false" in that case seems appropriate. Return false would mean: allocation is buggy, do not use it and do not free it (note that the return value meaning here is inverse compared to the newly added check_slab_allocation()). And this doesn't seem like something we want for KFENCE-managed objects. But regardless of the return value here, the callers tend not to free these allocations to the slab allocator, that's the point of mempools. So KFENCE won't catch a UAF either way. > Or maybe we don't > because that makes the probability of catching an OOB access much > lower if the mempool is going to always return non-kfence allocations > as long as the pool isn't empty? Also I guess whether kfence vetoes > reuse of kfence objects probably shouldn't depend on whether the > kernel is built with KASAN... so I guess it would be more consistent > to either put "return true" there or change the !KASAN stub of this to > check for kfence objects or something like that? Honestly I think the > latter would be most appropriate, though then maybe the hook shouldn't > have "kasan" in its name... Yeah, we could add some custom handling of mempool to KFENCE as well. But that would be a separate effort. > Either way, I agree that the current situation wrt mempools and kfence > is inconsistent, but I think I should probably leave that as-is in my > series for now, and the kfence mempool issue can be addressed > separately afterwards? I also would like to avoid changing kfence > behavior as part of this patch. Sure, sounds good to me. > If you want, I can add a comment above the "if (is_kfence_address())" > that notes the inconsistency? Up to you, I'll likely add a note to the bug tracker to fix this once the patch lands anyway. Thanks!
Powered by blists - more mailing lists