Message-ID: <CAG_fn=UBWge=QGeB+XQRtuFkzqWbrA8_FJsrwhihhwkrzt8DoQ@mail.gmail.com>
Date: Wed, 7 Aug 2024 10:27:03 +0200
From: Alexander Potapenko <glider@...gle.com>
To: Marco Elver <elver@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>, Andrey Konovalov <andreyknvl@...il.com>, 
	Dmitry Vyukov <dvyukov@...gle.com>, Jann Horn <jannh@...gle.com>, kasan-dev@...glegroups.com, 
	linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH] kfence: introduce burst mode

On Mon, Aug 5, 2024 at 2:43 PM Marco Elver <elver@...gle.com> wrote:
>
> Introduce burst mode, which can be configured with kfence.burst=$count,
> where the burst count denotes the additional successive slab allocations
> to be allocated through KFENCE for each sample interval.
>
> The idea is that this can give developers an additional knob to make
> KFENCE more aggressive when debugging specific issues of systems where
> either rebooting or recompiling the kernel with KASAN is not possible.
>
> Experiment: To assess the effectiveness of the new option, we randomly
> picked a recent out-of-bounds [1] and use-after-free bug [2], each with
> a reproducer provided by syzbot, that initially detected these bugs with
> KASAN. We then tried to reproduce the bugs with KFENCE below.
>
> [1] Fixed by: 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr")
>     https://syzkaller.appspot.com/bug?id=9d1b59d4718239da6f6069d3891863c25f9f24a2
> [2] Fixed by: f8ad00f3fb2a ("l2tp: fix possible UAF when cleaning up tunnels")
>     https://syzkaller.appspot.com/bug?id=4f34adc84f4a3b080187c390eeef60611fd450e1
>
> The following KFENCE configs were compared. A pool size of 1023 objects
> was used for all configurations.
>
>         Baseline
>                 kfence.sample_interval=100
>                 kfence.skip_covered_thresh=75
>                 kfence.burst=0
>
>         Aggressive
>                 kfence.sample_interval=1
>                 kfence.skip_covered_thresh=10
>                 kfence.burst=0
>
>         AggressiveBurst
>                 kfence.sample_interval=1
>                 kfence.skip_covered_thresh=10
>                 kfence.burst=1000
>
> Each reproducer was run 10 times (after a fresh reboot), with the
> following detection counts for each KFENCE config:
>
>                     | Detection Count out of 10 |
>                     |    OOB [1]  |    UAF [2]  |
>   ------------------+-------------+-------------+
>   Default           |     0/10    |     0/10    |
>   Aggressive        |     0/10    |     0/10    |
>   AggressiveBurst   |     8/10    |     8/10    |
>
> With the Default and even the Aggressive configs the results are
> unsurprising, given KFENCE has not been designed for deterministic bug
> detection of small test cases.
>
> However, when enabling burst mode with a relatively large burst count,
> KFENCE can start to detect heap memory-safety bugs even in simpler test
> cases with high probability (in the above cases with ~80% probability).
>
> Signed-off-by: Marco Elver <elver@...gle.com>
Reviewed-by: Alexander Potapenko <glider@...gle.com>
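
Added example (not part of the patch or of the kernel's mm/kfence/core.c): a
user-space model of the sampling gate described in the quoted commit message,
used to show why a short reproducer is almost never caught with burst=0 even
at sample_interval=1, but is caught once burst lets many successive
allocations through. Everything in it is an assumption for illustration: the
gate logic is a simplification, the reproducer workload (200 allocations in
2 ms, bug in allocation 150), the 1023-object pool and the three named
configurations are constructed to mirror the experiment above, and guarded
objects are never freed, which is the worst case for pool exhaustion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of KFENCE's allocation gate with the burst knob
 * (assumption: this is a simulation written for this page, not the
 * kernel's code).  Every sample_interval the timer opens the gate; the
 * next allocation is served from the KFENCE pool, and with burst=N the
 * following N successive allocations are served from the pool too
 * before the gate closes and the timer is re-armed.
 */
struct kfence_model {
    uint64_t sample_interval_ms; /* kfence.sample_interval */
    unsigned int burst;          /* kfence.burst */
    unsigned int pool_objects;   /* size of the KFENCE pool */
    uint64_t next_open_ms;       /* when the timer next opens the gate */
    bool open;
    unsigned int passed;         /* allocations let through since the gate opened */
    unsigned int in_pool;        /* live guarded objects (never freed in this model) */
};

static void kfence_model_init(struct kfence_model *m, uint64_t interval_ms,
                              unsigned int burst, unsigned int pool_objects)
{
    m->sample_interval_ms = interval_ms;
    m->burst = burst;
    m->pool_objects = pool_objects;
    m->next_open_ms = 0; /* gate is armed at boot */
    m->open = false;
    m->passed = 0;
    m->in_pool = 0;
}

/* One slab allocation at time now_ms; true if it becomes a guarded object. */
static bool kfence_model_alloc(struct kfence_model *m, uint64_t now_ms)
{
    if (!m->open && now_ms >= m->next_open_ms) {
        m->open = true;
        m->passed = 0;
    }
    if (!m->open)
        return false;

    /* One sampled allocation plus `burst` successive ones, then close. */
    if (++m->passed >= 1 + m->burst) {
        m->open = false;
        m->next_open_ms = now_ms + m->sample_interval_ms;
    }
    /* Pool exhausted: the allocation falls back to the regular slab. */
    if (m->in_pool >= m->pool_objects)
        return false;
    m->in_pool++;
    return true;
}

/*
 * Constructed reproducer: n_allocs allocations in a tight loop at
 * allocs_per_ms per millisecond.  Returns how many were guarded and, via
 * target_guarded, whether allocation number `target` (the buggy one) was.
 */
static unsigned int simulate(uint64_t interval_ms, unsigned int burst,
                             unsigned int pool_objects, unsigned int n_allocs,
                             unsigned int allocs_per_ms, unsigned int target,
                             bool *target_guarded)
{
    struct kfence_model m;
    unsigned int guarded = 0;

    kfence_model_init(&m, interval_ms, burst, pool_objects);
    if (target_guarded)
        *target_guarded = false;
    for (unsigned int i = 0; i < n_allocs; i++) {
        bool g = kfence_model_alloc(&m, i / allocs_per_ms);
        guarded += g;
        if (g && i == target && target_guarded)
            *target_guarded = true;
    }
    return guarded;
}

/* Workload mirroring the experiment: 1023-object pool, 200 allocs in 2 ms. */
static bool buggy_alloc_guarded(uint64_t interval_ms, unsigned int burst)
{
    bool hit;
    simulate(interval_ms, burst, 1023, 200, 100, 150, &hit);
    return hit;
}

int main(void)
{
    static const struct { const char *name; uint64_t iv; unsigned int burst; } cfg[] = {
        { "Baseline",        100, 0 },
        { "Aggressive",        1, 0 },
        { "AggressiveBurst",   1, 1000 },
    };

    for (size_t i = 0; i < sizeof(cfg) / sizeof(cfg[0]); i++) {
        unsigned int n = simulate(cfg[i].iv, cfg[i].burst, 1023, 200, 100, 150, NULL);
        printf("%-16s guarded %3u/200, buggy allocation guarded: %s\n",
               cfg[i].name, n, buggy_alloc_guarded(cfg[i].iv, cfg[i].burst) ? "yes" : "no");
    }
    return 0;
}
```

In this model the Baseline and Aggressive configs guard only one allocation
per sample interval, so a reproducer that finishes in a couple of
milliseconds has almost no chance of placing the buggy allocation on a guard
page, which matches the 0/10 rows above; burst=1000 covers the whole run.
The model also shows the practical limit of the knob: with a burst count at
or above the pool size (1023 objects in the experiment) a workload that does
not free its objects exhausts the pool and the rest falls back to the normal
slab allocator, so the burst count should be chosen relative to the pool
size and the reproducer's allocation pattern.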
