Re: [PATCH RFC v2 0/6] Break heap spraying needed for exploiting use-after-free

From: Matthew Wilcox
Date: Mon Oct 05 2020 - 20:45:18 EST

Next message: Ricardo Neri: "Re: [PATCH 0/4] drivers core: Introduce CPU type sysfs interface"
Previous message: Matthias Kaehlcke: "Re: [PATCH v4 1/2] dt-bindings: usb: Add binding for discrete onboard USB hubs"
In reply to: Jann Horn: "Re: [PATCH RFC v2 0/6] Break heap spraying needed for exploiting use-after-free"
Next in thread: Jann Horn: "Re: [PATCH RFC v2 0/6] Break heap spraying needed for exploiting use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Oct 06, 2020 at 12:56:33AM +0200, Jann Horn wrote:
> It seems to me like, if you want to make UAF exploitation harder at
> the heap allocator layer, you could do somewhat more effective things
> with a probably much smaller performance budget. Things like
> preventing the reallocation of virtual kernel addresses with different
> types, such that an attacker can only replace a UAF object with
> another object of the same type. (That is not an idea I like very much
> either, but I would like it more than this proposal.) (E.g. some
> browsers implement things along those lines, I believe.)

The slab allocator already has that functionality. We call it
TYPESAFE_BY_RCU, but if forcing that on by default would enhance security
by a measurable amount, it wouldn't be a terribly hard sell ...

Next message: Ricardo Neri: "Re: [PATCH 0/4] drivers core: Introduce CPU type sysfs interface"
Previous message: Matthias Kaehlcke: "Re: [PATCH v4 1/2] dt-bindings: usb: Add binding for discrete onboard USB hubs"
In reply to: Jann Horn: "Re: [PATCH RFC v2 0/6] Break heap spraying needed for exploiting use-after-free"
Next in thread: Jann Horn: "Re: [PATCH RFC v2 0/6] Break heap spraying needed for exploiting use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]