Re: [PATCH v3] mm: Add SLUB free list pointer obfuscation
From: Christoph Lameter
Date: Fri Jul 07 2017 - 09:50:51 EST
On Thu, 6 Jul 2017, Kees Cook wrote:
> Right. This is about blocking the escalation of attack capability. For
> slab object overflow flaws, there are mainly two exploitation methods:
> adjacent allocated object overwrite and adjacent freed object
> overwrite (i.e. a freelist pointer overwrite). The first attack
> depends heavily on which slab cache (and therefore which structures)
> has been exposed by the bug. It's a very narrow and specific attack
> method. The freelist attack is entirely general purpose since it
> provides a reliable way to gain arbitrary write capabilities.
> Protecting against that attack greatly narrows the options for an
> attacker which makes attacks more expensive to create and possibly
> less reliable (and reliability is crucial to successful attacks).
The simplest thing here is to vary the location of the freelist pointer.
That way you cannot hit the freepointer in a deterministic way
The freepointer is put at offset 0 right now. But you could put it
anywhere in the object.
Index: linux/mm/slub.c
===================================================================
--- linux.orig/mm/slub.c
+++ linux/mm/slub.c
@@ -3467,7 +3467,8 @@ static int calculate_sizes(struct kmem_c
*/
s->offset = size;
size += sizeof(void *);
- }
+ } else
+ s->offset = s->size / sizeof(void *) * <insert random chance logic here>
#ifdef CONFIG_SLUB_DEBUG
if (flags & SLAB_STORE_USER)