[PATCH 0/3] mm/slab: Improved sanity checking
From: Kees Cook
Date: Thu May 30 2019 - 00:54:18 EST
Hi,
This adds defenses against slab cache confusion (as seen in real-world
exploits[1]) and gracefully handles type confusions when trying to look
up slab caches from an arbitrary page. (Also is patch 3: new LKDTM tests
for these defenses as well as for the existing double-free detection. To
avoid possible merge conflicts, I'd prefer patch 3 went via drivers/misc,
which I will send to Greg separately, but I've included it here to help
illustrate the issues.)
-Kees
[1] https://github.com/ThomasKing2014/slides/raw/master/Building%20universal%20Android%20rooting%20with%20a%20type%20confusion%20vulnerability.pdf
Kees Cook (3):
mm/slab: Validate cache membership under freelist hardening
mm/slab: Sanity-check page type when looking up cache
lkdtm/heap: Add tests for freelist hardening
drivers/misc/lkdtm/core.c | 5 +++
drivers/misc/lkdtm/heap.c | 72 ++++++++++++++++++++++++++++++++++++++
drivers/misc/lkdtm/lkdtm.h | 5 +++
mm/slab.c | 14 ++++----
mm/slab.h | 29 +++++++++------
5 files changed, 107 insertions(+), 18 deletions(-)
--
2.17.1