[PATCH 0/3] mm/slab: Improved sanity checking

From: Kees Cook
Date: Thu May 30 2019 - 00:54:18 EST


Hi,

This adds defenses against slab cache confusion (as seen in real-world
exploits[1]) and gracefully handles type confusions when trying to look
up slab caches from an arbitrary page. (Also included is patch 3: new LKDTM tests
for these defenses as well as for the existing double-free detection. To
avoid possible merge conflicts, I'd prefer patch 3 went via drivers/misc,
which I will send to Greg separately, but I've included it here to help
illustrate the issues.)

-Kees

[1] https://github.com/ThomasKing2014/slides/raw/master/Building%20universal%20Android%20rooting%20with%20a%20type%20confusion%20vulnerability.pdf

Kees Cook (3):
mm/slab: Validate cache membership under freelist hardening
mm/slab: Sanity-check page type when looking up cache
lkdtm/heap: Add tests for freelist hardening

drivers/misc/lkdtm/core.c | 5 +++
drivers/misc/lkdtm/heap.c | 72 ++++++++++++++++++++++++++++++++++++++
drivers/misc/lkdtm/lkdtm.h | 5 +++
mm/slab.c | 14 ++++----
mm/slab.h | 29 +++++++++------
5 files changed, 107 insertions(+), 18 deletions(-)

--
2.17.1