[PATCH 0/4] slab: Introduce dedicated bucket allocator
From: Kees Cook
Date: Mon Mar 04 2024 - 13:50:01 EST
Hi,
Repeating the commit logs for patch 1 here:
Dedicated caches are available For fixed size allocations via
kmem_cache_alloc(), but for dynamically sized allocations there is only
the global kmalloc API's set of buckets available. This means it isn't
possible to separate specific sets of dynamically sized allocations into
a separate collection of caches.
This leads to a use-after-free exploitation weakness in the Linux
kernel since many heap memory spraying/grooming attacks depend on using
userspace-controllable dynamically sized allocations to collide with
fixed size allocations that end up in same cache.
While CONFIG_RANDOM_KMALLOC_CACHES provides a probabilistic defense
against these kinds of "type confusion" attacks, including for fixed
same-size heap objects, we can create a complementary deterministic
defense for dynamically sized allocations.
In order to isolate user-controllable sized allocations from system
allocations, introduce kmem_buckets_create() and kmem_buckets_alloc(),
which behave like kmem_cache_create() and like kmem_cache_alloc() for
confining allocations to a dedicated set of sized caches (which have
the same layout as the kmalloc caches).
This can also be used in the future once codetag allocation annotations
exist to implement per-caller allocation cache isolation[0] even for
dynamic allocations.
Link: https://lore.kernel.org/lkml/202402211449.401382D2AF@keescook [0]
After the implemetation are 3 example patch of how this could be used
for some repeat "offenders" that get used in exploits. There are more to
be isolated beyond just these. Repeating the commit log for patch 2 here:
The msg subsystem is a common target for exploiting[1][2][3][4][5][6]
use-after-free type confusion flaws in the kernel for both read and
write primitives. Avoid having a user-controlled size cache share the
global kmalloc allocator by using a separate set of kmalloc buckets.
After a fresh boot under Ubuntu 23.10, we can see the caches are already
in use:
# grep ^msg_msg /proc/slabinfo
msg_msg-8k 0 0 8192 4 8 : ...
msg_msg-4k 96 128 4096 8 8 : ...
msg_msg-2k 64 64 2048 16 8 : ...
msg_msg-1k 64 64 1024 16 4 : ...
msg_msg-16 1024 1024 16 256 1 : ...
msg_msg-8 0 0 8 512 1 : ...
Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1]
Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2]
Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3]
Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4]
Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html [5]
Link: https://zplin.me/papers/ELOISE.pdf [6]
-Kees
Kees Cook (4):
slab: Introduce dedicated bucket allocator
ipc, msg: Use dedicated slab buckets for alloc_msg()
xattr: Use dedicated slab buckets for setxattr()
mm/util: Use dedicated slab buckets for memdup_user()
fs/xattr.c | 12 ++++++++-
include/linux/slab.h | 26 ++++++++++++++++++
ipc/msgutil.c | 11 +++++++-
mm/slab_common.c | 64 ++++++++++++++++++++++++++++++++++++++++++++
mm/util.c | 12 ++++++++-
5 files changed, 122 insertions(+), 3 deletions(-)
--
2.34.1