• Kees Cook's avatar
    mm: add SLUB free list pointer obfuscation · 2482ddec
    Kees Cook authored
    This SLUB free list pointer obfuscation code is modified from Brad
    Spengler/PaX Team's code in the last public patch of grsecurity/PaX
    based on my understanding of the code.  Changes or omissions from the
    original code are mine and don't reflect the original grsecurity/PaX
    This adds a per-cache random value to SLUB caches that is XORed with
    their freelist pointer address and value.  This adds nearly zero
    overhead and frustrates the very common heap overflow exploitation
    method of overwriting freelist pointers.
    A recent example of the attack is written up here:
    and there is a section dedicated to the technique the book "A Guide to
    Kernel Exploitation: Attacking the Core".
    This is based on patches by Daniel Micay, and refactored to minimize the
    use of #ifdef.
    With 200-count cycles of "hackbench -g 20 -l 1000" I saw the following
    run times:
     	mean 10.11882499999999999995
    	variance .03320378329145728642
    	stdev .18221905304181911048
    	mean 10.12654000000000000014
    	variance .04700556623115577889
    	stdev .21680767106160192064
    The difference gets lost in the noise, but if the above is to be taken
    literally, using CONFIG_FREELIST_HARDENED is 0.07% slower.
    Link: http://lkml.kernel.org/r/20170802180609.GA66807@beast
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Suggested-by: default avatarDaniel Micay <danielmicay@gmail.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Tycho Andersen <tycho@docker.com>
    Cc: Alexander Popov <alex.popov@linux.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>