From 2eb3076519471028c2672939c5d97d45f45e425e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 14 Apr 2020 10:10:15 +0200 Subject: [PATCH] 4.19-stable patches added patches: slub-improve-bit-diffusion-for-freelist-ptr-obfuscation.patch --- queue-4.19/series | 1 + ...ffusion-for-freelist-ptr-obfuscation.patch | 71 +++++++++++++++++++ 2 files changed, 72 insertions(+) create mode 100644 queue-4.19/slub-improve-bit-diffusion-for-freelist-ptr-obfuscation.patch diff --git a/queue-4.19/series b/queue-4.19/series index 511d297d863..5e76f7441fa 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -40,3 +40,4 @@ btrfs-remove-a-bug_on-from-merge_reloc_roots.patch btrfs-track-reloc-roots-based-on-their-commit-root-b.patch ib-mlx5-replace-tunnel-mpls-capability-bits-for-tunn.patch uapi-rename-ext2_swab-to-swab-and-share-globally-in-.patch +slub-improve-bit-diffusion-for-freelist-ptr-obfuscation.patch diff --git a/queue-4.19/slub-improve-bit-diffusion-for-freelist-ptr-obfuscation.patch b/queue-4.19/slub-improve-bit-diffusion-for-freelist-ptr-obfuscation.patch new file mode 100644 index 00000000000..92a43563220 --- /dev/null +++ b/queue-4.19/slub-improve-bit-diffusion-for-freelist-ptr-obfuscation.patch @@ -0,0 +1,71 @@ +From 1ad53d9fa3f6168ebcf48a50e08b170432da2257 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 1 Apr 2020 21:04:23 -0700 +Subject: slub: improve bit diffusion for freelist ptr obfuscation + +From: Kees Cook + +commit 1ad53d9fa3f6168ebcf48a50e08b170432da2257 upstream. + +Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak +in that the ptr and ptr address were usually so close that the first XOR +would result in an almost entirely 0-byte value[1], leaving most of the +"secret" number ultimately being stored after the third XOR. A single +blind memory content exposure of the freelist was generally sufficient to +learn the secret. + +Add a swab() call to mix bits a little more. This is a cheap way (1 +cycle) to make attacks need more than a single exposure to learn the +secret (or to know _where_ the exposure is in memory). + +kmalloc-32 freelist walk, before: + +ptr ptr_addr stored value secret +ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d) +ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d) +ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d) +ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d) +ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d) +... + +after: + +ptr ptr_addr stored value secret +ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d) +ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d) +ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d) +ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d) +ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d) + +[1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html + +Fixes: 2482ddec670f ("mm: add SLUB free list pointer obfuscation") +Reported-by: Silvio Cesare +Signed-off-by: Kees Cook +Signed-off-by: Andrew Morton +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: +Link: http://lkml.kernel.org/r/202003051623.AF4F8CB@keescook +Signed-off-by: Linus Torvalds +[kees: Backport to v4.19 which doesn't call kasan_reset_untag()] +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -249,7 +249,7 @@ static inline void *freelist_ptr(const s + unsigned long ptr_addr) + { + #ifdef CONFIG_SLAB_FREELIST_HARDENED +- return (void *)((unsigned long)ptr ^ s->random ^ ptr_addr); ++ return (void *)((unsigned long)ptr ^ s->random ^ swab(ptr_addr)); + #else + return ptr; + #endif -- 2.47.3