|
Message-Id: <20190626121943.131390-1-glider@google.com> Date: Wed, 26 Jun 2019 14:19:41 +0200 From: Alexander Potapenko <glider@...gle.com> To: Andrew Morton <akpm@...ux-foundation.org>, Christoph Lameter <cl@...ux.com>, Kees Cook <keescook@...omium.org> Cc: Alexander Potapenko <glider@...gle.com>, Masahiro Yamada <yamada.masahiro@...ionext.com>, Michal Hocko <mhocko@...nel.org>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Nick Desaulniers <ndesaulniers@...gle.com>, Kostya Serebryany <kcc@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, Sandeep Patil <sspatil@...roid.com>, Laura Abbott <labbott@...hat.com>, Randy Dunlap <rdunlap@...radead.org>, Jann Horn <jannh@...gle.com>, Mark Rutland <mark.rutland@....com>, Marco Elver <elver@...gle.com>, Qian Cai <cai@....pw>, linux-mm@...ck.org, linux-security-module@...r.kernel.org, kernel-hardening@...ts.openwall.com Subject: [PATCH v8 0/3] add init_on_alloc/init_on_free boot options Provide init_on_alloc and init_on_free boot options. These are aimed at preventing possible information leaks and making the control-flow bugs that depend on uninitialized values more deterministic. Enabling either of the options guarantees that the memory returned by the page allocator and SL[AU]B is initialized with zeroes. SLOB allocator isn't supported at the moment, as its emulation of kmem caches complicates handling of SLAB_TYPESAFE_BY_RCU caches correctly. Enabling init_on_free also guarantees that pages and heap objects are initialized right after they're freed, so it won't be possible to access stale data by using a dangling pointer. As suggested by Michal Hocko, right now we don't let the heap users to disable initialization for certain allocations. There's not enough evidence that doing so can speed up real-life cases, and introducing ways to opt-out may result in things going out of control. To: Andrew Morton <akpm@...ux-foundation.org> To: Christoph Lameter <cl@...ux.com> To: Kees Cook <keescook@...omium.org> Cc: Masahiro Yamada <yamada.masahiro@...ionext.com> Cc: Michal Hocko <mhocko@...nel.org> Cc: James Morris <jmorris@...ei.org> Cc: "Serge E. Hallyn" <serge@...lyn.com> Cc: Nick Desaulniers <ndesaulniers@...gle.com> Cc: Kostya Serebryany <kcc@...gle.com> Cc: Dmitry Vyukov <dvyukov@...gle.com> Cc: Sandeep Patil <sspatil@...roid.com> Cc: Laura Abbott <labbott@...hat.com> Cc: Randy Dunlap <rdunlap@...radead.org> Cc: Jann Horn <jannh@...gle.com> Cc: Mark Rutland <mark.rutland@....com> Cc: Marco Elver <elver@...gle.com> Cc: Qian Cai <cai@....pw> Cc: linux-mm@...ck.org Cc: linux-security-module@...r.kernel.org Cc: kernel-hardening@...ts.openwall.com Alexander Potapenko (2): mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options mm: init: report memory auto-initialization features at boot time .../admin-guide/kernel-parameters.txt | 9 +++ drivers/infiniband/core/uverbs_ioctl.c | 2 +- include/linux/mm.h | 22 ++++++ init/main.c | 24 +++++++ mm/dmapool.c | 4 +- mm/page_alloc.c | 71 +++++++++++++++++-- mm/slab.c | 16 ++++- mm/slab.h | 19 +++++ mm/slub.c | 43 +++++++++-- net/core/sock.c | 2 +- security/Kconfig.hardening | 29 +++++++++ 12 files changed, 204 insertions(+), 19 deletions(-) --- v3: dropped __GFP_NO_AUTOINIT patches v5: dropped support for SLOB allocator, handle SLAB_TYPESAFE_BY_RCU v6: changed wording in boot-time message v7: dropped the test_meminit.c patch (picked by Andrew Morton already), minor wording changes v8: fixes for interoperability with other heap debugging features -- 2.22.0.410.gd8fdbe21b5-goog
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.