On Mon, Jun 19, 2017 at 9:09 PM, Daniel Micay <danielmicay@xxxxxxxxx> wrote: > On Mon, 2017-06-19 at 16:36 -0700, Kees Cook wrote: >> Some hardened environments want to build kernels with slab_nomerge >> already set (so that they do not depend on remembering to set the >> kernel >> command line option). This is desired to reduce the risk of kernel >> heap >> overflows being able to overwrite objects from merged caches, >> increasing >> the difficulty of these attacks. By keeping caches unmerged, these >> kinds >> of exploits can usually only damage objects in the same cache (though >> the >> risk to metadata exploitation is unchanged). > > It also further fragments the ability to influence slab cache layout, > i.e. primitives to do things like filling up slabs to set things up for > an exploit might not be able to deal with the target slabs anymore. It > doesn't need to be mentioned but it's something to think about too. In > theory, disabling merging can make it *easier* to get the right layout > too if there was some annoyance that's now split away. It's definitely a > lot more good than bad for security though, but allocator changes have > subtle impact on exploitation. This can make caches more deterministic. Good point about changes to heap grooming; I'll adjust the commit log. -Kees -- Kees Cook Pixel Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
