On 2023/04/24 21:46, Alexander Lobakin wrote: > From: Gong, Ruiqi <gongruiqi1@xxxxxxxxxx> > Date: Mon, 24 Apr 2023 10:54:33 +0800 > > ... > >> >>> It's fast enough according to Jason... `_RET_IP_ % nr` doesn't sound >>> "secure" to me. It really is a compile-time constant, which can be >>> calculated (or not?) manually. Even if it wasn't, `% nr` doesn't sound >>> good, there should be at least hash_32(). >> >> Yes, `_RET_IP_ % nr` is a bit naive. Currently the patch is more like a >> PoC so I wrote this. Indeed a proper hash function should be used here. >> >> And yes _RET_IP_ could somehow be manually determined especially for >> kernels without KASLR, and I think adding a per-boot random seed into >> the selection could solve this. > > I recall how it is done for kCFI/FineIBT in the x86 code -- it also uses > per-boot random seed (although it gets patched into the code itself each > time, when applying alternatives). So probably should be optimal enough. > The only thing I'm wondering is where to store this per-boot seed :D > It's generic code, so you can't patch it directly. OTOH storing it in > .data/.bss can make it vulnerable to attacks... Can't it? I think marking the seed with __ro_after_init is enough, since we don't mind it could be read by the attacker. Given that the code paths the attacker can utilize to spray the heap is limited, our address-related randomness in most cases prevents kmalloc()s on these paths from picking the same cache the vulnerable subsystem/module would pick. Although _RET_IP_ of kmalloc()s could be known, without tampering the source code and rebuilding the image, the attacker can't do anything to make those caches collide if the cache selection algorithm says they don't. So in my perspective the per-boot random seed is more like an enhancement: if one day, by analyzing the open source code, the attacker does find a usable kmalloc that happens to pick the same cache with the vulnerable subsystem/module, the seed could make his/her effort wasted ;) > >> >> I will implement these in v2. Thanks! >> >>> >>> Thanks, >>> Olek >>> > > Thanks, > Olek
