[PATCH v3 2/2] slab: Achieve better kmalloc caches randomization in kvmalloc

Wed, 12 Feb 2025 00:05:17 -0800 

As revealed by this writeup[1], due to the fact that __kmalloc_node (now
renamed to __kmalloc_node_noprof) is an exported symbol and will never
get inlined, using it in kvmalloc_node (now is __kvmalloc_node_noprof)
would make the RET_IP inside always point to the same address:

    upper_caller
        kvmalloc
        kvmalloc_node
        kvmalloc_node_noprof
        __kvmalloc_node_noprof  <-- all macros all the way down here
            __kmalloc_node_noprof
                __do_kmalloc_node(.., _RET_IP_)
            ...                 <-- _RET_IP_ points to

That literally means all kmalloc invoked via kvmalloc would use the same
seed for cache randomization (CONFIG_RANDOM_KMALLOC_CACHES), which makes
this hardening non-functional.

The root cause of this problem, IMHO, is that using RET_IP only cannot
identify the actual allocation site in case of kmalloc being called
inside non-inlined wrappers or helper functions. And I believe there
could be similar cases in other functions. Nevertheless, I haven't
thought of any good solution for this. So for now let's solve this
specific case first.

For __kvmalloc_node_noprof, replace __kmalloc_node_noprof and call
__do_kmalloc_node directly instead, so that RET_IP can take the return
address of kvmalloc and differentiate each kvmalloc invocation:

    upper_caller
        kvmalloc
        kvmalloc_node
        kvmalloc_node_noprof
        __kvmalloc_node_noprof  <-- all macros all the way down here
            __do_kmalloc_node(.., _RET_IP_)
        ...                     <-- _RET_IP_ points to

Thanks to Tamás Koczka for the report and discussion!

Link: 
https://github.com/google/security-research/blob/908d59b573960dc0b90adda6f16f7017aca08609/pocs/linux/kernelctf/CVE-2024-27397_mitigation/docs/exploit.md?plain=1#L259
 [1]
Reported-by: Tamás Koczka <[email protected]>
Signed-off-by: GONG Ruiqi <[email protected]>
---
 mm/slub.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index abc982d68feb..1f7d1d260eeb 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -4925,9 +4925,9 @@ void *__kvmalloc_node_noprof(DECL_BUCKET_PARAMS(size, b), 
gfp_t flags, int node)
         * It doesn't really make sense to fallback to vmalloc for sub page
         * requests
         */
-       ret = __kmalloc_node_noprof(PASS_BUCKET_PARAMS(size, b),
-                                   kmalloc_gfp_adjust(flags, size),
-                                   node);
+       ret = __do_kmalloc_node(size, PASS_BUCKET_PARAM(b),
+                               kmalloc_gfp_adjust(flags, size),
+                               node, _RET_IP_);
        if (ret || size <= PAGE_SIZE)
                return ret;
 
-- 
2.25.1

Reply via email to