[PATCH v7 0/3] add init_on_alloc/init_on_free boot options
Alexander Potapenko
glider at google.com
Mon Jun 17 15:10:48 UTC 2019
Provide init_on_alloc and init_on_free boot options.

These are aimed at preventing possible information leaks and making the
control-flow bugs that depend on uninitialized values more deterministic.

Enabling either of the options guarantees that the memory returned by the
page allocator and SL[AU]B is initialized with zeroes.
SLOB allocator isn't supported at the moment, as its emulation of kmem
caches complicates handling of SLAB_TYPESAFE_BY_RCU caches correctly.

Enabling init_on_free also guarantees that pages and heap objects are
initialized right after they're freed, so it won't be possible to access
stale data by using a dangling pointer.

As suggested by Michal Hocko, right now we don't let the heap users
disable initialization for certain allocations. There's not enough
evidence that doing so can speed up real-life cases, and introducing
ways to opt-out may result in things going out of control.

To: Andrew Morton <akpm at linux-foundation.org>
To: Christoph Lameter <cl at linux.com>
To: Kees Cook <keescook at chromium.org>
Cc: Masahiro Yamada <yamada.masahiro at socionext.com>
Cc: Michal Hocko <mhocko at kernel.org>
Cc: James Morris <jmorris at namei.org>
Cc: "Serge E. Hallyn" <serge at hallyn.com>
Cc: Nick Desaulniers <ndesaulniers at google.com>
Cc: Kostya Serebryany <kcc at google.com>
Cc: Dmitry Vyukov <dvyukov at google.com>
Cc: Sandeep Patil <sspatil at android.com>
Cc: Laura Abbott <labbott at redhat.com>
Cc: Randy Dunlap <rdunlap at infradead.org>
Cc: Jann Horn <jannh at google.com>
Cc: Mark Rutland <mark.rutland at arm.com>
Cc: Marco Elver <elver at google.com>
Cc: linux-mm at kvack.org
Cc: linux-security-module at vger.kernel.org
Cc: kernel-hardening at lists.openwall.com

Alexander Potapenko (2):
  mm: security: introduce init_on_alloc=1 and init_on_free=1 boot
    options
  mm: init: report memory auto-initialization features at boot time

 .../admin-guide/kernel-parameters.txt  |  9 +++
 drivers/infiniband/core/uverbs_ioctl.c |  2 +-
 include/linux/mm.h                     | 22 +++++++
 init/main.c                            | 24 +++++++
 kernel/kexec_core.c                    |  2 +-
 mm/dmapool.c                           |  2 +-
 mm/page_alloc.c                        | 63 ++++++++++++++++---
 mm/slab.c                              | 16 ++++-
 mm/slab.h                              | 19 ++++++
 mm/slub.c                              | 33 ++++++++--
 net/core/sock.c                        |  2 +-
 security/Kconfig.hardening             | 29 +++++++++
 12 files changed, 204 insertions(+), 19 deletions(-)
---
 v3: dropped __GFP_NO_AUTOINIT patches
 v5: dropped support for SLOB allocator, handle SLAB_TYPESAFE_BY_RCU
 v6: changed wording in boot-time message
 v7: dropped the test_meminit.c patch (picked by Andrew Morton already),
     minor wording changes
--
2.22.0.410.gd8fdbe21b5-goog
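
A userspace C model of the two guarantees described in the cover letter above, added here as an illustration; it is not part of the patch series and not kernel code. The names `toy_cache`, `toy_alloc`, `toy_free` and `stale_exposure` are hypothetical and the secret string is constructed. It shows that zeroing on allocation alone stops stale data from reaching the next owner of an object, while only zeroing on free also stops a read through a dangling pointer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE 32
#define NOBJ 4
/* Hypothetical userspace model of a fixed-size object cache; not kernel code. */
struct toy_cache {
    bool init_on_alloc, init_on_free;   /* model the two boot options */
    unsigned char mem[NOBJ][OBJ_SIZE];
    int free_idx[NOBJ], nfree;          /* LIFO stack of free slots */
};

static void *toy_alloc(struct toy_cache *c)
{
    void *p = c->nfree ? c->mem[c->free_idx[--c->nfree]] : NULL;
    if (p && c->init_on_alloc)
        memset(p, 0, OBJ_SIZE);         /* zero before handing out */
    return p;
}

static void toy_free(struct toy_cache *c, void *p)
{
    if (c->init_on_free)
        memset(p, 0, OBJ_SIZE);         /* wipe as soon as it is freed */
    c->free_idx[c->nfree++] = (int)(((unsigned char *)p - &c->mem[0][0]) / OBJ_SIZE);
}

/* Bit 0: dangling pointer still reads the secret; bit 1: next allocation gets it. */
static int stale_exposure(bool on_alloc, bool on_free)
{
    static const char secret[] = "constructed-secret";   /* constructed sample */
    struct toy_cache c = { .init_on_alloc = on_alloc, .init_on_free = on_free };
    memset(c.mem, 0xAA, sizeof(c.mem));  /* stand-in for leftover data */
    for (int i = 0; i < NOBJ; i++)
        c.free_idx[c.nfree++] = i;       /* every slot starts free */
    char *a = toy_alloc(&c);
    memcpy(a, secret, sizeof(secret));
    toy_free(&c, a);
    int r = memcmp(a, secret, sizeof(secret)) == 0;
    char *b = toy_alloc(&c);             /* LIFO reuse: b == a */
    return r | (memcmp(b, secret, sizeof(secret)) == 0 ? 2 : 0);
}

int main(void)
{
    for (int m = 0; m < 4; m++)
        printf("alloc=%d free=%d exposure=%d\n", m & 1, m >> 1, stale_exposure(m & 1, m >> 1));
    return 0;
}
```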