LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Re: [PATCH] Make /proc/slabinfo 0400

[Posted March 9, 2011 by jake]

From:  Matt Mackall <mpm-AT-selenic.com>
To:  Dan Rosenberg <drosenberg-AT-vsecurity.com>
Subject:  Re: [PATCH] Make /proc/slabinfo 0400
Date:  Thu, 03 Mar 2011 14:58:02 -0600
Message-ID:  <1299185882.3062.233.camel@calx>
Cc:  cl-AT-linux-foundation.org, penberg-AT-kernel.org, linux-mm-AT-kvack.org, linux-kernel-AT-vger.kernel.org
Archive-link:  Article, Thread 

On Thu, 2011-03-03 at 12:50 -0500, Dan Rosenberg wrote:
> Allowing unprivileged users to read /proc/slabinfo represents a security
> risk, since revealing details of slab allocations can expose information
> that is useful when exploiting kernel heap corruption issues.  This is
> evidenced by observing that nearly all recent public exploits for heap
> issues rely on feedback from /proc/slabinfo to manipulate heap layout
> into an exploitable state.

Looking at a couple of these exploits, my suspicion is that looking at
slabinfo simply improves the odds of success by a small factor (ie 10x
or so) and doesn't present a real obstacle to attackers. All that
appears to be required is to arrange that an overrunnable object be
allocated next to one that is exploitable when overrun. And that can be
arranged with fairly high probability on SLUB's merged caches.

On the other hand, I'm not convinced the contents of this file are of
much use to people without admin access.

-- 
Mathematics is the supreme nostalgia of our time.
(Log in to post comments)

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds