[src/trunk]: src/sys/kern Kernel Heap Hardening: manage freed items with bitm...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/c9a2378a7f37
branches:  trunk
changeset: 449730:c9a2378a7f37
user:      maxv <maxv%NetBSD.org@localhost>
date:      Mon Mar 18 20:34:48 2019 +0000

description:
Kernel Heap Hardening: manage freed items with bitmaps rather than linked
lists when we're on-page and the page header is naturally big enough to
contain a bitmap.

This comes with no increase in memory consumption, and similar CPU cost
(maybe it's a little faster actually).

We want to favor bitmaps over linked lists, because linked lists install
kernel pointers inside the items, and this can be too easily exploitable
in use-after-free or double-free conditions, or in item buffer overflows
occurring within a pool page.

diffstat:

 sys/kern/subr_pool.c |  26 +++++++++++++++++++++-----
 1 files changed, 21 insertions(+), 5 deletions(-)

diffs (65 lines):

diff -r f7b0a605e626 -r c9a2378a7f37 sys/kern/subr_pool.c
--- a/sys/kern/subr_pool.c      Mon Mar 18 20:14:02 2019 +0000
+++ b/sys/kern/subr_pool.c      Mon Mar 18 20:34:48 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: subr_pool.c,v 1.242 2019/03/17 19:57:54 maxv Exp $     */
+/*     $NetBSD: subr_pool.c,v 1.243 2019/03/18 20:34:48 maxv Exp $     */
 
 /*
  * Copyright (c) 1997, 1999, 2000, 2002, 2007, 2008, 2010, 2014, 2015, 2018
@@ -33,7 +33,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_pool.c,v 1.242 2019/03/17 19:57:54 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_pool.c,v 1.243 2019/03/18 20:34:48 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -601,10 +601,26 @@
 static inline bool
 pool_init_is_usebmap(const struct pool *pp)
 {
+       size_t bmapsize;
+
        if (pp->pr_roflags & PR_NOTOUCH) {
                return true;
        }
 
+       /*
+        * If we're on-page, and the page header can already contain a bitmap
+        * big enough to cover all the items of the page, go with a bitmap.
+        */
+       if (!(pp->pr_roflags & PR_PHINPAGE)) {
+               return false;
+       }
+       bmapsize = roundup(PHSIZE, pp->pr_align) -
+           offsetof(struct pool_item_header, ph_bitmap[0]);
+       KASSERT(bmapsize % sizeof(pool_item_bitmap_t) == 0);
+       if (pp->pr_itemsperpage <= bmapsize * CHAR_BIT) {
+               return true;
+       }
+
        return false;
 }
 
@@ -728,6 +744,9 @@
                SPLAY_INIT(&pp->pr_phtree);
        }
 
+       pp->pr_itemsperpage = itemspace / pp->pr_size;
+       KASSERT(pp->pr_itemsperpage != 0);
+
        /*
         * Decide whether to use a bitmap or a linked list to manage freed
         * items.
@@ -736,9 +755,6 @@
                pp->pr_roflags |= PR_USEBMAP;
        }
 
-       pp->pr_itemsperpage = itemspace / pp->pr_size;
-       KASSERT(pp->pr_itemsperpage != 0);
-
        /*
         * If we're off-page and use a bitmap, choose the appropriate pool to
         * allocate page headers, whose size varies depending on the bitmap. If