Re: [PATCH 2/2] net: skb: isolate skb data area allocations into a separate bucket
From: Kees Cook <kees@kernel.org>
Date: 2026-06-05 18:09:28
Also in:
linux-hardening, linux-mm, lkml
From: Kees Cook <kees@kernel.org>
Date: 2026-06-05 18:09:28
Also in:
linux-hardening, linux-mm, lkml
On Tue, Jun 02, 2026 at 07:31:22PM +0100, Pedro Falcato wrote:
SKB data area allocations (as done from alloc_skb()) use kmalloc(). These allocations can be variably sized and their contents can be more or less controlled from userspace, which makes them useful for attackers that want to overwrite a use-after-free'd object from the same kmalloc slab (which often just requires the sizes to roughly match into the same kmalloc bucket). [0] is an easy example of an exploit that uses netlink skb allocation to target another similarly-sized accidentally freed object. While other mitigations like CONFIG_RANDOM_KMALLOC_CACHES exist, these are probabilistic. Use the existing kmem buckets API to further isolate these allocations in a guaranteed fashion, when CONFIG_SLAB_BUCKETS=y. Link: https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4207_lts_cos_mitigation_2/docs/exploit.md [0] Signed-off-by: Pedro Falcato <pfalcato@suse.de>
Great! This is exactly what the bucket API was made for. :) Reviewed-by: Kees Cook <kees@kernel.org> -- Kees Cook