Thread (13 messages) 13 messages, 6 authors, 26d ago

Re: [PATCH 2/2] net: skb: isolate skb data area allocations into a separate bucket

From: Kees Cook <kees@kernel.org>
Date: 2026-06-05 18:09:28
Also in: linux-hardening, linux-mm, lkml

On Tue, Jun 02, 2026 at 07:31:22PM +0100, Pedro Falcato wrote:
SKB data area allocations (as done from alloc_skb()) use kmalloc().
These allocations can be variably sized and their contents can be more
or less controlled from userspace, which makes them useful for attackers
that want to overwrite a use-after-free'd object from the same kmalloc slab
(which often just requires the sizes to roughly match into the same kmalloc
bucket). [0] is an easy example of an exploit that uses netlink skb
allocation to target another similarly-sized accidentally freed object.

While other mitigations like CONFIG_RANDOM_KMALLOC_CACHES exist, these are
probabilistic. Use the existing kmem buckets API to further isolate these
allocations in a guaranteed fashion, when CONFIG_SLAB_BUCKETS=y.

Link: https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4207_lts_cos_mitigation_2/docs/exploit.md [0]
Signed-off-by: Pedro Falcato <pfalcato@suse.de>
Great! This is exactly what the bucket API was made for. :)

Reviewed-by: Kees Cook <kees@kernel.org>

-- 
Kees Cook
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help