Re: [PATCH RFC 1/2] mm: Extract SLAB_QUARANTINE from KASAN

From: Alexander Popov
Date: Mon Aug 17 2020 - 16:34:27 EST


On 15.08.2020 21:54, Matthew Wilcox wrote:
> On Thu, Aug 13, 2020 at 06:19:21PM +0300, Alexander Popov wrote:
>> +config SLAB_QUARANTINE
>> + bool "Enable slab freelist quarantine"
>> + depends on !KASAN && (SLAB || SLUB)
>> + help
>> + Enable slab freelist quarantine to break heap spraying technique
>> + used for exploiting use-after-free vulnerabilities in the kernel
>> + code. If this feature is enabled, freed allocations are stored
>> + in the quarantine and can't be instantly reallocated and
>> + overwritten by the exploit performing heap spraying.
>> + This feature is a part of KASAN functionality.
>
> After this patch, it isn't part of KASAN any more ;-)

Ok, I'll change that to "this feature is used by KASAN" :)

> The way this is written is a bit too low level. Let's write it in terms
> that people who don't know the guts of the slab allocator or security
> terminology can understand:
>
> Delay reuse of freed slab objects. This makes some security
> exploits harder to execute. It reduces performance slightly
> as objects will be cache cold by the time they are reallocated,
> and it costs a small amount of memory.
>
> (feel free to edit this)

Ok, I see.
I'll start from high-level description and add low-level details at the end.

>> +struct qlist_node {
>> + struct qlist_node *next;
>> +};
>
> I appreciate this isn't new, but why do we have a new singly-linked-list
> abstraction being defined in this code?

I don't know for sure.
I suppose it is caused by SLAB/SLUB freelist implementation details (qlist_node
in kasan_free_meta is also used for the allocator freelist).

Best regards,
Alexander