Re: [PATCH v3 1/1] Randomized slab caches for kmalloc()

From: Vlastimil Babka
Date: Thu Jun 22 2023 - 09:56:22 EST


On 6/16/23 13:18, GONG, Ruiqi wrote:
> index a3c95338cd3a..6150e9a946a7 100644
> --- a/mm/Kconfig
> +++ b/mm/Kconfig
> @@ -337,6 +337,55 @@ config SLUB_CPU_PARTIAL
> which requires the taking of locks that may cause latency spikes.
> Typically one would choose no for a realtime system.
>
> +config RANDOM_KMALLOC_CACHES
> + default n
> + depends on SLUB
> + bool "Random slab caches for normal kmalloc"
> + help
> + A hardening feature that creates multiple copies of slab caches for
> + normal kmalloc allocation and makes kmalloc randomly pick one based
> + on code address, which makes the attackers unable to spray vulnerable
> + memory objects on the heap for exploiting memory vulnerabilities.
> +
> +choice
> + prompt "Number of random slab caches copies"
> + depends on RANDOM_KMALLOC_CACHES
> + default RANDOM_KMALLOC_CACHES_16
> + help
> + The number of copies of random slab caches. Bigger value makes the
> + potentially vulnerable memory object less likely to collide with
> + objects allocated from other subsystems or modules.

When I read this, without further knowledge, why would I select anything
else than the largest value? It should mention memory overhead maybe?

Also would anyone really select only "2" and thus limit the collision
probability to 50% and not less? "4" also seems quite low for the given
purpose? Could we just pick and hardcode 8 or 16 and avoid the selection, at
least until there's some more experience with the whole approach?