Re: [PATCH v3 1/1] Randomized slab caches for kmalloc()

From: Kees Cook
Date: Thu Jun 22 2023 - 16:10:08 EST

Next message: Sohil Mehta: "Re: [PATCH] syscalls: Remove file path comments from headers"
Previous message: kernel test robot: "Re: [PATCH v2 14/14] powerpc: Implement UACCESS validation on PPC32"
In reply to: Vlastimil Babka: "Re: [PATCH v3 1/1] Randomized slab caches for kmalloc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jun 22, 2023 at 03:56:04PM +0200, Vlastimil Babka wrote:
> On 6/16/23 13:18, GONG, Ruiqi wrote:
> > index a3c95338cd3a..6150e9a946a7 100644
> > --- a/mm/Kconfig
> > +++ b/mm/Kconfig
> > @@ -337,6 +337,55 @@ config SLUB_CPU_PARTIAL
> > which requires the taking of locks that may cause latency spikes.
> > Typically one would choose no for a realtime system.
> >
> > +config RANDOM_KMALLOC_CACHES
> > + default n
> > + depends on SLUB
> > + bool "Random slab caches for normal kmalloc"
> > + help
> > + A hardening feature that creates multiple copies of slab caches for
> > + normal kmalloc allocation and makes kmalloc randomly pick one based
> > + on code address, which makes the attackers unable to spray vulnerable
> > + memory objects on the heap for exploiting memory vulnerabilities.
> > +
> > +choice
> > + prompt "Number of random slab caches copies"
> > + depends on RANDOM_KMALLOC_CACHES
> > + default RANDOM_KMALLOC_CACHES_16
> > + help
> > + The number of copies of random slab caches. Bigger value makes the
> > + potentially vulnerable memory object less likely to collide with
> > + objects allocated from other subsystems or modules.
>
> When I read this, without further knowledge, why would I select anything
> else than the largest value? It should mention memory overhead maybe?

Yeah, good idea.

> Also would anyone really select only "2" and thus limit the collision
> probability to 50% and not less? "4" also seems quite low for the given
> purpose? Could we just pick and hardcode 8 or 16 and avoid the selection, at
> least until there's some more experience with the whole approach?

I assume it was for doing performance (speed or space) analysis for
people interested in tuning it. The default is 16, which is what most
folks will end up with. i.e. I'm not sure I see a benefit to dropping 2
and 4, since I imagine people will either want the highest value (16),
or the ability to do a full comparison of each setting.

Regardless, I would be fine if we dropped 2 and 4, since I am focused on
the maximum number (16) of hash buckets. :)

-Kees

--
Kees Cook

Next message: Sohil Mehta: "Re: [PATCH] syscalls: Remove file path comments from headers"
Previous message: kernel test robot: "Re: [PATCH v2 14/14] powerpc: Implement UACCESS validation on PPC32"
In reply to: Vlastimil Babka: "Re: [PATCH v3 1/1] Randomized slab caches for kmalloc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]