On Tue, 2 Jun 2026 19:31:22 +0100 Pedro Falcato wrote: > SKB data area allocations (as done from alloc_skb()) use kmalloc(). > These allocations can be variably sized and their contents can be more > or less controlled from userspace, which makes them useful for attackers > that want to overwrite a use-after-free'd object from the same kmalloc slab > (which often just requires the sizes to roughly match into the same kmalloc > bucket). [0] is an easy example of an exploit that uses netlink skb > allocation to target another similarly-sized accidentally freed object. > > While other mitigations like CONFIG_RANDOM_KMALLOC_CACHES exist, these are > probabilistic. Use the existing kmem buckets API to further isolate these > allocations in a guaranteed fashion, when CONFIG_SLAB_BUCKETS=y.
No idea on the merits but from networking point of view: Acked-by: Jakub Kicinski <[email protected]>
