On Tue, Jun 02, 2026 at 07:31:22PM +0100, Pedro Falcato wrote: > SKB data area allocations (as done from alloc_skb()) use kmalloc(). > These allocations can be variably sized and their contents can be more > or less controlled from userspace, which makes them useful for attackers > that want to overwrite a use-after-free'd object from the same kmalloc slab > (which often just requires the sizes to roughly match into the same kmalloc > bucket). [0] is an easy example of an exploit that uses netlink skb > allocation to target another similarly-sized accidentally freed object. > > While other mitigations like CONFIG_RANDOM_KMALLOC_CACHES exist, these are > probabilistic. Use the existing kmem buckets API to further isolate these > allocations in a guaranteed fashion, when CONFIG_SLAB_BUCKETS=y. > > Link: > https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4207_lts_cos_mitigation_2/docs/exploit.md > [0] > Signed-off-by: Pedro Falcato <[email protected]>
Great! This is exactly what the bucket API was made for. :) Reviewed-by: Kees Cook <[email protected]> -- Kees Cook
