On Mon, Jun 08, 2026 at 09:20:39AM +0200, Vlastimil Babka (SUSE) wrote: > On 6/8/26 06:22, Jarkko Sakkinen wrote: > > On Thu, Jun 04, 2026 at 01:50:34PM +0100, Mohammed EL Kadiri wrote: > >> The key_jar slab cache holds struct key objects containing cryptographic > >> keys, authentication tokens, and keyring linkage. This cache currently > >> lacks merge prevention, allowing the SLUB allocator to merge it with > >> other similarly-sized caches. > >> > >> On a default Ubuntu 6.17.0-23-generic system, key_jar has 5 aliases, > >> meaning 5 unrelated object types share its slab pages. struct key is > >> 224 bytes, placed in 256-byte slabs alongside biovec-16, maple_node, > >> ip6_dst_cache, task_delay_info, and kmalloc-256 users. > >> > >> Cross-cache heap exploitation is a well-documented attack class > >> (CVE-2022-29582, CVE-2022-2588, CVE-2021-22555) where slab cache > >> merging enables type confusion between unrelated kernel objects. A > >> use-after-free in any subsystem sharing slab pages with key_jar could > >> allow an attacker to reclaim a freed slot as a struct key, or corrupt > >> an existing key through a dangling pointer to a different type. > >> > >> Add SLAB_NO_MERGE to ensure key_jar receives dedicated slab pages, > >> eliminating cross-cache attacks targeting struct key. The memory > >> overhead is minimal: with 32 objects per slab page and typical key > >> usage bounded by system keyring size, the cost of dedicated pages is > >> negligible. There is zero performance impact on the allocation hot > >> path. > >> > >> This follows the precedent set by skbuff_head_cache (net/core/skbuff.c) > >> which uses SLAB_NO_MERGE for similar isolation requirements. > > I just realized this part is somewhat misleading, because it's done there > for performance reasons, so I wouldn't say "similar".
Mohammed, could you at least send v2, which does not emphasize on CVEs? It's better the use no_merge for sake of hardnening but some risk is not same as vulnerability. I'll replace the patch in my tree with updated once I get it. Or I can strip off the parts myself, whatever goes... > > > > > ~/work/kernel.org/jarkko/linux-tpmdd master* > > ❯ git log --oneline -1 d0bf7d5759c1d89fb013aa41cca5832e00b9632a > > d0bf7d5759c1 mm/slab: introduce kmem_cache flag SLAB_NO_MERGE > > > > ~/work/kernel.org/jarkko/linux-tpmdd master* > > ❯ git describe --contains d0bf7d5759c1d89fb013aa41cca5832e00b9632a > > v6.5-rc1~137^2^3~1 > > > > So we could probably forward to stable's starting from v6.6+ if that > > is necessary / makes sense? > > It won't hurt, but I doubt it's "necessary" per stable rules. But stable > maintainers ignore those themselves anyway, so whatever. > > > It's not a bug fix but kind of still I think would be a change that > > stable kernels are better off with it than without it. > > > > What do you think? > > Won't object. Yeah, I agree, and yeah I think commit message goes over the top, while the change is for better. BR, Jarkko
