Date: Mon, 17 Aug 2020 13:53:51 +0200
From: Andrey Konovalov <>
To: Kees Cook <>, Alexander Popov <>
Cc: Jann Horn <>, Will Deacon <>, 
	Andrey Ryabinin <>, Alexander Potapenko <>, 
	Dmitry Vyukov <>, Christoph Lameter <>, Pekka Enberg <>, 
	David Rientjes <>, Joonsoo Kim <>, 
	Andrew Morton <>, Masahiro Yamada <>, 
	Masami Hiramatsu <>, Steven Rostedt <>, 
	Peter Zijlstra <>, Krzysztof Kozlowski <>, 
	Patrick Bellasi <>, David Howells <>, 
	Eric Biederman <>, Johannes Weiner <>, 
	Laura Abbott <>, Arnd Bergmann <>, 
	Greg Kroah-Hartman <>, kasan-dev <>, 
	Linux Memory Management List <>, 
	LKML <>
Subject: Re: [PATCH RFC 1/2] mm: Extract SLAB_QUARANTINE from KASAN

On Sat, Aug 15, 2020 at 6:52 PM Kees Cook <> wrote:
> On Thu, Aug 13, 2020 at 06:19:21PM +0300, Alexander Popov wrote:
> > Heap spraying is an exploitation technique that aims to put controlled
> > bytes at a predetermined memory location on the heap. Heap spraying for
> > exploiting use-after-free in the Linux kernel relies on the fact that on
> > kmalloc(), the slab allocator returns the address of the memory that was
> > recently freed. Allocating a kernel object with the same size and
> > controlled contents allows overwriting the vulnerable freed object.
> >
> > Let's extract slab freelist quarantine from KASAN functionality and
> > call it CONFIG_SLAB_QUARANTINE. This feature breaks the widespread heap
> > spraying technique used for exploiting use-after-free vulnerabilities
> > in the kernel code.
> >
> > If this feature is enabled, freed allocations are stored in the quarantine
> > and can't be instantly reallocated and overwritten by the exploit
> > performing heap spraying.
> In doing this extraction, I wonder if function naming should be changed?
> If it's going to live a new life outside of KASAN proper, maybe call
> these functions quarantine_cache_*()? But perhaps that's too much
> churn...

If quarantine is to be used without the rest of KASAN, I'd prefer for
it to be separated from KASAN completely: move to e.g. mm/quarantine.c
and don't mention KASAN in function/config names.
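To make the allocator behaviour the patch description relies on concrete, here is an added C model (not kernel code and not part of this thread) of a LIFO slab freelist with and without a FIFO quarantine; NOBJ and QUARANTINE_CAP are constructed sizes, not SLUB or KASAN values. It shows that with a quarantine an immediate same-size allocation does not get the freed object back, and that once the quarantine is full the oldest entry returns to the freelist, so the protection is a delay rather than a guarantee.

```c
#include <stdbool.h>

#define NOBJ 8            /* objects in the toy slab (constructed number) */
#define QUARANTINE_CAP 4  /* freed objects held before the oldest is really freed */

static int freelist[NOBJ], nfree;                   /* LIFO: last freed is next allocated */
static int quarantine[QUARANTINE_CAP], qhead, qlen; /* FIFO holding area for freed objects */
static bool quarantine_enabled;

static void slab_reset(bool with_quarantine)
{
	for (nfree = 0; nfree < NOBJ; nfree++)
		freelist[nfree] = NOBJ - 1 - nfree;
	qhead = qlen = 0;
	quarantine_enabled = with_quarantine;
}

static int slab_alloc(void) { return nfree ? freelist[--nfree] : -1; } /* -1: exhausted */
static void freelist_put(int obj) { freelist[nfree++] = obj; }         /* the real free */

static void slab_free(int obj)
{
	if (!quarantine_enabled) { freelist_put(obj); return; }
	if (qlen == QUARANTINE_CAP) {          /* full: oldest entry is really freed */
		freelist_put(quarantine[qhead]);
		qhead = (qhead + 1) % QUARANTINE_CAP; qlen--;
	}
	quarantine[(qhead + qlen++) % QUARANTINE_CAP] = obj;
}

/* 1 if an immediate same-size allocation hands back the object just freed. */
static int freed_object_reused_immediately(bool with_quarantine)
{
	slab_reset(with_quarantine);
	int victim = slab_alloc();
	slab_free(victim);
	return slab_alloc() == victim;
}

/* Quarantine on: further frees until the victim is next in line again (delay, not prevention). */
static int frees_until_victim_reusable(void)
{
	slab_reset(true);
	int victim = slab_alloc();
	slab_free(victim);
	for (int n = 1; n < NOBJ; n++) {
		slab_free(slab_alloc());
		if (nfree && freelist[nfree - 1] == victim)
			return n;
	}
	return -1;
}
```

The real KASAN quarantine is sized in bytes and flushed in batches rather than one object at a time, but the reuse-ordering effect it has on a use-after-free is the same as in this model.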
