Re: [PATCH 2/2] net: skb: isolate skb data area allocations into a separate bucket

Next message: Armin Wolf: "[PATCH v4 4/9] platform/x86: dell-wmi-base: Use new buffer-based WMI API"
Previous message: Kees Cook: "Re: [PATCH 1/2] mm/slab: add a node-track-caller variant for kmem buckets allocation"
In reply to: Jakub Kicinski: "Re: [PATCH 2/2] net: skb: isolate skb data area allocations into a separate bucket"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Kees Cook

Date: Fri Jun 05 2026 - 14:16:35 EST

On Tue, Jun 02, 2026 at 07:31:22PM +0100, Pedro Falcato wrote:
> SKB data area allocations (as done from alloc_skb()) use kmalloc().
> These allocations can be variably sized and their contents can be more
> or less controlled from userspace, which makes them useful for attackers
> that want to overwrite a use-after-free'd object from the same kmalloc slab
> (which often just requires the sizes to roughly match into the same kmalloc
> bucket). [0] is an easy example of an exploit that uses netlink skb
> allocation to target another similarly-sized accidentally freed object.
>
> While other mitigations like CONFIG_RANDOM_KMALLOC_CACHES exist, these are
> probabilistic. Use the existing kmem buckets API to further isolate these
> allocations in a guaranteed fashion, when CONFIG_SLAB_BUCKETS=y.
>
> Link: https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4207_lts_cos_mitigation_2/docs/exploit.md [0]
> Signed-off-by: Pedro Falcato <pfalcato@xxxxxxx>

Great! This is exactly what the bucket API was made for. :)

Reviewed-by: Kees Cook <kees@xxxxxxxxxx>

--
Kees Cook