From: Alexander Popov <alex.popov@linux.com>
To: "kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
linux-hardening@vger.kernel.org,
kasan-dev <kasan-dev@googlegroups.com>,
Kees Cook <keescook@chromium.org>, Kees Cook <kees@kernel.org>,
Jann Horn <jannh@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Marco Elver <elver@google.com>,
Matteo Rizzo <matteorizzo@google.com>,
Florent Revest <revest@google.com>,
GONG Ruiqi <gongruiqi1@huawei.com>,
Harry Yoo <harry.yoo@oracle.com>,
Peter Zijlstra <peterz@infradead.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Slab allocator hardening and cross-cache attacks
Date: Fri, 5 Sep 2025 23:11:10 +0300 [thread overview]
Message-ID: <01d9ec74-27bb-4e41-9676-12ce028c503f@linux.com> (raw)
Hello!
I published the article "Kernel-hack-drill and a new approach to exploiting
CVE-2024-50264 in the Linux kernel":
https://a13xp0p0v.github.io/2025/09/02/kernel-hack-drill-and-CVE-2024-50264.html
It's about exploiting CVE-2024-50264, a race condition in AF_VSOCK sockets that
happens between the connect() system call and a POSIX signal, resulting in a
use-after-free (UAF).
I chose Ubuntu Server 24.04 with OEM/HWE kernel as the target for my
experiments. This kernel ships with kconfig options that neutralize naive heap
spraying for UAF exploitation:
- CONFIG_SLAB_BUCKETS=y, which creates a set of separate slab caches for
allocations with user-controlled data;
- CONFIG_RANDOM_KMALLOC_CACHES=y, which creates multiple copies of slab caches
for normal kmalloc allocation and makes kmalloc randomly pick one based on code
address.
I used my pet project kernel-hack-drill to learn how cross-cache attacks behave
on the kernel with slab allocator hardening turned on. Kernel-hack-drill is an
open-source project (published under GPL-3.0) that provides a testing
environment for learning and experimenting with Linux kernel vulnerabilities,
exploit primitives, and kernel hardening features:
https://github.com/a13xp0p0v/kernel-hack-drill
In kernel-hack-drill, I developed several prototypes that implement cross-cache
and cross-allocator attacks. The article thoroughly describes the procedure I
used to debug them.
After experimenting with kernel-hack-drill on Ubuntu Server 24.04, I found that
CONFIG_RANDOM_KMALLOC_CACHES and CONFIG_SLAB_BUCKETS block naive UAF
exploitation, yet they also make my cross-cache attacks completely stable. It
looks like these allocator features give an attacker better control over the
slab with vulnerable objects and reduce the noise from other objects. Would you
agree?
It seems that, without a mitigation such as SLAB_VIRTUAL, the Linux kernel
remains wide-open to cross-cache attacks.
Best regards,
Alexander
next reply other threads:[~2025-09-05 20:11 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-05 20:11 Alexander Popov [this message]
2025-09-05 21:18 ` Slab allocator hardening and cross-cache attacks Andrey Konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=01d9ec74-27bb-4e41-9676-12ce028c503f@linux.com \
--to=alex.popov@linux.com \
--cc=andreyknvl@gmail.com \
--cc=elver@google.com \
--cc=gongruiqi1@huawei.com \
--cc=harry.yoo@oracle.com \
--cc=jannh@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=kees@kernel.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=matteorizzo@google.com \
--cc=peterz@infradead.org \
--cc=revest@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.