On Sat, Aug 15, 2020 at 6:52 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > On Thu, Aug 13, 2020 at 06:19:21PM +0300, Alexander Popov wrote: > > Heap spraying is an exploitation technique that aims to put controlled > > bytes at a predetermined memory location on the heap. Heap spraying for > > exploiting use-after-free in the Linux kernel relies on the fact that on > > kmalloc(), the slab allocator returns the address of the memory that was > > recently freed. Allocating a kernel object with the same size and > > controlled contents allows overwriting the vulnerable freed object. > > > > Let's extract slab freelist quarantine from KASAN functionality and > > call it CONFIG_SLAB_QUARANTINE. This feature breaks widespread heap > > spraying technique used for exploiting use-after-free vulnerabilities > > in the kernel code. > > > > If this feature is enabled, freed allocations are stored in the quarantine > > and can't be instantly reallocated and overwritten by the exploit > > performing heap spraying. [...] > In doing this extraction, I wonder if function naming should be changed? > If it's going to live a new life outside of KASAN proper, maybe call > these functions quarantine_cache_*()? But perhaps that's too much > churn... If quarantine is to be used without the rest of KASAN, I'd prefer for it to be separated from KASAN completely: move to e.g. mm/quarantine.c and don't mention KASAN in function/config names.
