On 2023/06/23 4:10, Kees Cook wrote:
> On Thu, Jun 22, 2023 at 03:56:04PM +0200, Vlastimil Babka wrote:
>> On 6/16/23 13:18, GONG, Ruiqi wrote:
>>> index a3c95338cd3a..6150e9a946a7 100644
>>> --- a/mm/Kconfig
>>> +++ b/mm/Kconfig
>>> @@ -337,6 +337,55 @@ config SLUB_CPU_PARTIAL
>>> which requires the taking of locks that may cause latency spikes.
>>> Typically one would choose no for a realtime system.
>>>
>>> +config RANDOM_KMALLOC_CACHES
>>> + default n
>>> + depends on SLUB
>>> + bool "Random slab caches for normal kmalloc"
>>> + help
>>> + A hardening feature that creates multiple copies of slab caches for
>>> + normal kmalloc allocation and makes kmalloc randomly pick one based
>>> + on code address, which makes the attackers unable to spray vulnerable
>>> + memory objects on the heap for exploiting memory vulnerabilities.
>>> +
>>> +choice
>>> + prompt "Number of random slab caches copies"
>>> + depends on RANDOM_KMALLOC_CACHES
>>> + default RANDOM_KMALLOC_CACHES_16
>>> + help
>>> + The number of copies of random slab caches. Bigger value makes the
>>> + potentially vulnerable memory object less likely to collide with
>>> + objects allocated from other subsystems or modules.
>>
>> When I read this, without further knowledge, why would I select anything
>> else than the largest value? It should mention memory overhead maybe?
>
> Yeah, good idea.
>

No problem. Will add some text about memory overhead into the help paragraph
of RANDOM_KMALLOC_CACHES.

>> Also would anyone really select only "2" and thus limit the collision
>> probability to 50% and not less? "4" also seems quite low for the given
>> purpose? Could we just pick and hardcode 8 or 16 and avoid the selection, at
>> least until there's some more experience with the whole approach?
>
> I assume it was for doing performance (speed or space) analysis for
> people interested in tuning it. The default is 16, which is what most
> folks will end up with. i.e. I'm not sure I see a benefit to dropping 2
> and 4, since I imagine people will either want the highest value (16),
> or the ability to do a full comparison of each setting.
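Review bot: the RANDOM_KMALLOC_CACHES help text overstates the guarantee: with N cache copies chosen by code address, an unrelated kmalloc call site still lands in the same cache as the vulnerable one with probability 1/N (the thread itself notes 50% for the "2" option), so "makes the attackers unable to spray vulnerable memory objects" should read as a probabilistic mitigation, e.g. "makes it much less likely that an attacker can spray objects into the same cache as a vulnerable object". Both help paragraphs should also state the cost of the option, namely that every normal kmalloc size class is replicated N times, with the corresponding memory and fragmentation overhead, since without that a reader has no reason to pick anything but the largest count. Minor style point: "default n" in the bool entry is redundant, as Kconfig bools already default to n.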
>
> Regardless, I would be fine if we dropped 2 and 4, since I am focused on
> the maximum number (16) of hash buckets. :)
>

It's true that 2 and 4 don't make much sense from the hardening perspective,
and I added them only to cover all possible choices. And since the overhead
difference between 8 and 16 is small, I will hardcode 16 and drop all other
options in the next version.

> -Kees
>
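The following is an added user-space model of the mechanism being discussed, not code from the patch or the kernel. It shows why the number of cache copies sets the collision probability Vlastimil and Kees are weighing: each kmalloc call site is mapped to one of N replica caches by hashing its code address with a per-boot seed, and the fraction of unrelated call sites that share the vulnerable site's cache falls to roughly 1/N. The hash function (a splitmix64-style mixer), the fixed seed value, the synthetic call-site addresses and the function names are all assumptions made for this example; the patch only says the pick is "based on code address".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Number of synthetic kmalloc call sites in the constructed population. */
#define NSITES 4096

/* Per-boot seed. Assumption: a real kernel would draw this from the RNG
 * at init so the site-to-cache mapping differs on every boot. */
static const uint64_t kmalloc_seed = 0x9e3779b97f4a7c15ULL;

/* splitmix64 finalizer, used here as a generic 64-bit mixer. Assumption:
 * this is not the kernel's hash; it only stands in for "hash the caller's
 * code address" as the patch describes. */
static uint64_t mix64(uint64_t x)
{
	x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
	x ^= x >> 27; x *= 0x94d049bb133111ebULL;
	x ^= x >> 31;
	return x;
}

/* Which of `copies` replica caches a kmalloc issued from code address
 * `caller` is served from. Deterministic for one seed, so a given call
 * site always uses the same copy, while unrelated sites are spread over
 * all copies. */
unsigned cache_index(uint64_t caller, unsigned copies)
{
	return (unsigned)(mix64(caller ^ kmalloc_seed) % copies);
}

/* Fraction of the call sites in `sites` that share a cache with `target`:
 * the share of kmalloc users an attacker can still use to spray objects
 * next to the one allocated at `target`. */
double collision_fraction(uint64_t target, const uint64_t *sites,
			  size_t nsites, unsigned copies)
{
	unsigned t = cache_index(target, copies);
	size_t hits = 0;

	for (size_t i = 0; i < nsites; i++)
		if (cache_index(sites[i], copies) == t)
			hits++;
	return (double)hits / (double)nsites;
}

/* Constructed data: NSITES synthetic kernel text addresses, 64 bytes
 * apart, standing in for distinct kmalloc call sites across subsystems. */
static void make_sites(uint64_t *sites, size_t n)
{
	uint64_t base = 0xffffffff81000000ULL;

	for (size_t i = 0; i < n; i++)
		sites[i] = base + (uint64_t)i * 0x40;
}

/* Collision fraction for one constructed "vulnerable" call site against
 * the synthetic population, for the given number of cache copies. */
double demo_fraction(unsigned copies)
{
	static uint64_t sites[NSITES];
	uint64_t vulnerable = 0xffffffff82345678ULL; /* constructed address */

	make_sites(sites, NSITES);
	return collision_fraction(vulnerable, sites, NSITES, copies);
}

int main(void)
{
	unsigned copies[] = { 1, 2, 4, 8, 16 };

	for (size_t i = 0; i < sizeof(copies) / sizeof(copies[0]); i++)
		printf("%2u copies: %.3f of call sites share the vulnerable cache\n",
		       copies[i], demo_fraction(copies[i]));
	return 0;
}
```

With one copy every call site shares the cache (the status quo); with 2 copies about half still do, which is the 50% figure raised in the thread, and with 16 copies only about one site in sixteen can be used to spray into the vulnerable cache. The cost not visible here is that each of the N copies is a full set of kmalloc size-class caches, which is the memory overhead the help text is asked to mention.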