Re: [PATCH v4 2/6] mm/slab: Plumb kmem_buckets into __do_kmalloc_node()

On 6/4/24 12:44 AM, Kees Cook wrote:
> On Mon, Jun 03, 2024 at 07:06:15PM +0200, Vlastimil Babka wrote:
>> On 5/31/24 9:14 PM, Kees Cook wrote:
>> > Introduce CONFIG_SLAB_BUCKETS which provides the infrastructure to
>> > support separated kmalloc buckets (in the follow kmem_buckets_create()
>> > patches and future codetag-based separation). Since this will provide
>> > a mitigation for a very common case of exploits, enable it by default.
>> 
>> Are you sure? I thought there was a policy that nobody is special enough
>> to have stuff enabled by default. Is it worth risking Linus shouting? :)
> 
> I think it's important to have this enabled given how common the
> exploitation methodology is and how cheap this solution is. Regardless,
> if you want it "default n", I can change it.

Yeah, I'd just recommend it in the help, noting it has a bit of memory
overhead. Defaults are not that important anyway IMHO, either it's distro
doing the config, and individually security conscious people should know
what they are doing.

> 
> This looks really nice, thank you! This is well aligned with the codetag
> followup, which also needs to have "size" be very easy to find (so the
> macros can check for compile-time-constant or not).
> 
> I will go work from your branch...

Great!

> Thanks!
> 
> -Kees
> 




