Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 Aug 2020 00:03:57 +0300
From: Alexander Popov <>
To: Pavel Machek <>, Matthew Wilcox <>
Cc: Kees Cook <>, Jann Horn <>,
 Will Deacon <>, Andrey Ryabinin <>,
 Alexander Potapenko <>, Dmitry Vyukov <>,
 Christoph Lameter <>, Pekka Enberg <>,
 David Rientjes <>, Joonsoo Kim <>,
 Andrew Morton <>,
 Masahiro Yamada <>,
 Masami Hiramatsu <>, Steven Rostedt
 <>, Peter Zijlstra <>,
 Krzysztof Kozlowski <>,
 Patrick Bellasi <>,
 David Howells <>, Eric Biederman <>,
 Johannes Weiner <>, Laura Abbott <>,
 Arnd Bergmann <>,
 Greg Kroah-Hartman <>,,,,,,
 Andrey Konovalov <>
Subject: Re: [PATCH RFC 1/2] mm: Extract SLAB_QUARANTINE from KASAN

On 16.08.2020 22:59, Pavel Machek wrote:
> On Sat 2020-08-15 19:54:55, Matthew Wilcox wrote:
>> On Thu, Aug 13, 2020 at 06:19:21PM +0300, Alexander Popov wrote:
>>> +	bool "Enable slab freelist quarantine"
>>> +	depends on !KASAN && (SLAB || SLUB)
>>> +	help
>>> +	  Enable slab freelist quarantine to break heap spraying technique
>>> +	  used for exploiting use-after-free vulnerabilities in the kernel
>>> +	  code. If this feature is enabled, freed allocations are stored
>>> +	  in the quarantine and can't be instantly reallocated and
>>> +	  overwritten by the exploit performing heap spraying.
>>> +	  This feature is a part of KASAN functionality.
>> After this patch, it isn't part of KASAN any more ;-)
>> The way this is written is a bit too low level.  Let's write it in terms
>> that people who don't know the guts of the slab allocator or security
>> terminology can understand:
>> 	  Delay reuse of freed slab objects.  This makes some security
>> 	  exploits harder to execute.  It reduces performance slightly
>> 	  as objects will be cache cold by the time they are reallocated,
>> 	  and it costs a small amount of memory.
> Written this way, it invites questions:
> Does it introduce any new deadlocks in near out-of-memory situations?

Linux kernel with enabled KASAN is heavily tested by syzbot.
I think Dmitry and Andrey can give good answers to your question.

Some time ago I was doing Linux kernel fuzzing with syzkaller on low memory
virtual machines (with KASAN and LOCKUP_DETECTOR enabled). I gave less than 1G
to each debian stretch VM. I didn't get any special deadlock caused by OOM.

Best regards,

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.