[PATCH net-next v2 2/2] net: skb: isolate skb data area allocations into a separate bucket

Thu, 11 Jun 2026 05:51:57 -0700 

SKB data area allocations (as done from alloc_skb()) use kmalloc().
These allocations can be variably sized and their contents can be more
or less controlled from userspace, which makes them useful for attackers
that want to overwrite a use-after-free'd object from the same kmalloc slab
(which often just requires the sizes to roughly match into the same kmalloc
bucket). [0] is an easy example of an exploit that uses netlink skb
allocation to target another similarly-sized accidentally freed object.

While other mitigations like CONFIG_RANDOM_KMALLOC_CACHES exist, these are
probabilistic. Use the existing kmem buckets API to further isolate these
allocations in a guaranteed fashion, when CONFIG_SLAB_BUCKETS=y.

Link: 
https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4207_lts_cos_mitigation_2/docs/exploit.md
 [0]
Reviewed-by: Kees Cook <[email protected]>
Acked-by: Jakub Kicinski <[email protected]>
Signed-off-by: Pedro Falcato <[email protected]>
---
 net/core/skbuff.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 44a7f8401468..ac9fed7461ba 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -584,6 +584,8 @@ struct sk_buff *napi_build_skb(void *data, unsigned int 
frag_size)
 }
 EXPORT_SYMBOL(napi_build_skb);
 
+static kmem_buckets *skb_data_buckets __ro_after_init;
+
 static void *kmalloc_pfmemalloc(size_t obj_size, gfp_t flags, int node)
 {
        if (!gfp_pfmemalloc_allowed(flags))
@@ -591,7 +593,8 @@ static void *kmalloc_pfmemalloc(size_t obj_size, gfp_t 
flags, int node)
        if (!obj_size)
                return kmem_cache_alloc_node(net_hotdata.skb_small_head_cache,
                                             flags, node);
-       return kmalloc_node_track_caller(obj_size, flags, node);
+       return kmem_buckets_alloc_node_track_caller(skb_data_buckets, obj_size,
+                                                   flags, node);
 }
 
 /*
@@ -632,7 +635,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t 
flags, int node,
         * Try a regular allocation, when that fails and we're not entitled
         * to the reserves, fail.
         */
-       obj = kmalloc_node_track_caller(obj_size,
+       obj = kmem_buckets_alloc_node_track_caller(skb_data_buckets, obj_size,
                                        flags | __GFP_NOMEMALLOC | __GFP_NOWARN,
                                        node);
        if (likely(obj))
@@ -5213,6 +5216,7 @@ void __init skb_init(void)
                                                0,
                                                SKB_SMALL_HEAD_HEADROOM,
                                                NULL);
+       skb_data_buckets = kmem_buckets_create("skb_data", SLAB_PANIC, 0, 
INT_MAX, NULL);
        skb_extensions_init();
 }
 
-- 
2.54.0

Reply via email to