Linux 6.6 Adding Randomized Kmalloc Caches For Further System Hardening

Written by Michael Larabel in Linux Security on 29 August 2023 at 11:28 AM EDT.
To help harden the Linux kernel against memory vulnerabilities, and heap spraying in particular, optional support for randomized slab caches for kmalloc() calls is set to be merged into the Linux 6.6 kernel.

This new opt-in security feature makes heap spraying harder to carry out. When enabled, there are sixteen copies of the kmalloc caches, which reduces the chance that an attacker-controllable allocation site lands in the same slab as the vulnerable object another bug is being used to exploit.

The earlier patch by Huawei engineers on the kernel mailing list explains more of the feature:
"When exploiting memory vulnerabilities, "heap spraying" is a common technique targeting those related to dynamic memory allocation (i.e. the "heap"), and it plays an important role in a successful exploitation. Basically, it is to overwrite the memory area of the vulnerable object by triggering allocation in other subsystems or modules and therefore getting a reference to the targeted memory location. It's usable on various types of vulnerability including use after free (UAF), heap out-of-bound write, etc.

There are (at least) two reasons why the heap can be sprayed: 1) generic slab caches are shared among different subsystems and modules, and 2) dedicated slab caches could be merged with the generic ones. Currently these two factors cannot be prevented at a low cost: the first one is a widely used memory allocation mechanism, and shutting down slab merging completely via `slub_nomerge` would be overkill.

To efficiently prevent heap spraying, we propose the following approach: to create multiple copies of generic slab caches that will never be merged, and a random one of them will be used at allocation. The random selection is based on the address of code that calls `kmalloc()`, which means it is static at runtime (rather than dynamically determined at each time of allocation, which could be bypassed by repeatedly spraying in brute force). In this way, the vulnerable object and memory allocated in other subsystems and modules will (most probably) be on different slab caches, which prevents the object from being sprayed."
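To make the selection rule in the quoted description concrete, here is a small user-space model of it. This is an added example, not code from the kernel patch or from Phoronix: it assumes the upstream scheme of XORing the caller's return address with a random value drawn once per boot and feeding that through the kernel's golden-ratio multiplicative hash (hash_64) to pick one of the 16 copies; the call-site addresses and boot seeds below are constructed values, not real kernel symbols.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of the RANDOM_KMALLOC_CACHES selection.
 * Assumptions (not from the article): the kernel's 64-bit golden-ratio hash
 * multiplier, a per-boot random seed, and the default of 16 cache copies. */

#define KMALLOC_COPIES    16u                    /* default copy count from the article */
#define CACHE_INDEX_BITS  4u                     /* log2(KMALLOC_COPIES) */
#define GOLDEN_RATIO_64   0x61C8864680B583EBULL  /* multiplier used by Linux hash_64() */

/* Top `bits` bits of a multiplicative hash, same shape as the kernel's hash_64(). */
static uint64_t hash_64(uint64_t val, unsigned bits)
{
    return (val * GOLDEN_RATIO_64) >> (64 - bits);
}

/* Which of the 16 copies a kmalloc() call site is routed to.
 * `caller` models the return address of the allocation site and `seed` the
 * value drawn once at boot. The result is fixed for the whole boot, so an
 * attacker cannot re-roll it by simply allocating again and again. */
unsigned pick_cache(uint64_t caller, uint64_t seed)
{
    return (unsigned)hash_64(caller ^ seed, CACHE_INDEX_BITS);
}

/* True when two call sites draw from the same copy under this boot's seed;
 * for unrelated sites this happens with probability about 1/16. */
bool same_cache(uint64_t site_a, uint64_t site_b, uint64_t seed)
{
    return pick_cache(site_a, seed) == pick_cache(site_b, seed);
}

/* How many distinct copies a run of `n_sites` call sites, `stride` bytes
 * apart, end up using: a sanity check that the hash spreads sites out. */
unsigned caches_used(uint64_t first_site, size_t n_sites, size_t stride, uint64_t seed)
{
    bool used[KMALLOC_COPIES] = { false };
    unsigned distinct = 0;

    for (size_t i = 0; i < n_sites; i++) {
        unsigned idx = pick_cache(first_site + i * stride, seed);
        if (!used[idx]) {
            used[idx] = true;
            distinct++;
        }
    }
    return distinct;
}

int main(void)
{
    /* Constructed addresses and seeds, chosen only to look like kernel text addresses. */
    const uint64_t victim_site  = 0xffffffff81234560ULL;  /* site that allocates the vulnerable object */
    const uint64_t sprayer_site = 0xffffffff815a0f10ULL;  /* kmalloc() in some unrelated subsystem */
    const uint64_t boots[2]     = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

    for (int b = 0; b < 2; b++) {
        printf("boot %d: victim -> cache %u, sprayer -> cache %u (%s)\n", b,
               pick_cache(victim_site, boots[b]), pick_cache(sprayer_site, boots[b]),
               same_cache(victim_site, sprayer_site, boots[b]) ? "shared" : "separate");
    }
    printf("4096 consecutive call sites spread over %u of %u copies\n",
           caches_used(0xffffffff81000000ULL, 4096, 16, boots[0]), KMALLOC_COPIES);
    return 0;
}
```

Running it shows the two properties the patch description relies on: a given call site maps to the same copy for the whole boot (so repeated allocation from one site never changes the answer), while the mapping differs from boot to boot and spreads distinct sites across all 16 copies, leaving an unrelated spray site roughly a 1-in-16 chance of sharing a cache with the vulnerable object.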

Enabling this randomized slab cache functionality can have a minor impact on system performance, along with a slight memory cost from the additional caches.

RANDOM_KMALLOC_CACHES

The feature is enabled at compile time via the RANDOM_KMALLOC_CACHES Kconfig option, which also allows adjusting the number of slab cache copies if a value other than the default of 16 caches is wanted.

This feature was sent in today as part of the slab updates for Linux 6.6.