linux-mm.kvack.org archive mirror
From: GONG Ruiqi <gongruiqi1@huawei.com>
To: Marco Elver <elver@google.com>
Cc: <linux-kernel@vger.kernel.org>, <kasan-dev@googlegroups.com>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	"Liam R. Howlett" <Liam.Howlett@oracle.com>,
	Alexander Potapenko <glider@google.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Andrey Konovalov <andreyknvl@gmail.com>,
	David Hildenbrand <david@redhat.com>,
	David Rientjes <rientjes@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Florent Revest <revest@google.com>,
	Harry Yoo <harry.yoo@oracle.com>, Jann Horn <jannh@google.com>,
	Kees Cook <kees@kernel.org>,
	Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
	Matteo Rizzo <matteorizzo@google.com>,
	Michal Hocko <mhocko@suse.com>, Mike Rapoport <rppt@kernel.org>,
	Nathan Chancellor <nathan@kernel.org>,
	Roman Gushchin <roman.gushchin@linux.dev>,
	Suren Baghdasaryan <surenb@google.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	<linux-hardening@vger.kernel.org>, <linux-mm@kvack.org>
Subject: Re: [PATCH RFC] slab: support for compiler-assisted type-based slab cache partitioning
Date: Tue, 26 Aug 2025 12:59:17 +0800
Message-ID: <97dca868-dc8a-422a-aa47-ce2bb739e640@huawei.com>
In-Reply-To: <20250825154505.1558444-1-elver@google.com>


On 8/25/2025 11:44 PM, Marco Elver wrote:
> ...
> 
> Introduce a new mode, TYPED_KMALLOC_CACHES, which leverages Clang's
> "allocation tokens" via __builtin_alloc_token_infer [1].
> 
> This mechanism allows the compiler to pass a token ID derived from the
> allocation's type to the allocator. The compiler performs best-effort
> type inference, and recognizes idioms such as kmalloc(sizeof(T), ...).
> Unlike RANDOM_KMALLOC_CACHES, this mode deterministically assigns a slab
> cache to an allocation of type T, regardless of allocation site.
> 
> Clang's default token ID calculation is described as [1]:
> 
>    TypeHashPointerSplit: This mode assigns a token ID based on the hash
>    of the allocated type's name, where the top half ID-space is reserved
>    for types that contain pointers and the bottom half for types that do
>    not contain pointers.
> 

Is a type's token id always the same across different builds? Or somehow
predictable? If so, the attacker could probably find out all types that
end up with the same id, and use some of them to exploit the buggy one.

-Ruiqi
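
[Editor's note, added to this archive page; the code below is an illustrative model and is not Clang's implementation, the kernel patch, or code posted by anyone in this thread.]

The quoted patch text describes the token scheme in two sentences: the compiler hashes the allocated type's name into a token ID, and the top half of the ID space is reserved for types that contain pointers. The following C model makes that concrete and also shows the property Ruiqi's question turns on: because the token is a pure function of the type, the set of types that land in the same cache is fixed for a given build and can be enumerated. Everything not stated in the quoted text is an assumption here: FNV-1a stands in for whatever hash Clang really uses, NR_TYPED_CACHES = 16 is a made-up cache count, and the token-to-cache mapping is a modeling choice, as is the sample list of type names.

```c
/*
 * Illustrative model of type-hash allocation tokens with a pointer split.
 * NOT Clang's __builtin_alloc_token_infer and NOT the kernel's
 * TYPED_KMALLOC_CACHES code. Assumptions: FNV-1a stands in for the real
 * hash; NR_TYPED_CACHES and the token-to-cache mapping are invented.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_TYPED_CACHES 16u		/* assumed number of typed caches */
#define POINTER_BIT (1ULL << 63)	/* top half of 64-bit ID space */

/* FNV-1a 64-bit hash of a NUL-terminated type name (stand-in hash). */
static uint64_t fnv1a64(const char *s)
{
	uint64_t h = 0xcbf29ce484222325ULL;

	for (; *s; s++) {
		h ^= (unsigned char)*s;
		h *= 0x100000001b3ULL;
	}
	return h;
}

/*
 * TypeHashPointerSplit model: hash the type name, then force the result
 * into the upper half of the ID space if the type contains pointers and
 * into the lower half otherwise. Deterministic for a given name.
 */
uint64_t alloc_token_infer(const char *type_name, bool contains_pointers)
{
	uint64_t token = fnv1a64(type_name) & ~POINTER_BIT;

	if (contains_pointers)
		token |= POINTER_BIT;
	return token;
}

bool token_has_pointers(uint64_t token)
{
	return (token & POINTER_BIT) != 0;
}

/*
 * Map a token to one of NR_TYPED_CACHES caches while preserving the
 * split: pointer-carrying types use the upper half of the indices,
 * pointer-free types the lower half. (Modeling choice, not the patch's.)
 */
unsigned int token_to_cache_index(uint64_t token)
{
	unsigned int half = NR_TYPED_CACHES / 2;
	unsigned int base = token_has_pointers(token) ? half : 0;

	return base + (unsigned int)((token & ~POINTER_BIT) % half);
}

/* Do two types end up in the same cache? */
bool types_share_cache(const char *a, bool a_ptr, const char *b, bool b_ptr)
{
	return token_to_cache_index(alloc_token_infer(a, a_ptr)) ==
	       token_to_cache_index(alloc_token_infer(b, b_ptr));
}

/*
 * Count the types in names[] that share a cache with target. With a
 * deterministic token this set is fixed per build, which is the
 * enumeration the reply above asks about.
 */
unsigned int count_cache_neighbours(const char *target, bool target_ptr,
				    const char *const names[],
				    const bool ptrs[], size_t n)
{
	unsigned int idx = token_to_cache_index(alloc_token_infer(target, target_ptr));
	unsigned int count = 0;

	for (size_t i = 0; i < n; i++) {
		if (strcmp(names[i], target) == 0)
			continue;
		if (token_to_cache_index(alloc_token_infer(names[i], ptrs[i])) == idx)
			count++;
	}
	return count;
}

int main(void)
{
	/* Constructed sample type list; not taken from a real kernel build. */
	static const char *const names[] = {
		"struct file", "struct cred", "struct msg_msg",
		"struct timespec64", "unsigned long", "struct seq_operations",
	};
	static const bool ptrs[] = { true, true, true, false, false, true };
	size_t n = sizeof(names) / sizeof(names[0]);

	for (size_t i = 0; i < n; i++) {
		uint64_t tok = alloc_token_infer(names[i], ptrs[i]);

		printf("%-24s token=0x%016llx cache=%u\n", names[i],
		       (unsigned long long)tok, token_to_cache_index(tok));
	}
	printf("types sharing a cache with 'struct msg_msg': %u\n",
	       count_cache_neighbours("struct msg_msg", true, names, ptrs, n));
	return 0;
}
```

Running it prints one token and cache index per sample type and then the neighbour count for one of them; changing a type name changes its token, while recompiling does not, which is the determinism the question is about. A pointer-free type can never share a cache index with a pointer-carrying one in this model, but two pointer-carrying types can, and which ones do is a fixed function of the hash.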



Thread overview: 10+ messages
2025-08-25 15:44 Marco Elver
2025-08-25 16:48 ` Harry Yoo
2025-08-26 10:45   ` Marco Elver
2025-08-26 11:14   ` Matteo Rizzo
2025-08-25 20:17 ` Kees Cook
2025-08-26 10:50   ` Marco Elver
2025-08-26  4:59 ` GONG Ruiqi [this message]
2025-08-26 11:01   ` Marco Elver
2025-08-26 11:31     ` Florent Revest
2025-08-27  8:34     ` GONG Ruiqi
