New attack against the SLUB allocator

Researchers from Graz University of Technology havepublished details of a new attackon the Linux kernel called SLUBStick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.

We assume that an unprivileged user has code execution. Additionally, we consider the presence of a heap vulnerabilityin the Linux kernel. We assume that the Linux kernel incorporates all defense mechanisms available in version 6.4, themost recent Linux kernel version when we started our work.These mechanisms include features such as WX, KASLR,SMAP, and kCFI. We do not assume any microarchitectural vulnerabilities, e.g., transient execution, faultinjection, or hardware side channels.