Google Proposes "Page Table Check" For Fighting Some Types Of Linux Memory Corruption
Last week Google engineers uncovered a reference count underflow issue affecting all Linux kernels going back to v4.14 in 2017. This issue led to memory leaking from one process to another and was only uncovered by accident. To address this class of memory corruption issues, Google is now proposing a new "Page Table Check" kernel feature.
The fix for that broken page reference counting, which led to memory leaking on v4.14+, was merged for Linux 5.16 and is now working its way back to the prior stable series that are still maintained. Other reference counting problems have also been fixed recently by multiple parties. The hope is that the Page Table Check kernel feature will be able to prevent this class of memory corruption issues moving forward -- it amounts to checking, at the time page table entries are inserted, that there is no illegal sharing.
Page Table Check verifies, when pages are inserted into or removed from page tables, that no illegal sharing stemming from double mapping has occurred. If corruption is detected, the kernel will crash. This extra checking also carries a performance cost as well as extra memory overhead.
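As an added illustration (not kernel code), the following user-space model shows the kind of per-frame bookkeeping described above: each PTE insertion or removal updates shadow counters and the check fails, where the kernel would crash, on double mapping or on an underflow. The rule enforced here (an anonymous page may not also be file-mapped, and is mapped writable by at most one PTE) mirrors the real feature's check in simplified form; the frame table, the anon/file kind flag and the ptc_* names are constructed for this example.

```c
/* Added example: a user-space model of Page Table Check bookkeeping, not
 * kernel code. Frame numbers, the anon/file kind and counts are constructed. */
#include <stdbool.h>

#define NFRAMES 8
enum map_kind { MAP_FILE, MAP_ANON };

/* Shadow state kept per physical frame and updated as PTEs come and go. */
struct frame_check { int anon_map_count; int file_map_count; };
static struct frame_check frames[NFRAMES];

void ptc_reset(void)
{
    for (unsigned i = 0; i < NFRAMES; i++)
        frames[i] = (struct frame_check){ 0, 0 };
}

/* Insertion-time check. Rule mirrored from the real feature: a frame is
 * either anon- or file-mapped, never both, and an anon frame is mapped
 * writable by at most one PTE. Returns false where the kernel would crash. */
bool ptc_set_pte(unsigned frame, enum map_kind kind, bool writable)
{
    struct frame_check *f;
    if (frame >= NFRAMES) return false;
    f = &frames[frame];
    if (kind == MAP_ANON) {
        if (f->file_map_count > 0) return false;  /* anon page also file-mapped */
        if (writable && f->anon_map_count > 0) return false; /* writable double mapping */
        f->anon_map_count++;
    } else {
        if (f->anon_map_count > 0) return false;  /* file page also anon-mapped */
        f->file_map_count++;
    }
    return true;
}

/* Removal-time check: dropping a count below zero is the same kind of
 * underflow the article describes, so it is treated as corruption too. */
bool ptc_clear_pte(unsigned frame, enum map_kind kind)
{
    int *cnt;
    if (frame >= NFRAMES) return false;
    cnt = kind == MAP_ANON ? &frames[frame].anon_map_count
                           : &frames[frame].file_map_count;
    if (*cnt <= 0) return false;  /* underflow: corruption detected */
    (*cnt)--;
    return true;
}
```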
Due to the performance/memory costs, the proposed Page Table Check would be off by default. Activating it requires building the kernel with the PAGE_TABLE_CHECK build option enabled and booting with the page_table_check=on parameter to turn it on at run-time.
More details on this work, which is currently out for review as a "request for comments", can be found on the kernel mailing list.
In a separate patch series sent out on Tuesday, the same Google engineers also posted a set of patches hardening the page _refcount, with the hope of improving debugging around the reference counting code and reducing problems around it such as this memory corruption.