Memory Tagging Extension (MTE): Overview, Principles, and Usage in Android and Linux Kernel

MTE (Memory Tagging Extension) is a feature introduced in the ARM V8.5 architecture. It tags allocated memory with a tag (key) and stores a corresponding lock value in shadow memory. When a memory access occurs, the tag of the pointer is compared with the lock; a mismatch triggers an error.

Memory‑related bugs, especially in Android native code, account for over 50% of security vulnerabilities. To detect and prevent such bugs, Android adopts several memory‑checking tools: ASan/HWASan, KASAN, GWP‑ASan, KFENCE, and MTE. MTE support started with Android 12.

Compared with HWASan, MTE provides hardware‑assisted tag generation and checking. HWASan inserts detection code at compile time and stores tags in software‑generated shadow memory. MTE generates tags via dedicated instructions and stores lock values in a special region of physical memory, eliminating the need for software‑managed shadow memory.

MTE offers two detection modes:

1. Synchronous mode (Sync) – On each memory access (ldr/str), the hardware checks the tag immediately. A mismatch raises a SIGSEGV with code SEGV_MTESERR, terminating the process instantly. The kernel also records a stack trace, allowing classification of bugs such as use‑after‑free or buffer‑overflow.

2. Asynchronous mode (Async) – Tag mismatches are recorded in the TFSR_EL1 register. The actual SIGSEGV (code SEGV_MTEAERR) is delivered at the next user/kernel context switch, making this mode lighter weight.

Enabling MTE on Android S involves several steps:

Enable MTE for all native code via environment variables.

Add the required paths in BoardConfig.mk (e.g., PRODUCT_MEMTAG_HEAP_SYNC_INCLUDE_PATHS and PRODUCT_MEMTAG_HEAP_ASYNC_INCLUDE_PATHS ).

Configure the Android.bp setting to turn on MTE.

Control per‑process behavior with the sysctl arm64.memtag.process.<process_name>=off|async|sync (e.g., arm64.memtag.process.system_server ).

Use the NDK API mallopt(NONE|TBI|ASYNC|SYNC) to enable MTE at runtime.

Ensure the init rc file enables MTE (replace # export MEMTAG_OPTIONS off with sync or async ).

Kernel‑side support requires configuring the kernel:

CONFIG_ARM64_MTE – enables MTE in userspace.

CONFIG_KASAN and CONFIG_KASAN_HW_TAGS – enable MTE usage in the kernel.

The kernel stores tags in a dedicated tagging memory region; tag size is 4 bits, covering 16 bytes. Valid tag values for unallocated or freed memory are 0xF0‑0xFD, 0xFE.

Example detection cases in userspace:

Underflow:

std::unique_ptr<int[]> p = std::make_unique<int[]>(4);
volatile int oob = p[-1];
(void)oob;

Overflow:

std::unique_ptr<int[]> p = std::make_unique<int[]>(4);
volatile int oob = p[5];
(void)oob;

Use‑after‑free:

int *p = new int[16];
delete[] p;
p[3] = 9;

Kernel hwkasan example (kmalloc overflow):

ptr = kmalloc(234, GFP_KERNEL);
ptr[256] = 0;

The kernel logs show the pointer tag (e.g., fd ) and the memory tag (e.g., f4 ), indicating a tag mismatch and thus a memory‑access violation.

Limitations: MTE cannot detect overflows smaller than 16 bytes or accesses that are 16‑byte aligned, because the tag granularity is 16 bytes. Approximately 1/16 of allocations may have identical tags, reducing detection probability unless adjacent allocations have distinct tags.

Overall, MTE provides low‑overhead, hardware‑based memory safety for Android and Linux, complementing existing tools like ASan and KASAN. As platform support expands, traditional allocators are expected to integrate MTE for broader protection.