From: Qian Cai <cai@lca.pw>
To: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	 Linux Memory Management List <linux-mm@kvack.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH -next v2] mm/page_alloc: fix a false memory corruption
Date: Fri, 21 Jun 2019 10:56:07 -0400	[thread overview]
Message-ID: <1561128967.5154.45.camel@lca.pw> (raw)
In-Reply-To: <CAG_fn=WGdFZNrUCeMtbx4wbHhxWqM2s7Vq_GvnMC-9WJZ_mioQ@mail.gmail.com>

On Fri, 2019-06-21 at 16:37 +0200, Alexander Potapenko wrote:
> On Fri, Jun 21, 2019 at 2:26 PM Qian Cai <cai@lca.pw> wrote:
> > 
> > On Fri, 2019-06-21 at 12:39 +0200, Alexander Potapenko wrote:
> > > On Fri, Jun 21, 2019 at 3:01 AM Kees Cook <keescook@chromium.org> wrote:
> > > > 
> > > > On Thu, Jun 20, 2019 at 04:46:06PM -0400, Qian Cai wrote:
> > > > > The linux-next commit "mm: security: introduce init_on_alloc=1 and
> > > > > init_on_free=1 boot options" [1] introduced a false positive when
> > > > > init_on_free=1 and page_poison=on, due to the page_poison expects the
> > > > > pattern 0xaa when allocating pages which were overwritten by
> > > > > init_on_free=1 with 0.
> > > > > 
> > > > > Fix it by switching the order between kernel_init_free_pages() and
> > > > > kernel_poison_pages() in free_pages_prepare().
> > > > 
> > > > Cool; this seems like the right approach. Alexander, what do you think?
> > > 
> > > Can using init_on_free together with page_poison bring any value at all?
> > > Isn't it better to decide at boot time which of the two features we're
> > > going to enable?
> > 
> > I think the typical use case is people are using init_on_free=1, and then
> > decide to debug something by enabling page_poison=on. Definitely, don't
> > want init_on_free=1 to disable page_poison as the latter has additional
> > checking at allocation time to make sure that the poison pattern set at
> > free time is still there.
> 
> In addition to information lifetime reduction the idea of init_on_free
> is to ensure the newly allocated objects have predictable contents.
> Therefore it's handy (although not strictly necessary) to keep them
> zero-initialized regardless of other boot-time flags.
> Right now free_pages_prezeroed() relies on that, though this can be changed.
> 
> On the other hand, since page_poison already initializes freed memory,
> we can probably make want_init_on_free() return false in that case to
> avoid extra initialization.
> 
> Side note: if we make it possible to switch between 0x00 and 0xAA in
> init_on_free mode, we can merge it with page_poison, performing the
> initialization depending on a boot-time flag and doing heavyweight
> checks under a separate config.

Yes, that would be great, as it would reduce code duplication.

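The ordering the patch changes, as an added example that is not the patch's or the kernel's own code: a small user-space model of the free and allocation hooks with init_on_free=1 and page_poison=on. The model page size, the 0xaa poison byte as the expected pattern, the global boot flags and every model_* / free_prepare_* name are assumptions of this example. It runs the pre-patch order (poison, then zero) and the patched order (zero, then poison) through the allocation-time poison check, and also reports whether a freed page is actually zero afterwards, which bears on the free_pages_prezeroed() remark above.

```c
/*
 * Added example, not code from the patch or the kernel: a user-space
 * model of the free/alloc hooks discussed in this thread. The page
 * size, the 0xaa poison byte and the function names are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 256   /* assumption: small page for the model */
#define PAGE_POISON     0xaa  /* pattern page_poison writes on free */

/* boot-time knobs, modelled as globals (init_on_free=1, page_poison=on) */
static bool init_on_free = true;
static bool page_poison  = true;

/* model of kernel_init_free_pages(): zero the page on free */
static void model_init_free_pages(uint8_t *page)
{
	memset(page, 0, MODEL_PAGE_SIZE);
}

/* model of kernel_poison_pages() on the free path: write the pattern */
static void model_poison_pages(uint8_t *page)
{
	if (page_poison)
		memset(page, PAGE_POISON, MODEL_PAGE_SIZE);
}

/* model of the allocation-time check: every byte must still be 0xaa */
static bool model_check_poison(const uint8_t *page)
{
	if (!page_poison)
		return true;
	for (size_t i = 0; i < MODEL_PAGE_SIZE; i++)
		if (page[i] != PAGE_POISON)
			return false;  /* kernel would report memory corruption */
	return true;
}

/* order in the linux-next commit the patch fixes: poison, then zero */
static void free_prepare_old_order(uint8_t *page)
{
	model_poison_pages(page);
	if (init_on_free)
		model_init_free_pages(page);  /* wipes the 0xaa pattern */
}

/* order after the patch: zero first, then poison */
static void free_prepare_fixed_order(uint8_t *page)
{
	if (init_on_free)
		model_init_free_pages(page);
	model_poison_pages(page);  /* pattern survives until allocation */
}

/* Free a page, then run the alloc-time check; true when no report. */
static bool free_then_alloc_ok(void (*free_prepare)(uint8_t *))
{
	uint8_t page[MODEL_PAGE_SIZE];
	memset(page, 0x5a, sizeof(page));  /* constructed in-use contents */
	free_prepare(page);
	return model_check_poison(page);
}

/* Is the freed page all zero? With page_poison on it is 0xaa instead,
   so "init_on_free implies prezeroed" does not hold in this model. */
static bool freed_page_is_zero(void (*free_prepare)(uint8_t *))
{
	uint8_t page[MODEL_PAGE_SIZE];
	memset(page, 0x5a, sizeof(page));
	free_prepare(page);
	for (size_t i = 0; i < MODEL_PAGE_SIZE; i++)
		if (page[i] != 0)
			return false;
	return true;
}

int main(void)
{
	printf("old order, alloc-time poison check: %s\n",
	       free_then_alloc_ok(free_prepare_old_order) ? "ok" : "FALSE POSITIVE");
	printf("fixed order, alloc-time poison check: %s\n",
	       free_then_alloc_ok(free_prepare_fixed_order) ? "ok" : "FALSE POSITIVE");
	printf("fixed order, freed page is zero: %s\n",
	       freed_page_is_zero(free_prepare_fixed_order) ? "yes" : "no (0xaa)");
	return 0;
}
```

With the old order the zeroing runs last, so the allocation-time check finds 0x00 where it expects 0xaa and reports corruption that never happened; with the patched order the pattern is the last thing written and the check passes. The third result shows the cost of keeping both features on: a freed page now holds 0xaa, not zero, so any path that skips init_on_alloc because init_on_free is set would hand out poisoned rather than zeroed memory.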

Thread overview (7+ messages):
2019-06-20 20:46 [PATCH -next v2] mm/page_alloc: fix a false memory corruption Qian Cai
2019-06-21  1:01 ` Kees Cook
2019-06-21 10:39   ` Alexander Potapenko
2019-06-21 12:26     ` Qian Cai
2019-06-21 14:37       ` Alexander Potapenko
2019-06-21 14:56         ` Qian Cai [this message]
2019-06-21 15:26           ` Alexander Potapenko
