From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Arnd Bergmann <arnd@arndb.de>,
Christoph Lameter <cl@linux-foundation.org>,
Pekka Enberg <penberg@kernel.org>, Matt Mackall <mpm@selenic.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
linux-mm@kvack.org
Subject: Re: [kernel-hardening] Re: [RFC v1] implement SL*B and stack usercopy runtime checks
Date: Sun, 3 Jul 2011 23:24:42 +0400 [thread overview]
Message-ID: <20110703192442.GA9504@albatros> (raw)
In-Reply-To: <CA+55aFwuvk7xifqCX=E3DtV=JCJEzyODcF4o6xLL0U1N_P-Rbg@mail.gmail.com>
On Sun, Jul 03, 2011 at 12:10 -0700, Linus Torvalds wrote:
> On Sun, Jul 3, 2011 at 11:57 AM, Vasiliy Kulikov <segoon@openwall.com> wrote:
> >> If you seriously clean it up (that at a minimum includes things like
> >> making it configurable using some pretty helper function that just
> >> compiles away for all the normal cases,
> >
> > Hm, it is not as simple as it looks at the first glance - even if the
> > object size is known at the compile time (__compiletime_object_size), it
> > might be a field of a structure, which crosses the slab object
> > boundaries because of an overflow.
>
> No, I was more talking about having something like
>
> #ifdef CONFIG_EXPENSIVE_CHECK_USERCOPY
> extern int check_user_copy(const void *kptr, unsigned long size);
> #else
> static inline int check_user_copy(const void *kptr, unsigned long size)
> { return 0; }
> #endif
Sure, will do. This is what I mean by kernel_access_ok() as it is a
weak equivalent of access_ok(), check_user_copy() is a bit confusing
name IMO.
> so that the actual user-copy routines end up being clean and not have
> #ifdefs in them or any implementation details like what you check
> (stack, slab, page cache - whatever)
>
> If you can also make it automatically not generate any code for cases
> that are somehow obviously safe, then that's an added bonus.
OK, then let's stop on "checks for overflows" and remove the check if
__compiletime_object_size() says something or length is constant. It
should remove most of the checks in fast pathes.
> But my concern is that performance is a real issue, and the strict
> user-copy checking sounds like mostly a "let's enable this for testing
> kernels when chasing some particular issue" feature, the way
> DEBUG_PAGEALLOC is.
I will measure the perfomance penalty tomorrow.
Btw, if the perfomance will be acceptable, what do you think about
logging/reacting on the spotted overflows?
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
WARNING: multiple messages have this Message-ID (diff)
From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Arnd Bergmann <arnd@arndb.de>,
Christoph Lameter <cl@linux-foundation.org>,
Pekka Enberg <penberg@kernel.org>, Matt Mackall <mpm@selenic.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
linux-mm@kvack.org
Subject: Re: [kernel-hardening] Re: [RFC v1] implement SL*B and stack usercopy runtime checks
Date: Sun, 3 Jul 2011 23:24:42 +0400 [thread overview]
Message-ID: <20110703192442.GA9504@albatros> (raw)
In-Reply-To: <CA+55aFwuvk7xifqCX=E3DtV=JCJEzyODcF4o6xLL0U1N_P-Rbg@mail.gmail.com>
On Sun, Jul 03, 2011 at 12:10 -0700, Linus Torvalds wrote:
> On Sun, Jul 3, 2011 at 11:57 AM, Vasiliy Kulikov <segoon@openwall.com> wrote:
> >> If you seriously clean it up (that at a minimum includes things like
> >> making it configurable using some pretty helper function that just
> >> compiles away for all the normal cases,
> >
> > Hm, it is not as simple as it looks at the first glance - even if the
> > object size is known at the compile time (__compiletime_object_size), it
> > might be a field of a structure, which crosses the slab object
> > boundaries because of an overflow.
>
> No, I was more talking about having something like
>
> #ifdef CONFIG_EXPENSIVE_CHECK_USERCOPY
> extern int check_user_copy(const void *kptr, unsigned long size);
> #else
> static inline int check_user_copy(const void *kptr, unsigned long size)
> { return 0; }
> #endif
Sure, will do. This is what I mean by kernel_access_ok() as it is a
weak equivalent of access_ok(), check_user_copy() is a bit confusing
name IMO.
> so that the actual user-copy routines end up being clean and not have
> #ifdefs in them or any implementation details like what you check
> (stack, slab, page cache - whatever)
>
> If you can also make it automatically not generate any code for cases
> that are somehow obviously safe, then that's an added bonus.
OK, then let's stop on "checks for overflows" and remove the check if
__compiletime_object_size() says something or length is constant. It
should remove most of the checks in fast pathes.
> But my concern is that performance is a real issue, and the strict
> user-copy checking sounds like mostly a "let's enable this for testing
> kernels when chasing some particular issue" feature, the way
> DEBUG_PAGEALLOC is.
I will measure the perfomance penalty tomorrow.
Btw, if the perfomance will be acceptable, what do you think about
logging/reacting on the spotted overflows?
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2011-07-03 19:24 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-03 11:10 [kernel-hardening] [RFC v1] implement SL*B and stack usercopy runtime checks Vasiliy Kulikov
2011-07-03 11:10 ` Vasiliy Kulikov
2011-07-03 11:10 ` Vasiliy Kulikov
2011-07-03 18:27 ` [kernel-hardening] " Linus Torvalds
2011-07-03 18:27 ` Linus Torvalds
2011-07-03 18:27 ` Linus Torvalds
2011-07-03 18:57 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-03 18:57 ` Vasiliy Kulikov
2011-07-03 18:57 ` Vasiliy Kulikov
2011-07-03 19:10 ` [kernel-hardening] " Linus Torvalds
2011-07-03 19:10 ` Linus Torvalds
2011-07-03 19:10 ` Linus Torvalds
2011-07-03 19:24 ` Vasiliy Kulikov [this message]
2011-07-03 19:24 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-03 19:37 ` Joe Perches
2011-07-03 19:37 ` Joe Perches
2011-07-03 19:53 ` Vasiliy Kulikov
2011-07-03 19:53 ` Vasiliy Kulikov
2011-07-06 3:39 ` Jonathan Hawthorne
2011-07-06 3:39 ` Jonathan Hawthorne
2011-07-18 18:39 ` [kernel-hardening] [RFC v2] " Vasiliy Kulikov
2011-07-18 18:39 ` Vasiliy Kulikov
2011-07-18 18:39 ` Vasiliy Kulikov
2011-07-18 18:52 ` [kernel-hardening] " Andrew Morton
2011-07-18 18:52 ` Andrew Morton
2011-07-18 18:52 ` Andrew Morton
2011-07-18 19:33 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-18 19:33 ` Vasiliy Kulikov
2011-07-19 7:40 ` Vasiliy Kulikov
2011-07-19 7:40 ` Vasiliy Kulikov
2011-07-18 19:08 ` Matt Mackall
2011-07-18 19:08 ` Matt Mackall
2011-07-18 19:08 ` Matt Mackall
2011-07-18 19:24 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-18 19:24 ` Vasiliy Kulikov
2011-07-18 19:24 ` Vasiliy Kulikov
2011-07-18 21:18 ` [kernel-hardening] " Christoph Lameter
2011-07-18 21:18 ` Christoph Lameter
2011-07-18 21:18 ` Christoph Lameter
2011-07-19 6:53 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-19 6:53 ` Vasiliy Kulikov
2011-07-19 6:53 ` Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110703192442.GA9504@albatros \
--to=segoon@openwall.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=cl@linux-foundation.org \
--cc=hpa@zytor.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@redhat.com \
--cc=mpm@selenic.com \
--cc=penberg@kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.