From: Ingo Molnar <mingo@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>,
Paul Mackerras <paulus@samba.org>,
"H. Peter Anvin" <hpa@zytor.com>,
sparclinux@vger.kernel.org,
Nicolas Dichtel <nicolas.dichtel@6wind.com>,
Alexei Starovoitov <ast@plumgrid.com>,
linux-s390@vger.kernel.org, Russell King <linux@arm.linux.org.uk>,
x86@kernel.org, James Morris <jmorris@namei.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Xi Wang <xi.wang@gmail.com>, Matt Evans <matt@ozlabs.org>,
Thomas Gleixner <tglx@linutronix.de>,
linux-arm-kernel@lists.infradead.org,
Stelian Nirlu <steliannirlu@gmail.com>,
Nicolas Schichan <nschichan@freebox.fr>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
netdev <netdev@vger.kernel.org>,
linux-kernel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>,
Mircea Gherzan <mgherzan@gmail.com>,
Daniel Borkmann <dborkman@redhat.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
linux390@de.ibm.com, linuxppc-dev@lists.ozlabs.org,
Patrick McHardy <kaber@trash.net>
Subject: Re: [PATCH v3 net-next] fix unsafe set_memory_rw from softirq
Date: Fri, 4 Oct 2013 19:35:40 +0200 [thread overview]
Message-ID: <20131004173540.GB15689@gmail.com> (raw)
In-Reply-To: <CANn89iKkbR0_HaofvC_OVvqRv_Hqj3rATx-Z_4xXeusOasa56g@mail.gmail.com>
* Eric Dumazet <edumazet@google.com> wrote:
> 1)
> >
> > I took a brief look at arch/x86/net/bpf_jit_comp.c while reviewing this
> > patch.
> >
> > You need to split up bpf_jit_compile(), it's an obscenely large, ~600
> > lines long function. We don't do that in modern, maintainable kernel code.
> >
> > 2)
> >
> > This 128 bytes extra padding:
> >
> > /* Most of BPF filters are really small,
> > * but if some of them fill a page, allow at least
> > * 128 extra bytes to insert a random section of int3
> > */
> > sz = round_up(proglen + sizeof(*header) + 128, PAGE_SIZE);
> >
> > why is it done? It's not clear to me from the comment.
> >
>
> commit 314beb9bcabfd6b4542ccbced2402af2c6f6142a
> Author: Eric Dumazet <edumazet@google.com>
> Date: Fri May 17 16:37:03 2013 +0000
>
> x86: bpf_jit_comp: secure bpf jit against spraying attacks
>
> hpa bringed into my attention some security related issues
> with BPF JIT on x86.
>
> This patch makes sure the bpf generated code is marked read only,
> as other kernel text sections.
>
> It also splits the unused space (we vmalloc() and only use a fraction of
> the page) in two parts, so that the generated bpf code not starts at a
> known offset in the page, but a pseudo random one.
Thanks for the explanation - that makes sense.
Ingo
WARNING: multiple messages have this Message-ID (diff)
From: mingo@kernel.org (Ingo Molnar)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v3 net-next] fix unsafe set_memory_rw from softirq
Date: Fri, 4 Oct 2013 19:35:40 +0200 [thread overview]
Message-ID: <20131004173540.GB15689@gmail.com> (raw)
In-Reply-To: <CANn89iKkbR0_HaofvC_OVvqRv_Hqj3rATx-Z_4xXeusOasa56g@mail.gmail.com>
* Eric Dumazet <edumazet@google.com> wrote:
> 1)
> >
> > I took a brief look at arch/x86/net/bpf_jit_comp.c while reviewing this
> > patch.
> >
> > You need to split up bpf_jit_compile(), it's an obscenely large, ~600
> > lines long function. We don't do that in modern, maintainable kernel code.
> >
> > 2)
> >
> > This 128 bytes extra padding:
> >
> > /* Most of BPF filters are really small,
> > * but if some of them fill a page, allow at least
> > * 128 extra bytes to insert a random section of int3
> > */
> > sz = round_up(proglen + sizeof(*header) + 128, PAGE_SIZE);
> >
> > why is it done? It's not clear to me from the comment.
> >
>
> commit 314beb9bcabfd6b4542ccbced2402af2c6f6142a
> Author: Eric Dumazet <edumazet@google.com>
> Date: Fri May 17 16:37:03 2013 +0000
>
> x86: bpf_jit_comp: secure bpf jit against spraying attacks
>
> hpa bringed into my attention some security related issues
> with BPF JIT on x86.
>
> This patch makes sure the bpf generated code is marked read only,
> as other kernel text sections.
>
> It also splits the unused space (we vmalloc() and only use a fraction of
> the page) in two parts, so that the generated bpf code not starts at a
> known offset in the page, but a pseudo random one.
Thanks for the explanation - that makes sense.
Ingo
WARNING: multiple messages have this Message-ID (diff)
From: Ingo Molnar <mingo@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Paul Mackerras <paulus@samba.org>,
"H. Peter Anvin" <hpa@zytor.com>,
sparclinux@vger.kernel.org,
Nicolas Dichtel <nicolas.dichtel@6wind.com>,
Alexei Starovoitov <ast@plumgrid.com>,
linux-s390@vger.kernel.org, Russell King <linux@arm.linux.org.uk>,
x86@kernel.org, James Morris <jmorris@namei.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Xi Wang <xi.wang@gmail.com>, Matt Evans <matt@ozlabs.org>,
Thomas Gleixner <tglx@linutronix.de>,
linux-arm-kernel@lists.infradead.org,
Stelian Nirlu <steliannirlu@gmail.com>,
Nicolas Schichan <nschichan@freebox.fr>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
netdev <netdev@vger.kernel.org>,
linux-kernel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>,
Mi
Subject: Re: [PATCH v3 net-next] fix unsafe set_memory_rw from softirq
Date: Fri, 4 Oct 2013 19:35:40 +0200 [thread overview]
Message-ID: <20131004173540.GB15689@gmail.com> (raw)
In-Reply-To: <CANn89iKkbR0_HaofvC_OVvqRv_Hqj3rATx-Z_4xXeusOasa56g@mail.gmail.com>
* Eric Dumazet <edumazet@google.com> wrote:
> 1)
> >
> > I took a brief look at arch/x86/net/bpf_jit_comp.c while reviewing this
> > patch.
> >
> > You need to split up bpf_jit_compile(), it's an obscenely large, ~600
> > lines long function. We don't do that in modern, maintainable kernel code.
> >
> > 2)
> >
> > This 128 bytes extra padding:
> >
> > /* Most of BPF filters are really small,
> > * but if some of them fill a page, allow at least
> > * 128 extra bytes to insert a random section of int3
> > */
> > sz = round_up(proglen + sizeof(*header) + 128, PAGE_SIZE);
> >
> > why is it done? It's not clear to me from the comment.
> >
>
> commit 314beb9bcabfd6b4542ccbced2402af2c6f6142a
> Author: Eric Dumazet <edumazet@google.com>
> Date: Fri May 17 16:37:03 2013 +0000
>
> x86: bpf_jit_comp: secure bpf jit against spraying attacks
>
> hpa bringed into my attention some security related issues
> with BPF JIT on x86.
>
> This patch makes sure the bpf generated code is marked read only,
> as other kernel text sections.
>
> It also splits the unused space (we vmalloc() and only use a fraction of
> the page) in two parts, so that the generated bpf code not starts at a
> known offset in the page, but a pseudo random one.
Thanks for the explanation - that makes sense.
Ingo
next prev parent reply other threads:[~2013-10-04 17:35 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-04 2:24 [PATCH v3 net-next] fix unsafe set_memory_rw from softirq Alexei Starovoitov
2013-10-04 2:24 ` Alexei Starovoitov
2013-10-04 2:24 ` Alexei Starovoitov
2013-10-04 6:47 ` Heiko Carstens
2013-10-04 6:47 ` Heiko Carstens
2013-10-04 6:47 ` Heiko Carstens
2013-10-04 7:51 ` Ingo Molnar
2013-10-04 7:51 ` Ingo Molnar
2013-10-04 7:51 ` Ingo Molnar
2013-10-04 13:56 ` Eric Dumazet
2013-10-04 13:56 ` Eric Dumazet
2013-10-04 17:35 ` Ingo Molnar [this message]
2013-10-04 17:35 ` Ingo Molnar
2013-10-04 17:35 ` Ingo Molnar
2013-10-04 17:49 ` Alexei Starovoitov
2013-10-04 17:49 ` Alexei Starovoitov
2013-10-04 17:49 ` Alexei Starovoitov
2013-10-04 18:00 ` Ingo Molnar
2013-10-04 18:00 ` Ingo Molnar
2013-10-04 18:00 ` Ingo Molnar
-- strict thread matches above, loose matches on Subject: below --
2013-10-04 4:11 Alexei Starovoitov
2013-10-04 4:11 ` Alexei Starovoitov
2013-10-04 4:11 ` Alexei Starovoitov
2013-10-04 5:16 ` Eric Dumazet
2013-10-04 5:16 ` Eric Dumazet
2013-10-04 5:16 ` Eric Dumazet
2013-10-04 6:30 ` Alexei Starovoitov
2013-10-04 6:30 ` Alexei Starovoitov
2013-10-04 6:30 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131004173540.GB15689@gmail.com \
--to=mingo@kernel.org \
--cc=ast@plumgrid.com \
--cc=davem@davemloft.net \
--cc=dborkman@redhat.com \
--cc=edumazet@google.com \
--cc=heiko.carstens@de.ibm.com \
--cc=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux390@de.ibm.com \
--cc=linux@arm.linux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=matt@ozlabs.org \
--cc=mgherzan@gmail.com \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=nicolas.dichtel@6wind.com \
--cc=nschichan@freebox.fr \
--cc=paulmck@linux.vnet.ibm.com \
--cc=paulus@samba.org \
--cc=schwidefsky@de.ibm.com \
--cc=sparclinux@vger.kernel.org \
--cc=steliannirlu@gmail.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=xi.wang@gmail.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.