From: Ingo Molnar <mingo@kernel.org>
To: PaX Team <pageexec@freemail.hu>
Cc: kernel-hardening@lists.openwall.com,
Mathias Krause <minipli@googlemail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>, x86-ml <x86@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Michael Ellerman <mpe@ellerman.id.au>,
linux-arch@vger.kernel.org, Emese Revfy <re.emese@gmail.com>
Subject: Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory
Date: Thu, 26 Nov 2015 11:42:29 +0100 [thread overview]
Message-ID: <20151126104229.GA8530@gmail.com> (raw)
In-Reply-To: <5656D779.17137.12A1EA53@pageexec.freemail.hu>
* PaX Team <pageexec@freemail.hu> wrote:
> On 26 Nov 2015 at 9:54, Ingo Molnar wrote:
>
> > * PaX Team <pageexec@freemail.hu> wrote:
> >
> > > actually the kernel could silently recover from this given how the page fault
> > > handler could easily determine that the fault address fell into the
> > > data..read_only section and just silently undo the read-only property, log the
> > > event to dmesg and retry the faulting access.
> >
> > So a safer method would be to decode the faulting instruction, to skip it by
> > fixing up the return RIP and to log the event. It would be mostly equivalent
> > to trying to write to ROM (which get ignored as well), so it's a recoverable
> > (and debuggable) event.
>
> if by skipping you mean ignoring the write attempt then it's not a good idea as
> it has a good chance to cause unexpected behaviour down the line.
>
> e.g., imagine that the write was to a function pointer (even an entire ops
> structure) or a boolean that controls some important feature for after-init
> code. ignoring/dropping such writes could cause all kinds of logic bugs (if not
> worse).
Well, the typical case is that it's a logic bug to _do_ the write: the structure
was marked readonly for a reason but some init code re-runs during suspend or so.
But yes, logic bugs might trigger - but that is true in the opposite case as well,
if we do the write despite it being marked readonly:
> my somewhat related war story is that i once tried to constify machine_ops (both
> the struct and the variable of the same name) directly and just forced the
> writes in kvm/xen/etc via type casts. now i knew it was all undefined behaviour
> but i didn't expect gcc to take advantage of it but it did (const propagated the
> *initial* fptr values into the indirect calls by turning them into direct calls)
> and which in turn prevented proper reboots for guests (an event which obviously
> happens much later after init/boot to the great puzzlement of end users and
> myself).
>
> misusing __read_only and ignoring write attempts would effectively produce the
> same misbehaviour as above so i strongly advise against it.
No, the difference to the GCC related aliasing bug is that with my technique the
kernel would immediately produce a very visible kernel warning, which is a very
clear sign that is wrong - and with a very clear backtrace in the warning that
points right to the problematic code - which signature shows us (and users) what
is wrong.
So your example is not comparable at all.
Plus the truly paranoid might panic/halt the system on such warnings, so for
highly secure systems there's a way to not even allow the possibility of logic
bugs. (at the cost of stopping the system when a bug triggers.)
Thanks,
Ingo
next prev parent reply other threads:[~2015-11-26 10:42 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-24 21:38 [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory Kees Cook
2015-11-24 21:38 ` Kees Cook
2015-11-24 21:38 ` [kernel-hardening] [PATCH 1/2] x86: " Kees Cook
2015-11-24 21:38 ` Kees Cook
2015-11-25 0:34 ` [kernel-hardening] " Andy Lutomirski
2015-11-25 0:34 ` Andy Lutomirski
2015-11-25 0:44 ` [kernel-hardening] " Kees Cook
2015-11-25 0:44 ` Kees Cook
2015-11-25 0:54 ` [kernel-hardening] " Michael Ellerman
2015-11-25 15:03 ` Kees Cook
2015-11-25 23:05 ` Michael Ellerman
2015-11-25 23:32 ` Kees Cook
2015-11-25 23:32 ` Kees Cook
2015-11-24 21:38 ` [kernel-hardening] [PATCH 2/2] x86, vdso: mark vDSO read-only after init Kees Cook
2015-11-24 21:38 ` Kees Cook
2015-11-25 9:13 ` [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory Mathias Krause
2015-11-25 9:13 ` Mathias Krause
2015-11-25 10:06 ` [kernel-hardening] " Clemens Ladisch
2015-11-25 11:14 ` PaX Team
2015-11-25 11:14 ` PaX Team
2015-11-26 15:23 ` [kernel-hardening] " Daniel Micay
2015-11-25 11:05 ` PaX Team
2015-11-25 11:05 ` PaX Team
2015-11-26 8:54 ` [kernel-hardening] " Ingo Molnar
2015-11-26 9:57 ` PaX Team
2015-11-26 9:57 ` PaX Team
2015-11-26 10:42 ` Ingo Molnar [this message]
2015-11-26 12:14 ` [kernel-hardening] " PaX Team
2015-11-26 12:14 ` PaX Team
2015-11-27 8:05 ` [kernel-hardening] " Ingo Molnar
2015-11-27 8:05 ` Ingo Molnar
2015-11-27 15:29 ` [kernel-hardening] " PaX Team
2015-11-27 15:29 ` PaX Team
2015-11-27 16:30 ` [kernel-hardening] " Andy Lutomirski
2015-11-29 8:08 ` Ingo Molnar
2015-11-29 11:15 ` PaX Team
2015-11-29 11:15 ` PaX Team
2015-11-29 15:39 ` [kernel-hardening] " Ingo Molnar
2015-11-29 18:05 ` Mathias Krause
2015-11-29 18:05 ` Mathias Krause
2015-11-30 8:01 ` [kernel-hardening] " Ingo Molnar
2015-11-30 8:01 ` Ingo Molnar
2015-11-26 16:11 ` [kernel-hardening] " Andy Lutomirski
2015-11-26 16:11 ` Andy Lutomirski
2015-11-27 7:59 ` [kernel-hardening] " Ingo Molnar
2015-11-27 7:59 ` Ingo Molnar
2015-11-27 18:00 ` [kernel-hardening] " Linus Torvalds
2015-11-27 18:03 ` Linus Torvalds
2015-11-27 18:03 ` Linus Torvalds
2015-11-27 20:03 ` [kernel-hardening] " Kees Cook
2015-11-27 20:03 ` Kees Cook
2015-11-27 20:09 ` [kernel-hardening] " Andy Lutomirski
2015-11-29 8:05 ` Ingo Molnar
2015-11-30 21:14 ` H. Peter Anvin
2015-11-30 21:14 ` H. Peter Anvin
2015-11-30 21:33 ` [kernel-hardening] " Kees Cook
2015-11-30 21:38 ` Andy Lutomirski
2015-11-30 21:43 ` H. Peter Anvin
2015-11-30 21:43 ` H. Peter Anvin
2015-11-25 17:26 ` [kernel-hardening] " Kees Cook
2015-11-25 17:26 ` Kees Cook
2015-11-25 17:31 ` [kernel-hardening] " H. Peter Anvin
2015-11-25 17:31 ` H. Peter Anvin
2015-11-25 18:54 ` [kernel-hardening] " Kees Cook
2015-11-25 19:06 ` H. Peter Anvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151126104229.GA8530@gmail.com \
--to=mingo@kernel.org \
--cc=arnd@arndb.de \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@redhat.com \
--cc=minipli@googlemail.com \
--cc=mpe@ellerman.id.au \
--cc=pageexec@freemail.hu \
--cc=re.emese@gmail.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.