From: Masami Hiramatsu <mhiramat@kernel.org>
To: Nadav Amit <nadav.amit@gmail.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Andy Lutomirski <luto@kernel.org>, Ingo Molnar <mingo@redhat.com>,
LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Damian Tometzki <linux_dti@icloud.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Linux-MM <linux-mm@kvack.org>, Will Deacon <will.deacon@arm.com>,
ard.biesheuvel@linaro.org, kristen@linux.intel.com,
deneen.t.dock@intel.com
Subject: Re: [PATCH 17/17] module: Prevent module removal racing with text_poke()
Date: Fri, 18 Jan 2019 22:32:49 +0900 [thread overview]
Message-ID: <20190118223249.94436b58fbf5f9592d92dfca@kernel.org> (raw)
In-Reply-To: <69EA2C81-826F-46BA-8D80-241C39B0B70B@gmail.com>
On Thu, 17 Jan 2019 17:15:27 -0800
Nadav Amit <nadav.amit@gmail.com> wrote:
> > On Jan 17, 2019, at 3:58 PM, H. Peter Anvin <hpa@zytor.com> wrote:
> >
> > On 1/16/19 11:54 PM, Masami Hiramatsu wrote:
> >> On Wed, 16 Jan 2019 16:32:59 -0800
> >> Rick Edgecombe <rick.p.edgecombe@intel.com> wrote:
> >>
> >>> From: Nadav Amit <namit@vmware.com>
> >>>
> >>> It seems dangerous to allow code modifications to take place
> >>> concurrently with module unloading. So take the text_mutex while the
> >>> memory of the module is freed.
> >>
> >> At that point, since the module itself is removed from module list,
> >> it seems no actual harm. Or would you have any concern?
> >
> > The issue isn't the module list, but rather when it is safe to free the
> > contents, so we don't clobber anything. We absolutely need to enforce
> > that we can't text_poke() something that might have already been freed.
> >
> > That being said, we *also* really would prefer to enforce that we can't
> > text_poke() memory that doesn't actually contain code; as far as I can
> > tell we don't currently do that check.
>
> Yes, that what the mutex was supposed to achieve. It’s not supposed just
> to check whether it is a code page, but also that it is the same code
> page that you wanted to patch.
>
> > This, again, is a good use for a separate mm context. We can enforce
> > that that context will only ever contain valid page mappings for actual
> > code pages.
>
> This will not tell you that you have the *right* code-page. The module
> notifiers help to do so, since they synchronize the text poking with
> the module removal.
>
> > (Note: in my proposed algorithm, with a separate mm, replace INVLPG with
> > switching CR3 if we have to do a rollback or roll forward in the
> > breakpoint handler.)
>
> I really need to read your patches more carefully to see what you mean.
>
> Anyhow, so what do you prefer? I’m ok with either one:
> 1. Keep this patch
> 2. Remove this patch and change into a comment on text_poke()
> 3. Just drop the patch
I would prefer 2. so at least we should add a comment to text_poke().
Thank you,
--
Masami Hiramatsu <mhiramat@kernel.org>
next prev parent reply other threads:[~2019-01-18 13:32 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-17 0:32 [PATCH 00/17] Merge text_poke fixes and executable lockdowns Rick Edgecombe
2019-01-17 0:32 ` [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" Rick Edgecombe
2019-01-17 6:47 ` Masami Hiramatsu
2019-01-17 21:15 ` hpa
2019-01-17 22:39 ` Nadav Amit
2019-01-17 22:59 ` hpa
2019-01-17 23:14 ` Nadav Amit
2019-01-17 23:19 ` H. Peter Anvin
2019-01-18 2:40 ` Nadav Amit
2019-01-25 9:30 ` Borislav Petkov
2019-01-25 18:28 ` Nadav Amit
2019-01-17 0:32 ` [PATCH 02/17] x86/jump_label: Use text_poke_early() during early init Rick Edgecombe
2019-01-17 0:32 ` [PATCH 03/17] x86/mm: temporary mm struct Rick Edgecombe
2019-01-17 0:32 ` [PATCH 04/17] fork: provide a function for copying init_mm Rick Edgecombe
2019-01-17 0:32 ` [PATCH 05/17] x86/alternative: initializing temporary mm for patching Rick Edgecombe
2019-01-17 0:32 ` [PATCH 06/17] x86/alternative: use temporary mm for text poking Rick Edgecombe
2019-01-17 20:27 ` Andy Lutomirski
2019-01-17 20:47 ` Andy Lutomirski
2019-01-17 21:43 ` Nadav Amit
2019-01-17 22:29 ` Nadav Amit
2019-01-17 22:31 ` hpa
2019-01-17 0:32 ` [PATCH 07/17] x86/kgdb: avoid redundant comparison of patched code Rick Edgecombe
2019-01-17 0:32 ` [PATCH 08/17] x86/ftrace: set trampoline pages as executable Rick Edgecombe
2019-02-06 16:22 ` Steven Rostedt
2019-02-06 17:33 ` Nadav Amit
2019-02-06 17:41 ` Steven Rostedt
2019-01-17 0:32 ` [PATCH 09/17] x86/kprobes: Instruction pages initialization enhancements Rick Edgecombe
2019-01-17 6:51 ` Masami Hiramatsu
2019-01-17 0:32 ` [PATCH 10/17] x86: avoid W^X being broken during modules loading Rick Edgecombe
2019-01-17 0:32 ` [PATCH 11/17] x86/jump-label: remove support for custom poker Rick Edgecombe
2019-01-17 0:32 ` [PATCH 12/17] x86/alternative: Remove the return value of text_poke_*() Rick Edgecombe
2019-01-17 0:32 ` [PATCH 13/17] Add set_alias_ function and x86 implementation Rick Edgecombe
2019-01-17 0:32 ` [PATCH 14/17] mm: Make hibernate handle unmapped pages Rick Edgecombe
2019-01-17 9:39 ` Pavel Machek
2019-01-17 22:16 ` Edgecombe, Rick P
2019-01-17 23:41 ` Pavel Machek
2019-01-17 23:48 ` Edgecombe, Rick P
2019-01-18 8:16 ` Pavel Machek
2019-01-17 0:32 ` [PATCH 15/17] vmalloc: New flags for safe vfree on special perms Rick Edgecombe
2019-01-17 0:32 ` [PATCH 16/17] Plug in new special vfree flag Rick Edgecombe
2019-02-06 16:23 ` Steven Rostedt
2019-02-07 17:33 ` Edgecombe, Rick P
2019-02-07 17:49 ` Steven Rostedt
2019-02-07 18:20 ` Edgecombe, Rick P
2019-01-17 0:32 ` [PATCH 17/17] module: Prevent module removal racing with text_poke() Rick Edgecombe
2019-01-17 7:54 ` Masami Hiramatsu
2019-01-17 18:07 ` Nadav Amit
2019-01-17 23:44 ` H. Peter Anvin
2019-01-18 8:23 ` Masami Hiramatsu
2019-01-17 23:58 ` H. Peter Anvin
2019-01-18 1:15 ` Nadav Amit
2019-01-18 13:32 ` Masami Hiramatsu [this message]
2019-01-17 13:21 ` [PATCH 00/17] Merge text_poke fixes and executable lockdowns Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190118223249.94436b58fbf5f9592d92dfca@kernel.org \
--to=mhiramat@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=deneen.t.dock@intel.com \
--cc=hpa@zytor.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kristen@linux.intel.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux_dti@icloud.com \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.