From: Laura Abbott <laura@labbott.name>
To: Christoph Lameter <cl@linux.com>
Cc: Kees Cook <keescook@chromium.org>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: [kernel-hardening] Re: [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX
Date: Thu, 7 Jan 2016 17:23:01 -0800 [thread overview]
Message-ID: <568F0F75.4090101@labbott.name> (raw)
In-Reply-To: <alpine.DEB.2.20.1601071020570.28979@east.gentwo.org>
On 1/7/16 8:26 AM, Christoph Lameter wrote:
> On Tue, 5 Jan 2016, Laura Abbott wrote:
>
>> It's not the poisoning per se that's incompatible, it's how the poisoning is
>> set up. At least for slub, the current poisoning is part of SLUB_DEBUG which
>> enables other consistency checks on the allocator. Trying to pull out just
>> the poisoning for use when SLUB_DEBUG isn't on would result in roughly what
>> would be here anyway. I looked at trying to reuse some of the existing
>> poisoning
>> and came to the conclusion it was less intrusive to the allocator to keep it
>> separate.
>
> SLUB_DEBUG does *not* enable any debugging features. It builds the logic
> for debugging into the kernel but does not activate it. CONFIG_SLUB_DEBUG
> is set for production kernels. The poisoning is build in by default into
> any recent linux kernel out there. You can enable poisoning selectively
> (and no other debug feature) by specifying slub_debug=P on the Linux
> kernel command line right now.
>
> There is a SLAB_POISON flag for each kmem_cache that can be set to
> *only* enable poisoning and nothing else from code.
>
>
The slub_debug=P not only poisons it enables other consistency checks on the
slab as well, assuming my understanding of what check_object does is correct.
My hope was to have the poison part only and none of the consistency checks in
an attempt to mitigate performance issues. I misunderstood when the checks
actually run and how SLUB_DEBUG was used.
Another option would be to have a flag like SLAB_NO_SANITY_CHECK.
sanitization enablement would just be that and SLAB_POISON
in the debug options. The disadvantage to this approach would be losing
the sanitization for ->ctor caches (the grsecurity version works around this
by re-initializing with ->ctor, I haven't heard any feedback if this actually
acceptable) and not having some of the fast paths enabled
(assuming I'm understanding the code path correctly.) which would also
be a performance penalty
Thanks,
Laura
WARNING: multiple messages have this Message-ID (diff)
From: Laura Abbott <laura@labbott.name>
To: Christoph Lameter <cl@linux.com>
Cc: Kees Cook <keescook@chromium.org>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX
Date: Thu, 7 Jan 2016 17:23:01 -0800 [thread overview]
Message-ID: <568F0F75.4090101@labbott.name> (raw)
In-Reply-To: <alpine.DEB.2.20.1601071020570.28979@east.gentwo.org>
On 1/7/16 8:26 AM, Christoph Lameter wrote:
> On Tue, 5 Jan 2016, Laura Abbott wrote:
>
>> It's not the poisoning per se that's incompatible, it's how the poisoning is
>> set up. At least for slub, the current poisoning is part of SLUB_DEBUG which
>> enables other consistency checks on the allocator. Trying to pull out just
>> the poisoning for use when SLUB_DEBUG isn't on would result in roughly what
>> would be here anyway. I looked at trying to reuse some of the existing
>> poisoning
>> and came to the conclusion it was less intrusive to the allocator to keep it
>> separate.
>
> SLUB_DEBUG does *not* enable any debugging features. It builds the logic
> for debugging into the kernel but does not activate it. CONFIG_SLUB_DEBUG
> is set for production kernels. The poisoning is build in by default into
> any recent linux kernel out there. You can enable poisoning selectively
> (and no other debug feature) by specifying slub_debug=P on the Linux
> kernel command line right now.
>
> There is a SLAB_POISON flag for each kmem_cache that can be set to
> *only* enable poisoning and nothing else from code.
>
>
The slub_debug=P not only poisons it enables other consistency checks on the
slab as well, assuming my understanding of what check_object does is correct.
My hope was to have the poison part only and none of the consistency checks in
an attempt to mitigate performance issues. I misunderstood when the checks
actually run and how SLUB_DEBUG was used.
Another option would be to have a flag like SLAB_NO_SANITY_CHECK.
sanitization enablement would just be that and SLAB_POISON
in the debug options. The disadvantage to this approach would be losing
the sanitization for ->ctor caches (the grsecurity version works around this
by re-initializing with ->ctor, I haven't heard any feedback if this actually
acceptable) and not having some of the fast paths enabled
(assuming I'm understanding the code path correctly.) which would also
be a performance penalty
Thanks,
Laura
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Laura Abbott <laura@labbott.name>
To: Christoph Lameter <cl@linux.com>
Cc: Kees Cook <keescook@chromium.org>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX
Date: Thu, 7 Jan 2016 17:23:01 -0800 [thread overview]
Message-ID: <568F0F75.4090101@labbott.name> (raw)
In-Reply-To: <alpine.DEB.2.20.1601071020570.28979@east.gentwo.org>
On 1/7/16 8:26 AM, Christoph Lameter wrote:
> On Tue, 5 Jan 2016, Laura Abbott wrote:
>
>> It's not the poisoning per se that's incompatible, it's how the poisoning is
>> set up. At least for slub, the current poisoning is part of SLUB_DEBUG which
>> enables other consistency checks on the allocator. Trying to pull out just
>> the poisoning for use when SLUB_DEBUG isn't on would result in roughly what
>> would be here anyway. I looked at trying to reuse some of the existing
>> poisoning
>> and came to the conclusion it was less intrusive to the allocator to keep it
>> separate.
>
> SLUB_DEBUG does *not* enable any debugging features. It builds the logic
> for debugging into the kernel but does not activate it. CONFIG_SLUB_DEBUG
> is set for production kernels. The poisoning is build in by default into
> any recent linux kernel out there. You can enable poisoning selectively
> (and no other debug feature) by specifying slub_debug=P on the Linux
> kernel command line right now.
>
> There is a SLAB_POISON flag for each kmem_cache that can be set to
> *only* enable poisoning and nothing else from code.
>
>
The slub_debug=P not only poisons it enables other consistency checks on the
slab as well, assuming my understanding of what check_object does is correct.
My hope was to have the poison part only and none of the consistency checks in
an attempt to mitigate performance issues. I misunderstood when the checks
actually run and how SLUB_DEBUG was used.
Another option would be to have a flag like SLAB_NO_SANITY_CHECK.
sanitization enablement would just be that and SLAB_POISON
in the debug options. The disadvantage to this approach would be losing
the sanitization for ->ctor caches (the grsecurity version works around this
by re-initializing with ->ctor, I haven't heard any feedback if this actually
acceptable) and not having some of the fast paths enabled
(assuming I'm understanding the code path correctly.) which would also
be a performance penalty
Thanks,
Laura
next prev parent reply other threads:[~2016-01-08 1:23 UTC|newest]
Thread overview: 113+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-22 3:40 [kernel-hardening] [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 1/7] mm/slab_common.c: Add common support for slab saniziation Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 20:48 ` [kernel-hardening] " Vlastimil Babka
2015-12-22 20:48 ` Vlastimil Babka
2015-12-22 20:48 ` Vlastimil Babka
2016-01-06 0:17 ` [kernel-hardening] " Kees Cook
2016-01-06 0:17 ` Kees Cook
2016-01-06 0:17 ` Kees Cook
2016-01-06 2:06 ` [kernel-hardening] " Laura Abbott
2016-01-06 2:06 ` Laura Abbott
2016-01-06 2:06 ` Laura Abbott
2016-01-06 0:19 ` [kernel-hardening] " Kees Cook
2016-01-06 0:19 ` Kees Cook
2016-01-06 0:19 ` Kees Cook
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 2/7] slub: Add support for sanitization Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 3/7] slab: " Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 4/7] slob: " Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 5/7] mm: Mark several cases as SLAB_NO_SANITIZE Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2016-01-06 0:21 ` [kernel-hardening] " Kees Cook
2016-01-06 0:21 ` Kees Cook
2016-01-06 0:21 ` Kees Cook
2016-01-06 2:11 ` [kernel-hardening] " Laura Abbott
2016-01-06 2:11 ` Laura Abbott
2016-01-06 2:11 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 6/7] mm: Add Kconfig option for slab sanitization Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 9:33 ` [kernel-hardening] " Mathias Krause
2015-12-22 9:33 ` Mathias Krause
2015-12-22 17:51 ` Laura Abbott
2015-12-22 17:51 ` Laura Abbott
2015-12-22 18:37 ` Mathias Krause
2015-12-22 18:37 ` Mathias Krause
2015-12-22 19:18 ` Laura Abbott
2015-12-22 19:18 ` Laura Abbott
2015-12-22 20:01 ` Christoph Lameter
2015-12-22 20:01 ` Christoph Lameter
2015-12-22 20:06 ` Mathias Krause
2015-12-22 20:06 ` Mathias Krause
2015-12-22 14:57 ` Dave Hansen
2015-12-22 14:57 ` Dave Hansen
2015-12-22 16:25 ` Christoph Lameter
2015-12-22 16:25 ` Christoph Lameter
2015-12-22 17:22 ` Dave Hansen
2015-12-22 17:24 ` Christoph Lameter
2015-12-22 17:28 ` Dave Hansen
2015-12-22 17:28 ` Dave Hansen
2015-12-22 18:08 ` Christoph Lameter
2015-12-22 18:08 ` Christoph Lameter
2015-12-22 18:19 ` Dave Hansen
2015-12-22 18:19 ` Dave Hansen
2015-12-22 19:13 ` Laura Abbott
2015-12-22 19:13 ` Laura Abbott
2015-12-22 19:32 ` Dave Hansen
2015-12-22 19:32 ` Dave Hansen
2016-01-06 0:29 ` Kees Cook
2016-01-06 0:29 ` Kees Cook
2016-01-06 2:46 ` Laura Abbott
2016-01-06 2:46 ` Laura Abbott
2015-12-22 3:40 ` [kernel-hardening] [RFC][PATCH 7/7] lkdtm: Add READ_AFTER_FREE test Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2015-12-22 3:40 ` Laura Abbott
2016-01-06 0:15 ` [kernel-hardening] " Kees Cook
2016-01-06 0:15 ` Kees Cook
2016-01-06 0:15 ` Kees Cook
2016-01-06 2:49 ` [kernel-hardening] " Laura Abbott
2016-01-06 2:49 ` Laura Abbott
2016-01-06 2:49 ` Laura Abbott
2015-12-22 16:08 ` [kernel-hardening] Re: [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX Christoph Lameter
2015-12-22 16:08 ` Christoph Lameter
2015-12-22 16:08 ` Christoph Lameter
2015-12-22 16:15 ` [kernel-hardening] " Dave Hansen
2015-12-22 16:15 ` Dave Hansen
2015-12-22 16:38 ` Daniel Micay
2015-12-22 20:04 ` Laura Abbott
2015-12-22 20:04 ` Laura Abbott
2015-12-22 20:04 ` Laura Abbott
2016-01-06 0:09 ` [kernel-hardening] " Kees Cook
2016-01-06 0:09 ` Kees Cook
2016-01-06 0:09 ` Kees Cook
2016-01-06 3:17 ` [kernel-hardening] " Laura Abbott
2016-01-06 3:17 ` Laura Abbott
2016-01-06 3:17 ` Laura Abbott
2016-01-07 16:26 ` [kernel-hardening] " Christoph Lameter
2016-01-07 16:26 ` Christoph Lameter
2016-01-07 16:26 ` Christoph Lameter
2016-01-08 1:23 ` Laura Abbott [this message]
2016-01-08 1:23 ` Laura Abbott
2016-01-08 1:23 ` Laura Abbott
2016-01-08 14:07 ` [kernel-hardening] " Christoph Lameter
2016-01-08 14:07 ` Christoph Lameter
2016-01-08 14:07 ` Christoph Lameter
2016-01-14 3:49 ` [kernel-hardening] " Laura Abbott
2016-01-14 3:49 ` Laura Abbott
2016-01-14 3:49 ` Laura Abbott
2016-01-21 3:35 ` [kernel-hardening] " Laura Abbott
2016-01-21 3:35 ` Laura Abbott
2016-01-21 3:35 ` Laura Abbott
2016-01-21 15:39 ` [kernel-hardening] " Christoph Lameter
2016-01-21 15:39 ` Christoph Lameter
2016-01-21 15:39 ` Christoph Lameter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=568F0F75.4090101@labbott.name \
--to=laura@labbott.name \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.