From mboxrd@z Thu Jan 1 00:00:00 1970 Reply-To: kernel-hardening@lists.openwall.com References: <1453740953-18109-1-git-send-email-labbott@fedoraproject.org> From: Sasha Levin Message-ID: <56A70C9D.8060102@oracle.com> Date: Tue, 26 Jan 2016 01:05:17 -0500 MIME-Version: 1.0 In-Reply-To: <1453740953-18109-1-git-send-email-labbott@fedoraproject.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Subject: [kernel-hardening] Re: [RFC][PATCH 0/3] Sanitization of buddy pages To: Laura Abbott , Andrew Morton , "Kirill A. Shutemov" , Vlastimil Babka , Michal Hocko Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Kees Cook , Andrey Ryabinin List-ID: On 01/25/2016 11:55 AM, Laura Abbott wrote: > Hi, > > This is an implementation of page poisoning/sanitization for all arches. It > takes advantage of the existing implementation for > !ARCH_SUPPORTS_DEBUG_PAGEALLOC arches. This is a different approach than what > the Grsecurity patches were taking but should provide equivalent functionality. > > For those who aren't familiar with this, the goal of sanitization is to reduce > the severity of use after free and uninitialized data bugs. Memory is cleared > on free so any sensitive data is no longer available. Discussion of > sanitization was brough up in a thread about CVEs > (lkml.kernel.org/g/<20160119112812.GA10818@mwanda>) > > I eventually expect Kconfig names will want to be changed and or moved if this > is going to be used for security but that can happen later. > > Credit to Mathias Krause for the version in grsecurity > > Laura Abbott (3): > mm/debug-pagealloc.c: Split out page poisoning from debug page_alloc > mm/page_poison.c: Enable PAGE_POISONING as a separate option > mm/page_poisoning.c: Allow for zero poisoning > > Documentation/kernel-parameters.txt | 5 ++ > include/linux/mm.h | 13 +++ > include/linux/poison.h | 4 + > mm/Kconfig.debug | 35 +++++++- > mm/Makefile | 5 +- > mm/debug-pagealloc.c | 127 +---------------------------- > mm/page_alloc.c | 10 ++- > mm/page_poison.c | 158 ++++++++++++++++++++++++++++++++++++ > 8 files changed, 228 insertions(+), 129 deletions(-) > create mode 100644 mm/page_poison.c > Should poisoning of this kind be using kasan rather than "old fashioned" poisoning? Thanks, Sasha From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pa0-f51.google.com (mail-pa0-f51.google.com [209.85.220.51]) by kanga.kvack.org (Postfix) with ESMTP id 49C7E6B0005 for ; Tue, 26 Jan 2016 01:06:39 -0500 (EST) Received: by mail-pa0-f51.google.com with SMTP id ho8so92800892pac.2 for ; Mon, 25 Jan 2016 22:06:39 -0800 (PST) Received: from userp1040.oracle.com (userp1040.oracle.com. [156.151.31.81]) by mx.google.com with ESMTPS id q87si39072435pfa.197.2016.01.25.22.06.38 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Jan 2016 22:06:38 -0800 (PST) Subject: Re: [RFC][PATCH 0/3] Sanitization of buddy pages References: <1453740953-18109-1-git-send-email-labbott@fedoraproject.org> From: Sasha Levin Message-ID: <56A70C9D.8060102@oracle.com> Date: Tue, 26 Jan 2016 01:05:17 -0500 MIME-Version: 1.0 In-Reply-To: <1453740953-18109-1-git-send-email-labbott@fedoraproject.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Laura Abbott , Andrew Morton , "Kirill A. Shutemov" , Vlastimil Babka , Michal Hocko Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Kees Cook , Andrey Ryabinin On 01/25/2016 11:55 AM, Laura Abbott wrote: > Hi, > > This is an implementation of page poisoning/sanitization for all arches. It > takes advantage of the existing implementation for > !ARCH_SUPPORTS_DEBUG_PAGEALLOC arches. This is a different approach than what > the Grsecurity patches were taking but should provide equivalent functionality. > > For those who aren't familiar with this, the goal of sanitization is to reduce > the severity of use after free and uninitialized data bugs. Memory is cleared > on free so any sensitive data is no longer available. Discussion of > sanitization was brough up in a thread about CVEs > (lkml.kernel.org/g/<20160119112812.GA10818@mwanda>) > > I eventually expect Kconfig names will want to be changed and or moved if this > is going to be used for security but that can happen later. > > Credit to Mathias Krause for the version in grsecurity > > Laura Abbott (3): > mm/debug-pagealloc.c: Split out page poisoning from debug page_alloc > mm/page_poison.c: Enable PAGE_POISONING as a separate option > mm/page_poisoning.c: Allow for zero poisoning > > Documentation/kernel-parameters.txt | 5 ++ > include/linux/mm.h | 13 +++ > include/linux/poison.h | 4 + > mm/Kconfig.debug | 35 +++++++- > mm/Makefile | 5 +- > mm/debug-pagealloc.c | 127 +---------------------------- > mm/page_alloc.c | 10 ++- > mm/page_poison.c | 158 ++++++++++++++++++++++++++++++++++++ > 8 files changed, 228 insertions(+), 129 deletions(-) > create mode 100644 mm/page_poison.c > Should poisoning of this kind be using kasan rather than "old fashioned" poisoning? Thanks, Sasha -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754298AbcAZGIa (ORCPT ); Tue, 26 Jan 2016 01:08:30 -0500 Received: from aserp1050.oracle.com ([141.146.126.70]:23222 "EHLO aserp1050.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751040AbcAZGI2 (ORCPT ); Tue, 26 Jan 2016 01:08:28 -0500 Subject: Re: [RFC][PATCH 0/3] Sanitization of buddy pages To: Laura Abbott , Andrew Morton , "Kirill A. Shutemov" , Vlastimil Babka , Michal Hocko References: <1453740953-18109-1-git-send-email-labbott@fedoraproject.org> Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Kees Cook , Andrey Ryabinin From: Sasha Levin Message-ID: <56A70C9D.8060102@oracle.com> Date: Tue, 26 Jan 2016 01:05:17 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 MIME-Version: 1.0 In-Reply-To: <1453740953-18109-1-git-send-email-labbott@fedoraproject.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-Source-IP: userp1040.oracle.com [156.151.31.81] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 01/25/2016 11:55 AM, Laura Abbott wrote: > Hi, > > This is an implementation of page poisoning/sanitization for all arches. It > takes advantage of the existing implementation for > !ARCH_SUPPORTS_DEBUG_PAGEALLOC arches. This is a different approach than what > the Grsecurity patches were taking but should provide equivalent functionality. > > For those who aren't familiar with this, the goal of sanitization is to reduce > the severity of use after free and uninitialized data bugs. Memory is cleared > on free so any sensitive data is no longer available. Discussion of > sanitization was brough up in a thread about CVEs > (lkml.kernel.org/g/<20160119112812.GA10818@mwanda>) > > I eventually expect Kconfig names will want to be changed and or moved if this > is going to be used for security but that can happen later. > > Credit to Mathias Krause for the version in grsecurity > > Laura Abbott (3): > mm/debug-pagealloc.c: Split out page poisoning from debug page_alloc > mm/page_poison.c: Enable PAGE_POISONING as a separate option > mm/page_poisoning.c: Allow for zero poisoning > > Documentation/kernel-parameters.txt | 5 ++ > include/linux/mm.h | 13 +++ > include/linux/poison.h | 4 + > mm/Kconfig.debug | 35 +++++++- > mm/Makefile | 5 +- > mm/debug-pagealloc.c | 127 +---------------------------- > mm/page_alloc.c | 10 ++- > mm/page_poison.c | 158 ++++++++++++++++++++++++++++++++++++ > 8 files changed, 228 insertions(+), 129 deletions(-) > create mode 100644 mm/page_poison.c > Should poisoning of this kind be using kasan rather than "old fashioned" poisoning? Thanks, Sasha