[kernel-hardening] Re: [PATCH v2 1/5] irq: set {msi_domain,syscore}_ops as __ro_after_init

public inbox for kernel-hardening@lists.openwall.com
 help / color / mirror / Atom feed

From: Thomas Gleixner <tglx@linutronix.de>
To: Jess Frazelle <me@jessfraz.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>,
	"open list:IRQ SUBSYSTEM" <linux-kernel@vger.kernel.org>,
	kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH v2 1/5] irq: set {msi_domain,syscore}_ops as __ro_after_init
Date: Sat, 11 Feb 2017 10:23:03 +0100 (CET)	[thread overview]
Message-ID: <alpine.DEB.2.20.1702111019110.3734@nanos> (raw)
In-Reply-To: <alpine.DEB.2.20.1702110948030.3734@nanos>



On Sat, 11 Feb 2017, Thomas Gleixner wrote:

> On Fri, 10 Feb 2017, Jess Frazelle wrote:
> 
> > Marked msi_domain_ops structs as __ro_after_init when called only during init.
> > Marked syscore_ops structs as __ro_after_init when register_syscore_ops was
> > called only during init. Most of the caller functions were already annotated as
> > __init.
> > unregister_syscore_ops() was never called on these syscore_ops.
> > This protects the data structure from accidental corruption.
> 
> Please be more careful with your changelogs. They should not start with
> telling WHAT you have done. The WHAT we can see from the patch.
> 
> The interesting information which belongs into the changelog is: WHY and
> which problem does it solve or which enhancement this is. Let me give you
> an example:
> 
>   Function pointers are a target for attacks especially when they are
>   located in statically allocated data structures. Some of these data
>   structures are only modified during init and therefor can be made read
>   only after init.
> 
>   struct msi_domain_ops can be made read only after init because they are
>   only updated in the registration case.
> 
>   struct syscore_ops can be made read only after init when they are only
>   registered, but never unregistered.
> 
> So this would be a proper change log explaning the patch.
> 
> Emphasis on WOULD, See below.
> 
> > -static struct syscore_ops irq_gc_syscore_ops = {
> > +static struct syscore_ops irq_gc_syscore_ops __ro_after_init = {
> >  	.suspend = irq_gc_suspend,
> >  	.resume = irq_gc_resume,
> >  	.shutdown = irq_gc_shutdown,
> 
> I seriously doubt that syscore_ops can be made __ro_after_init at all.
> 
> Assume the following:
> 
> last_init_function()
>   register_syscore_ops(&a_ops)
>     list_add(&a_ops->node, list);
> 
> apply_ro_after_init()
>   // a_ops are now read only
> 
> cpuhotplug happens
>   register_syscore_ops(&b_ops)
>     list_add(&b_ops->node, list);
> 
>     ===> Kernel crashes with a write access on RO memory because it tries
>     	 to link b_ops to a_ops.
> 
> The same is true for cpuhotunplug operations.

Sorry, cpuhotplug was the wrong example, but loading or unloading the KVM
modules will have that effect.

See vmx_init()/exit() and kvm_init()/exit() for reference.

Thanks,

	tglx

next prev parent reply	other threads:[~2017-02-11  9:23 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-11  1:37 [kernel-hardening] [PATCH v2 1/5] irq: set {msi_domain,syscore}_ops as __ro_after_init Jess Frazelle
2017-02-11  1:37 ` [kernel-hardening] [PATCH v2 2/5] time: mark syscore_ops " Jess Frazelle
2017-02-11  2:12   ` [kernel-hardening] " John Stultz
2017-02-11  9:23     ` Thomas Gleixner
2017-02-11  1:37 ` [kernel-hardening] [PATCH v2 3/5] pci: set msi_domain_ops " Jess Frazelle
2017-02-12  4:08   ` [kernel-hardening] " KY Srinivasan
2017-02-13 18:14   ` [kernel-hardening] " Keith Busch
2017-02-15 20:33   ` Bjorn Helgaas
2017-02-15 20:46     ` Kees Cook
2017-02-15 21:16     ` Thomas Gleixner
2017-02-16 14:35       ` Bjorn Helgaas
2017-02-16 14:38         ` Thomas Gleixner
2017-03-07 19:07           ` Bjorn Helgaas
2017-03-14 18:50             ` Jessica Frazelle
2017-03-14 19:24               ` Bjorn Helgaas
2017-02-11  1:37 ` [kernel-hardening] [PATCH v2 4/5] staging: " Jess Frazelle
2017-02-11  1:37 ` [kernel-hardening] [PATCH v2 5/5] x86: " Jess Frazelle
2017-02-11  9:14 ` [kernel-hardening] Re: [PATCH v2 1/5] irq: set {msi_domain,syscore}_ops " Thomas Gleixner
2017-02-11  9:23   ` Thomas Gleixner [this message]
2017-02-11 10:48   ` Jess Frazelle
2017-02-11 12:00     ` Thomas Gleixner
2017-02-11 12:17       ` Jessica Frazelle

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.20.1702111019110.3734@nanos \
    --to=tglx@linutronix.de \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=marc.zyngier@arm.com \
    --cc=me@jessfraz.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox