From: "PaX Team" <pageexec@freemail.hu>
To: Ingo Molnar <mingo@kernel.org>
Cc: kernel-hardening@lists.openwall.com,
Mathias Krause <minipli@googlemail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>, x86-ml <x86@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Michael Ellerman <mpe@ellerman.id.au>,
linux-arch@vger.kernel.org, Emese Revfy <re.emese@gmail.com>
Subject: Re: [PATCH 0/2] introduce post-init read-only memory
Date: Thu, 26 Nov 2015 13:14:26 +0100 [thread overview]
Message-ID: <5656F7A2.738.131F89C0@pageexec.freemail.hu> (raw)
In-Reply-To: <20151126104229.GA8530@gmail.com>
On 26 Nov 2015 at 11:42, Ingo Molnar wrote:
> * PaX Team <pageexec@freemail.hu> wrote:
>
> > On 26 Nov 2015 at 9:54, Ingo Molnar wrote:
>
> > e.g., imagine that the write was to a function pointer (even an entire ops
> > structure) or a boolean that controls some important feature for after-init
> > code. ignoring/dropping such writes could cause all kinds of logic bugs (if not
> > worse).
>
> Well, the typical case is that it's a logic bug to _do_ the write: the structure
> was marked readonly for a reason but some init code re-runs during suspend or so.
that's actually not the typical case in my experience, but rather these two:
1. initial mistake: someone didn't actually check whether the given object can
be __read_only
2. code evolution: an object that was once written by __init code only (and
thus proactively subjected to __read_only) gets modified by non-init code
due to later changes
what you described above is a third case where there's a latent bug to begin
(unintended write) with that __read_only merely exposes but doesn't create
itself, unlike the two cases above (intended writes getting caught by wrong
use of __read_only).
> But yes, logic bugs might trigger - but that is true in the opposite case as well,
> if we do the write despite it being marked readonly:
not really, the two cases above are not a priori bugs, they become bugs due
to using __read_only without due care (which is why i suggested to detect
them at compile time).
> > misusing __read_only and ignoring write attempts would effectively produce the
> > same misbehaviour as above so i strongly advise against it.
>
> No, the difference to the GCC related aliasing bug is that with my technique the
> kernel would immediately produce a very visible kernel warning, which is a very
> clear sign that is wrong - and with a very clear backtrace in the warning that
> points right to the problematic code - which signature shows us (and users) what
> is wrong.
my proposal would produce the exact same reports, the difference is in letting
the write attempt succeed vs. skipping it. this latter step is what is wrong
since it introduces at least a logic bug the same way the constprop optimization
created a logic bug.
> Plus the truly paranoid might panic/halt the system on such warnings, so for
> highly secure systems there's a way to not even allow the possibility of logic
> bugs. (at the cost of stopping the system when a bug triggers.)
this would/should be the default behaviour, i.e., no attempt at being smart by
either allowing or skipping the faulting insn, just report the event and trigger
whatever fancy future exploit reaction mechanism will get into the kernel.
WARNING: multiple messages have this Message-ID (diff)
From: "PaX Team" <pageexec@freemail.hu>
To: Ingo Molnar <mingo@kernel.org>
Cc: kernel-hardening@lists.openwall.com,
Mathias Krause <minipli@googlemail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>, x86-ml <x86@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Michael Ellerman <mpe@ellerman.id.au>,
linux-arch@vger.kernel.org, Emese Revfy <re.emese@gmail.com>
Subject: Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory
Date: Thu, 26 Nov 2015 13:14:26 +0100 [thread overview]
Message-ID: <5656F7A2.738.131F89C0@pageexec.freemail.hu> (raw)
Message-ID: <20151126121426.LmwSGS_9PxN4hH0NMqngVLW3EXTntHFkZNQuxnUdoE4@z> (raw)
In-Reply-To: <20151126104229.GA8530@gmail.com>
On 26 Nov 2015 at 11:42, Ingo Molnar wrote:
> * PaX Team <pageexec@freemail.hu> wrote:
>
> > On 26 Nov 2015 at 9:54, Ingo Molnar wrote:
>
> > e.g., imagine that the write was to a function pointer (even an entire ops
> > structure) or a boolean that controls some important feature for after-init
> > code. ignoring/dropping such writes could cause all kinds of logic bugs (if not
> > worse).
>
> Well, the typical case is that it's a logic bug to _do_ the write: the structure
> was marked readonly for a reason but some init code re-runs during suspend or so.
that's actually not the typical case in my experience, but rather these two:
1. initial mistake: someone didn't actually check whether the given object can
be __read_only
2. code evolution: an object that was once written by __init code only (and
thus proactively subjected to __read_only) gets modified by non-init code
due to later changes
what you described above is a third case where there's a latent bug to begin
(unintended write) with that __read_only merely exposes but doesn't create
itself, unlike the two cases above (intended writes getting caught by wrong
use of __read_only).
> But yes, logic bugs might trigger - but that is true in the opposite case as well,
> if we do the write despite it being marked readonly:
not really, the two cases above are not a priori bugs, they become bugs due
to using __read_only without due care (which is why i suggested to detect
them at compile time).
> > misusing __read_only and ignoring write attempts would effectively produce the
> > same misbehaviour as above so i strongly advise against it.
>
> No, the difference to the GCC related aliasing bug is that with my technique the
> kernel would immediately produce a very visible kernel warning, which is a very
> clear sign that is wrong - and with a very clear backtrace in the warning that
> points right to the problematic code - which signature shows us (and users) what
> is wrong.
my proposal would produce the exact same reports, the difference is in letting
the write attempt succeed vs. skipping it. this latter step is what is wrong
since it introduces at least a logic bug the same way the constprop optimization
created a logic bug.
> Plus the truly paranoid might panic/halt the system on such warnings, so for
> highly secure systems there's a way to not even allow the possibility of logic
> bugs. (at the cost of stopping the system when a bug triggers.)
this would/should be the default behaviour, i.e., no attempt at being smart by
either allowing or skipping the faulting insn, just report the event and trigger
whatever fancy future exploit reaction mechanism will get into the kernel.
next prev parent reply other threads:[~2015-11-26 12:14 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-24 21:38 [PATCH 0/2] introduce post-init read-only memory Kees Cook
2015-11-24 21:38 ` Kees Cook
2015-11-24 21:38 ` [PATCH 1/2] x86: " Kees Cook
2015-11-24 21:38 ` Kees Cook
2015-11-25 0:34 ` Andy Lutomirski
2015-11-25 0:34 ` Andy Lutomirski
2015-11-25 0:44 ` Kees Cook
2015-11-25 0:54 ` [kernel-hardening] " Michael Ellerman
2015-11-25 15:03 ` Kees Cook
2015-11-25 23:05 ` Michael Ellerman
2015-11-25 23:32 ` Kees Cook
2015-11-25 23:32 ` [kernel-hardening] " Kees Cook
2015-11-24 21:38 ` [PATCH 2/2] x86, vdso: mark vDSO read-only after init Kees Cook
2015-11-24 21:38 ` Kees Cook
2015-11-25 9:13 ` [PATCH 0/2] introduce post-init read-only memory Mathias Krause
2015-11-25 9:13 ` [kernel-hardening] " Mathias Krause
2015-11-25 10:06 ` Clemens Ladisch
2015-11-25 10:06 ` Clemens Ladisch
2015-11-25 11:14 ` PaX Team
2015-11-25 11:14 ` [kernel-hardening] " PaX Team
2015-11-25 11:05 ` PaX Team
2015-11-25 11:05 ` [kernel-hardening] " PaX Team
2015-11-26 8:54 ` Ingo Molnar
2015-11-26 9:57 ` PaX Team
2015-11-26 9:57 ` [kernel-hardening] " PaX Team
2015-11-26 10:42 ` Ingo Molnar
2015-11-26 12:14 ` PaX Team [this message]
2015-11-26 12:14 ` PaX Team
2015-11-27 8:05 ` Ingo Molnar
2015-11-27 8:05 ` [kernel-hardening] " Ingo Molnar
2015-11-27 15:29 ` PaX Team
2015-11-27 15:29 ` [kernel-hardening] " PaX Team
2015-11-27 16:30 ` Andy Lutomirski
2015-11-29 8:08 ` Ingo Molnar
2015-11-29 8:08 ` Ingo Molnar
2015-11-29 11:15 ` PaX Team
2015-11-29 11:15 ` [kernel-hardening] " PaX Team
2015-11-29 15:39 ` Ingo Molnar
2015-11-29 18:05 ` Mathias Krause
2015-11-29 18:05 ` [kernel-hardening] " Mathias Krause
2015-11-30 8:01 ` Ingo Molnar
2015-11-30 8:01 ` [kernel-hardening] " Ingo Molnar
2015-11-26 16:11 ` Andy Lutomirski
2015-11-26 16:11 ` [kernel-hardening] " Andy Lutomirski
2015-11-27 7:59 ` Ingo Molnar
2015-11-27 7:59 ` [kernel-hardening] " Ingo Molnar
2015-11-27 18:00 ` Linus Torvalds
2015-11-27 18:03 ` Linus Torvalds
2015-11-27 18:03 ` [kernel-hardening] " Linus Torvalds
2015-11-27 20:03 ` Kees Cook
2015-11-27 20:03 ` [kernel-hardening] " Kees Cook
2015-11-27 20:09 ` Andy Lutomirski
2015-11-29 8:05 ` Ingo Molnar
2015-11-29 8:05 ` Ingo Molnar
2015-11-30 21:14 ` H. Peter Anvin
2015-11-30 21:14 ` [kernel-hardening] " H. Peter Anvin
2015-11-30 21:33 ` Kees Cook
2015-11-30 21:38 ` Andy Lutomirski
2015-11-30 21:38 ` Andy Lutomirski
2015-11-30 21:43 ` H. Peter Anvin
2015-11-30 21:43 ` [kernel-hardening] " H. Peter Anvin
2015-11-25 17:26 ` Kees Cook
2015-11-25 17:26 ` [kernel-hardening] " Kees Cook
2015-11-25 17:31 ` H. Peter Anvin
2015-11-25 17:31 ` [kernel-hardening] " H. Peter Anvin
2015-11-25 18:54 ` Kees Cook
2015-11-25 19:06 ` H. Peter Anvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5656F7A2.738.131F89C0@pageexec.freemail.hu \
--to=pageexec@freemail.hu \
--cc=arnd@arndb.de \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=minipli@googlemail.com \
--cc=mpe@ellerman.id.au \
--cc=re.emese@gmail.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).