From: mingo@kernel.org (Ingo Molnar)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode
Date: Mon, 8 May 2017 16:02:30 +0200 [thread overview]
Message-ID: <20170508140230.23kxf2kfeazeo4zr@gmail.com> (raw)
In-Reply-To: <CAGXu5jKZRESgGhZ6GEoO784Q1G8V0DPcwM1T2PpyTqvEAsrUdg@mail.gmail.com>
* Kees Cook <keescook@chromium.org> wrote:
> > And yes, I realize that there were other such bugs and that such bugs might
> > occur in the future - but why not push the overhead of the security check to
> > the kernel build phase? I.e. I'm wondering how well we could do static
> > analysis during kernel build - would a limited mode of Sparse be good enough
> > for that? Or we could add a new static checker to tools/, built from first
> > principles and used primarily for extended syntactical checking.
>
> Static analysis is just not going to cover all cases. We've had vulnerabilities
> where interrupt handlers left KERNEL_DS set, for example. [...]
Got any commit ID of that bug - was it because a function executed by the
interrupt handler leaked KERNEL_DS?
> [...] If there are performance concerns, let's put this behind a CONFIG. 2-5
> instructions is not an issue for most people that want this coverage.
That doesn't really _solve_ the performance concerns, it just forces most people
to enable it by creating a 'security or performance' false dichotomy ...
> [...] and it still won't catch everything. Bug-finding is different from making
> a bug class just unexploitable at all. As we've done before, it's the difference
> between trying to find format string attacks vs just removing %n from the format
> parser.
No, it does not make it unexploitable, it could still be exploitable if the
runtime check is buggy or if there's kernel execution outside of the regular
system call paths - there's plenty of such hardware functionality on x86 for
example.
Thanks,
Ingo
next prev parent reply other threads:[~2017-05-08 14:02 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-28 15:32 [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode Thomas Garnier
2017-04-28 15:32 ` [PATCH v9 2/4] x86/syscalls: Optimize address limit check Thomas Garnier
2017-04-28 15:32 ` [PATCH v9 3/4] arm/syscalls: " Thomas Garnier
2017-04-28 15:32 ` [PATCH v9 4/4] arm64/syscalls: " Thomas Garnier
2017-05-05 22:18 ` [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode Thomas Garnier
2017-05-08 7:33 ` Ingo Molnar
2017-05-08 7:52 ` Ingo Molnar
2017-05-08 15:22 ` [kernel-hardening] " Daniel Micay
2017-05-08 15:26 ` Kees Cook
2017-05-08 19:51 ` Thomas Garnier
2017-05-09 6:56 ` Ingo Molnar
2017-05-09 11:10 ` Greg KH
2017-05-09 14:29 ` Thomas Garnier
2017-05-11 23:17 ` Thomas Garnier
2017-05-11 23:44 ` Linus Torvalds
2017-05-12 5:28 ` Martin Schwidefsky
2017-05-12 5:34 ` Kees Cook
2017-05-12 5:54 ` Martin Schwidefsky
2017-05-12 19:01 ` Kees Cook
2017-05-12 19:08 ` Russell King - ARM Linux
2017-05-12 19:08 ` Linus Torvalds
2017-05-12 19:30 ` Kees Cook
2017-05-12 20:21 ` Russell King - ARM Linux
2017-05-12 20:30 ` Peter Zijlstra
2017-05-12 20:45 ` Russell King - ARM Linux
2017-05-12 21:00 ` Kees Cook
2017-05-12 21:04 ` Kees Cook
2017-05-13 7:21 ` Christoph Hellwig
2017-05-12 21:06 ` Al Viro
2017-05-12 21:16 ` Daniel Micay
2017-05-12 21:17 ` Kees Cook
2017-05-12 21:23 ` Daniel Micay
2017-05-12 21:41 ` Al Viro
2017-05-12 21:47 ` Rik van Riel
2017-05-12 22:57 ` Al Viro
2017-05-12 21:50 ` Kees Cook
2017-05-12 6:57 ` Ingo Molnar
2017-05-12 6:13 ` Andy Lutomirski
2017-05-12 6:58 ` Ingo Molnar
2017-05-12 17:05 ` Thomas Garnier
2017-05-09 16:30 ` Kees Cook
2017-05-08 12:46 ` Greg KH
2017-05-09 6:45 ` Ingo Molnar
2017-05-09 8:56 ` Christoph Hellwig
2017-05-09 13:00 ` Andy Lutomirski
2017-05-09 13:02 ` Christoph Hellwig
2017-05-09 16:03 ` Christoph Hellwig
2017-05-09 16:50 ` Kees Cook
2017-05-09 22:52 ` Andy Lutomirski
2017-05-09 23:31 ` Kees Cook
2017-05-10 1:59 ` Andy Lutomirski
2017-05-10 7:15 ` Christoph Hellwig
2017-05-11 11:22 ` Borislav Petkov
2017-05-10 6:46 ` Christoph Hellwig
2017-05-10 2:11 ` Al Viro
2017-05-10 2:45 ` Al Viro
2017-05-10 3:12 ` Al Viro
2017-05-10 3:21 ` Al Viro
2017-05-10 3:39 ` Al Viro
2017-05-10 6:54 ` Christoph Hellwig
2017-05-10 6:53 ` Christoph Hellwig
2017-05-10 7:27 ` Al Viro
2017-05-10 7:35 ` Christoph Hellwig
2017-05-10 6:49 ` Christoph Hellwig
2017-05-10 7:28 ` Arnd Bergmann
2017-05-10 7:35 ` Christoph Hellwig
2017-05-09 16:05 ` Brian Gerst
2017-05-10 7:37 ` Arnd Bergmann
2017-05-10 8:08 ` Al Viro
2017-05-10 8:14 ` Christoph Hellwig
2017-05-11 0:18 ` Andy Lutomirski
2017-05-12 7:00 ` Ingo Molnar
2017-05-12 7:15 ` Al Viro
2017-05-12 7:35 ` Christoph Hellwig
2017-05-12 8:07 ` Christoph Hellwig
2017-05-12 8:23 ` Greg KH
2017-05-12 7:43 ` Arnd Bergmann
2017-05-12 8:11 ` Christoph Hellwig
2017-05-12 8:16 ` Al Viro
2017-05-12 8:11 ` Al Viro
2017-05-12 8:20 ` Arnd Bergmann
2017-05-12 23:20 ` Andy Lutomirski
2017-05-08 13:09 ` Kees Cook
2017-05-08 14:02 ` Ingo Molnar [this message]
2017-05-08 14:06 ` Jann Horn
2017-05-08 20:48 ` Al Viro
2017-05-12 23:15 ` Andy Lutomirski
2017-05-08 15:24 ` Kees Cook
2017-05-09 6:34 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170508140230.23kxf2kfeazeo4zr@gmail.com \
--to=mingo@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).