From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f179.google.com (mail-pf0-f179.google.com [209.85.192.179]) by kanga.kvack.org (Postfix) with ESMTP id BFAEC6B0005 for ; Tue, 8 Mar 2016 04:33:49 -0500 (EST) Received: by mail-pf0-f179.google.com with SMTP id 63so9019347pfe.3 for ; Tue, 08 Mar 2016 01:33:49 -0800 (PST) Received: from aserp1040.oracle.com (aserp1040.oracle.com. [141.146.126.69]) by mx.google.com with ESMTPS id qz9si3576556pab.94.2016.03.08.01.33.48 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 08 Mar 2016 01:33:48 -0800 (PST) Message-ID: <56DE9C4D.8000709@oracle.com> Date: Tue, 08 Mar 2016 20:33:01 +1100 From: James Morris MIME-Version: 1.0 Subject: Re: [PATCH v2] sparc64: Add support for Application Data Integrity (ADI) References: <1456951177-23579-1-git-send-email-khalid.aziz@oracle.com> <20160305.230702.1325379875282120281.davem@davemloft.net> <56DD9949.1000106@oracle.com> <20160307.115626.807716799249471744.davem@davemloft.net> <56DDC2B6.6020009@oracle.com> <56DDC6E0.4000907@oracle.com> <56DDDA31.9090105@oracle.com> <56DE1341.4080206@oracle.com> In-Reply-To: <56DE1341.4080206@oracle.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Andy Lutomirski , Khalid Aziz Cc: David Miller , Jonathan Corbet , Andrew Morton , dingel@linux.vnet.ibm.com, bob.picco@oracle.com, "Kirill A. Shutemov" , "Aneesh Kumar K.V" , Andrea Arcangeli , Arnd Bergmann , sparclinux@vger.kernel.org, Rob Gardner , Michal Hocko , chris.hyser@oracle.com, Richard Weinberger , Vlastimil Babka , Konstantin Khlebnikov , Oleg Nesterov , Greg Thelen , Jan Kara , xiexiuqi@huawei.com, Vineet.Gupta1@synopsys.com, Andrew Lutomirski , "Eric W. Biederman" , Benjamin Segall , Geert Uytterhoeven , Davidlohr Bueso , Alexey Dobriyan , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-mm@kvack.org" , linux-arch , Linux API On 03/08/2016 10:48 AM, James Morris wrote: > On 03/08/2016 06:54 AM, Andy Lutomirski wrote: >> >> This makes sense, but I still think the design is poor. If the hacker >> gets code execution, then they can trivially brute force the ADI bits. >> > > ADI in this scenario is intended to prevent the attacker from gaining > code execution in the first place. Here's some more background from Enrico Perla (who literally wrote the book on kernel exploitation): https://blogs.oracle.com/enrico/entry/hardening_allocators_with_adi Probably the most significant advantage from a security point of view is the ability to eliminate an entire class of vulnerability: adjacent heap overflows, as discussed above, where, for example, adjacent heap objects are tagged differently. Classic linear buffer overflows can be eliminated. As Kees Cook outlined at the 2015 kernel summit, it's best to mitigate classes of vulnerabilities rather than patch each instance: https://outflux.net/slides/2011/defcon/kernel-exploitation.pdf The Linux ADI implementation is currently very rudimentary, and we definitely welcome continued feedback from the community and ideas as it evolves. - James -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org