From: Ingo Molnar <mingo@elte.hu>
To: "Larry H." <research@subreption.com>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Rik van Riel <riel@redhat.com>,
linux-kernel@vger.kernel.org, Linus Torvalds <torvalds@osdl.org>,
linux-mm@kvack.org, Ingo Molnar <mingo@redhat.com>,
pageexec@freemail.hu,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [patch 0/5] Support for sanitization flag in low-level page allocator
Date: Sat, 30 May 2009 20:21:13 +0200 [thread overview]
Message-ID: <20090530182113.GA25237@elte.hu> (raw)
In-Reply-To: <20090530180333.GH6535@oblivion.subreption.com>
* Larry H. <research@subreption.com> wrote:
> On 19:34 Sat 30 May , Ingo Molnar wrote:
> > You need to provide a more sufficient and more constructive answer
> > than that, if you propose upstream patches that impact the SLAB
> > subsystem.
>
> Impact? If you mean introducing changes, definitely. If the word
> has negative connotations in this context, definitely not ;)
i mean its most obvious meaning: if you change the SLAB subsystem,
it goes via Pekka. Also, changes to the page allocator impact the
SLAB subsystem too (which is the most common front-end to the page
allocator) so he has a say there too obviously ...
> > FYI Pekka is one of the SLAB subsystem maintainers so you need
> > to convince him that your patches are the right approach. Trying
> > to teach Pekka about SLAB internals in a condescending tone will
> > only cause your patches to be ignored.
>
> I've never tried to teach you anything but security matters, so
> far. And I've been quite unsuccessful at it, apparently. That
> said, please let me explain why kzfree was broken (as of 2.6.29.4,
> I've been told 30-rc2 already has users of it).
>
> The first issue is that SLOB has a broken ksize, which won't take
> into consideration compound pages AFAIK. To fix this you will need
> to introduce some changes in the way the slob_page structure is
> handled, and add real size tracking to it. You will find these
> problems if you try to implement a reliable kmem_ptr_validate for
> SLOB, too.
SLOB is a rarely used (and high overhead) allocator. But the right
answer there: fix kzalloc().
> The second is that I've experienced issues with kzfree on
> 2.6.29.4, in which something (apparently the freelist pointer) is
> overwritten and leads to a NULL pointer deference in the next
> allocation in the affected cache. I didn't fully analyze what was
> broken, besides that for sanitizing the objects on kfree I needed
> to rely on the inuse size and not the one reported by ksize, if I
> wanted to avoid hitting that trailing meta-data.
>
> I just noticed Johannes Weiner's patch from February 16.
if kzfree() is broken then a number of places in the kernel that
currently rely on it are potentially broken as well.
So as far as i'm concerned, your patchset is best expressed in the
following form: Cryto, WEP and other sensitive places should be
updated to use kzfree() to free keys.
This can be done unconditionally (without any Kconfig flag), as it's
all in slow-paths - and because there's a real security value in
sanitizing buffers that held sensitive keys, when they are freed.
Regarding a whole-sale 'clear everything on free' approach - that's
both pointless security wise (sensitive information can still leak
indefinitely [if you disagree i can provide an example]) and has a
very high cost so it's not acceptable to normal Linux distros.
> BTW, talking about branches and call depth, you are proposing
> using kzfree() which involves further test and call branches
> (including those inside the specific ksize implementation of the
> allocator being used) and it duplicates the check for
> ZERO_SIZE_PTR/NULL too. The function is so simple that it should
> be a static inline declared in slab.h. It also lacks any
> validation checks as performed in kfree (besides the zero
> size/null ptr one).
>
> Also, users of unconditional sanitization would see unnecessary
> duplication of the clearing, causing a real performance hit (which
> would be almost non existent otherwise). That will make kzfree
> unsuitable for most hot spots like the crypto api and the mac80211
> wep code.
>
> Honestly your proposed approach seems a little weak.
Unconditional honesty is definitely welcome ;-)
Freeing keys is an utter slow-path (if not then the clearing is the
least of our performance worries), so any clearing cost is in the
noise. Furthermore, kzfree() is an existing facility already in use.
If it's reused by your patches that brings further advantages:
kzfree(), if it has any bugs, will be fixed. While if you add a
parallel facility kzfree() stays broken.
So your examples about real or suspected kzfree() breakages only
strengthen the point that your patches should be using it. Keeping a
rarely used kernel facility (like kzfree) correct is hard -
splintering it by creating a parallel facility is actively harmful
for that reason.
Ingo
next prev parent reply other threads:[~2009-05-30 18:21 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-20 18:30 [patch 0/5] Support for sanitization flag in low-level page allocator Larry H.
2009-05-20 20:42 ` Peter Zijlstra
2009-05-20 21:24 ` Larry H.
2009-05-21 15:21 ` Robin Holt
2009-05-21 18:43 ` Larry H.
2009-05-29 22:58 ` Andrew Morton
2009-05-30 7:12 ` Pekka Enberg
2009-05-30 7:35 ` Larry H.
2009-05-30 7:39 ` Pekka Enberg
2009-05-21 19:08 ` Rik van Riel
2009-05-21 19:26 ` Alan Cox
2009-05-21 19:56 ` Larry H.
2009-05-21 20:47 ` Alan Cox
[not found] ` <20090521214638.GL10756@oblivion.subreption.com>
2009-05-21 22:47 ` Alan Cox
2009-05-22 11:22 ` Larry H.
2009-05-22 13:37 ` Alan Cox
2009-05-26 19:02 ` Pavel Machek
[not found] ` <4A15A8C7.2030505@redhat.com>
[not found] ` <20090522073436.GA3612@elte.hu>
2009-05-22 11:38 ` Larry H.
2009-05-22 13:39 ` Alan Cox
2009-05-22 18:03 ` Larry H.
2009-05-22 18:21 ` Alan Cox
[not found] ` <20090522234031.GH13971@oblivion.subreption.com>
2009-05-23 8:09 ` Alan Cox
2009-05-23 15:56 ` Arjan van de Ven
2009-05-23 18:21 ` [PATCH] Support for unconditional page sanitization Larry H.
2009-05-23 21:05 ` Arjan van de Ven
2009-05-24 10:19 ` pageexec
2009-05-24 16:38 ` Arjan van de Ven
2009-05-28 19:36 ` [patch 0/5] Support for sanitization flag in low-level page allocator Peter Zijlstra
2009-05-29 14:32 ` Arjan van de Ven
2009-05-30 5:48 ` Larry H.
2009-05-30 10:39 ` Peter Zijlstra
2009-05-30 10:43 ` Larry H.
2009-05-30 11:42 ` pageexec
2009-05-30 13:21 ` Peter Zijlstra
2009-05-30 13:24 ` Peter Zijlstra
2009-05-30 13:54 ` pageexec
2009-05-30 14:04 ` Larry H.
2009-05-30 14:13 ` Rik van Riel
2009-05-30 14:08 ` Rik van Riel
[not found] ` <20090530153023.45600fd2@lxorguk.ukuu.org.uk>
2009-05-30 14:45 ` Peter Zijlstra
2009-05-30 14:48 ` Rik van Riel
2009-05-30 17:00 ` Larry H.
2009-05-30 17:25 ` Larry H.
2009-05-30 18:32 ` Ingo Molnar
2009-05-31 14:38 ` Arjan van de Ven
2009-05-31 15:03 ` Arjan van de Ven
2009-05-22 18:37 ` Nai Xia
2009-05-22 19:18 ` Nai Xia
2009-05-23 12:49 ` Ingo Molnar
2009-05-23 22:28 ` Larry H.
2009-05-23 22:42 ` Rik van Riel
2009-05-25 1:17 ` [PATCH] Sanitize memory on kfree() and kmem_cache_free() Larry H.
2009-05-27 22:34 ` [patch 0/5] Support for sanitization flag in low-level page allocator Ingo Molnar
2009-05-28 6:27 ` Alan Cox
2009-05-28 7:00 ` Larry H.
2009-05-28 9:08 ` Ingo Molnar
2009-05-28 11:50 ` Alan Cox
2009-05-28 19:44 ` Peter Zijlstra
2009-05-30 7:35 ` Pekka Enberg
2009-05-30 7:50 ` Larry H.
2009-05-30 7:53 ` Pekka Enberg
2009-05-30 8:20 ` Larry H.
2009-05-30 8:33 ` Pekka Enberg
2009-05-30 15:05 ` Ray Lee
2009-05-30 17:34 ` Ingo Molnar
2009-05-30 18:03 ` Larry H.
2009-05-30 18:21 ` Ingo Molnar [this message]
2009-05-30 18:45 ` Larry H.
2009-05-30 19:08 ` Ingo Molnar
2009-05-30 20:39 ` Rik van Riel
2009-05-30 20:53 ` Pekka Enberg
2009-05-30 21:33 ` Larry H.
2009-05-30 23:13 ` Alan Cox
2009-05-30 23:18 ` Larry H.
2009-05-31 6:30 ` Pekka Enberg
2009-05-31 11:49 ` Larry H.
2009-05-31 7:17 ` Pekka Enberg
2009-05-31 11:58 ` Larry H.
2009-05-31 12:16 ` Pekka Enberg
2009-05-31 12:30 ` Larry H.
2009-05-31 12:35 ` Pekka Enberg
2009-05-30 23:10 ` Alan Cox
2009-05-31 6:14 ` Pekka Enberg
2009-05-31 10:24 ` Alan Cox
2009-05-31 10:24 ` Pekka Enberg
2009-05-31 12:16 ` Larry H.
2009-05-31 12:19 ` Pekka Enberg
2009-05-31 16:25 ` Alan Cox
2009-05-30 22:10 ` Ingo Molnar
2009-05-30 23:15 ` Alan Cox
2009-05-30 20:22 ` Pekka Enberg
2009-05-30 22:14 ` Ingo Molnar
2009-05-30 17:39 ` Ingo Molnar
2009-05-30 7:57 ` Pekka Enberg
2009-05-30 9:05 ` Larry H.
2009-05-30 17:46 ` Ingo Molnar
2009-05-30 18:09 ` Larry H.
2009-05-30 8:31 ` Alan Cox
2009-05-30 8:35 ` Pekka Enberg
2009-05-30 9:27 ` Larry H.
2009-05-28 18:48 ` pageexec
2009-05-30 17:50 ` Ingo Molnar
2009-05-28 12:48 ` Pavel Machek
2009-05-28 12:55 ` Larry H.
-- strict thread matches above, loose matches on Subject: below --
2009-05-28 18:56 pageexec
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090530182113.GA25237@elte.hu \
--to=mingo@elte.hu \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@redhat.com \
--cc=pageexec@freemail.hu \
--cc=penberg@cs.helsinki.fi \
--cc=research@subreption.com \
--cc=riel@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).