From: Ingo Molnar <mingo@kernel.org>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Richard Weinberger <richard.weinberger@gmail.com>,
"H. Peter Anvin" <hpa@linux.intel.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Cong Ding <dinggnu@gmail.com>, Ingo Molnar <mingo@elte.hu>,
Kees Cook <keescook@chromium.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Mathias Krause <minipli@googlemail.com>,
Michael Davidson <md@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Subject: Re: [GIT PULL] x86/kaslr for v3.14
Date: Mon, 27 Jan 2014 08:38:36 +0100 [thread overview]
Message-ID: <20140127073836.GB19617@gmail.com> (raw)
In-Reply-To: <52E601DA.7010605@zytor.com>
* H. Peter Anvin <hpa@zytor.com> wrote:
> On 01/26/2014 10:49 PM, Richard Weinberger wrote:
> >>
> >> No, because that information is available to user space unless we panic.
> >
> > Didn't you mean non-root?
> > I thought one has to set dmesg_restrict anyways if kASLR is used.
> >
> > And isn't the offset available to perf too?
> > Of course only for root, but still user space.
> >
>
> For certain system security levels one want to protect even from a
> rogue root. In those cases, leaking that information via dmesg and
> perf isn't going to work, either.
>
> With lower security settings, by all means...
The 'no' was categorical and unconditional though, so is the right
answer perhaps something more along the lines of:
'Yes, the random offset can be reported in an oops, as long as
high security setups can turn off the reporting of the offset,
in their idealistic attempt to protect the system against root.'
?
I also still think that in addition to reporting the offset,
automatically 'un-randomizing' the oopses and warnings would be useful
as well: with a clear to recognize indicator used for every value
unrandomized, such as capitalizing their first hexa digit.
Let me show a mockup of how I think it could work:
raw 64-bit original:
[ 246.085174] <IRQ> [<ffffffff8264fbf6>] dump_stack+0x46/0x58
[ 246.098352] [<ffffffff82054fb6>] warn_slowpath_fmt+0x46/0x50
[ 246.104786] [<ffffffff825710d6>] dev_watchdog+0x246/0x250
[ 246.110923] [<ffffffff82570e90>] ? dev_deactivate_queue.constprop.31+0x80/0x80
[ 246.119097] [<ffffffff8206092a>] call_timer_fn+0x3a/0x110
[ 246.125224] [<ffffffff8206280f>] ? update_process_times+0x6f/0x80
64-bit un-randomized:
[ 246.085174] <IRQ> [<FFFFFFFF8164fbf6>] dump_stack+0x46/0x58
[ 246.091633] [<FFFFFFFF81054ecc>] warn_slowpath_common+0x8c/0xc0
[ 246.098352] [<FFFFFFFF81054fb6>] warn_slowpath_fmt+0x46/0x50
[ 246.104786] [<FFFFFFFF815710d6>] dev_watchdog+0x246/0x250
[ 246.110923] [<FFFFFFFF81570e90>] ? dev_deactivate_queue.constprop.31+0x80/0x80
[ 246.119097] [<FFFFFFFF8106092a>] call_timer_fn+0x3a/0x110
[ 246.125224] [<FFFFFFFF8106280f>] ? update_process_times+0x6f/0x80
Note how the hex values of unrandomized kernel text start with capital
letters, and how their values match up System.map and vmlinux symbol
values.
raw 32-bit randomized:
[ 39.054098] [<c20ded55>] ? __jump_label_update+0x45/0x60
[ 39.064852] [<c2057aa2>] ? queue_work_on+0x32/0x70
[ 39.074570] [<c20085b1>] ? mark_tsc_unstable+0x21/0x60
[ 39.084980] [<c2f03af6>] ? tsc_init+0x326/0x344
[ 39.094175] [<c2eff9c5>] ? start_kernel+0x2c7/0x356
32-bit un-randomized:
[ 39.054098] [<C10ded55>] ? __jump_label_update+0x45/0x60
[ 39.064852] [<C1057aa2>] ? queue_work_on+0x32/0x70
[ 39.074570] [<C10085b1>] ? mark_tsc_unstable+0x21/0x60
[ 39.084980] [<C1f03af6>] ? tsc_init+0x326/0x344
[ 39.094175] [<C1eff9c5>] ? start_kernel+0x2c7/0x356
This looks eminently useful to me, I could plug those hexa values into
gdb straight away to look up a symbol instead of having to subtract
the random offset first.
This would do 99% of the unrandomizing job for the user/developer (and
not the least, for tooling), without obfuscating oopses as it would be
clear on which values the unrandomizing was performed, without losing
information.
But only reporting the random offset with every raw oops and stack
dump would lead to equivalent information as well. We can tweak this
as we go, it's not like these details are ABIs - I just still think
that the KASLR feature isn't nearly as utility oriented as it should
be.
Thanks,
Ingo
next prev parent reply other threads:[~2014-01-27 7:38 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-20 16:47 [GIT PULL] x86/kaslr for v3.14 H. Peter Anvin
2014-01-20 22:54 ` Linus Torvalds
2014-01-20 23:00 ` H. Peter Anvin
2014-01-20 23:12 ` Linus Torvalds
2014-01-20 23:13 ` H. Peter Anvin
2014-01-21 9:00 ` Peter Zijlstra
2014-01-21 14:20 ` H. Peter Anvin
2014-01-21 14:39 ` Ingo Molnar
2014-01-21 14:51 ` H. Peter Anvin
2014-01-21 14:56 ` Ingo Molnar
2014-01-21 18:37 ` Kees Cook
2014-01-21 10:27 ` Ingo Molnar
2014-01-21 13:55 ` H. Peter Anvin
2014-01-21 14:03 ` Ingo Molnar
2014-01-21 14:05 ` H. Peter Anvin
2014-01-21 14:14 ` Ingo Molnar
2014-01-21 14:17 ` H. Peter Anvin
2014-01-21 5:18 ` Kees Cook
2014-01-23 9:39 ` Pavel Machek
2014-01-26 10:16 ` Richard Weinberger
2014-01-27 5:33 ` H. Peter Anvin
2014-01-27 6:49 ` Richard Weinberger
2014-01-27 6:51 ` H. Peter Anvin
2014-01-27 7:38 ` Ingo Molnar [this message]
2014-01-27 7:43 ` Ingo Molnar
2014-01-27 7:59 ` Richard Weinberger
2014-01-30 22:07 ` Vivek Goyal
2014-01-31 16:57 ` Kees Cook
2014-02-07 14:49 ` Vivek Goyal
2014-02-07 16:04 ` H. Peter Anvin
2014-02-07 16:24 ` Vivek Goyal
2014-02-07 23:16 ` Dave Young
2014-02-07 23:20 ` H. Peter Anvin
2014-02-07 23:28 ` Dave Young
2014-02-07 19:07 ` H. Peter Anvin
2014-02-07 19:44 ` Kees Cook
2014-01-27 6:52 ` H. Peter Anvin
2014-01-27 7:34 ` Richard Weinberger
2014-01-27 17:05 ` Kees Cook
2014-01-27 17:20 ` Richard Weinberger
2014-01-27 17:24 ` Kees Cook
2014-01-28 6:28 ` Ingo Molnar
2014-01-28 8:25 ` Richard Weinberger
2014-01-28 15:55 ` H. Peter Anvin
2014-01-28 16:25 ` Richard Weinberger
2014-01-28 16:30 ` H. Peter Anvin
2014-01-28 16:51 ` Linus Torvalds
2014-01-28 17:05 ` Ingo Molnar
2014-01-28 17:12 ` Linus Torvalds
2014-01-28 17:24 ` Richard Weinberger
2014-01-28 17:35 ` Linus Torvalds
2014-01-28 17:52 ` Richard Weinberger
2014-01-28 17:56 ` Linus Torvalds
2014-01-28 18:54 ` Richard Weinberger
2014-01-28 19:48 ` Ingo Molnar
2014-01-28 20:07 ` Linus Torvalds
2014-01-28 20:15 ` Borislav Petkov
2014-01-28 20:25 ` Linus Torvalds
2014-01-28 20:28 ` Richard Weinberger
2014-01-28 20:38 ` H. Peter Anvin
2014-01-29 8:25 ` Ingo Molnar
2014-01-29 10:40 ` Borislav Petkov
2014-01-28 20:49 ` Borislav Petkov
2014-01-28 23:37 ` Borislav Petkov
2014-01-28 21:08 ` Dave Jones
2014-01-29 6:36 ` Mike Galbraith
2014-01-29 8:11 ` Ingo Molnar
2014-01-29 8:27 ` Mathias Krause
2014-01-30 9:23 ` Ingo Molnar
2014-01-30 18:15 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140127073836.GB19617@gmail.com \
--to=mingo@kernel.org \
--cc=dinggnu@gmail.com \
--cc=hpa@linux.intel.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=md@google.com \
--cc=mingo@elte.hu \
--cc=minipli@googlemail.com \
--cc=richard.weinberger@gmail.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=yongjun_wei@trendmicro.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).