Option to clear allocated kernel memory before freeing it?

Option to clear allocated kernel memory before freeing it?

[Michael Opdenacker]

Hello,

Would it make sense to implement a kernel option that would clear kernel 
memory before freeing it (by kfree or free_page(s))?

Unless I'm missing something, uncleared memory previously used for 
kernel allocations could later be recycled for user allocations, making 
it possible for a user program to access sensitive driver data if it's 
lucky.

Tough clearing memory should be efficient (thanks to the use of 
memset(), optimized for each platform), there would of course be a 
significant performance hit. However, this could be acceptable for 
systems with strong security requirements...

What do you think? If this idea makes sense, I'll be glad to help in 
implementing it.

    Thanks in advance,

    Cheers,

    Michael.

-- 
Michael Opdenacker, Free Electrons
Free Embedded Linux Training Materials
on http://free-electrons.com/training
(More than 1000 pages!)

Re: Option to clear allocated kernel memory before freeing it?

[Chase Venters]

On Mon, 19 Jun 2006, Michael Opdenacker wrote:

> Hello,
>
> Would it make sense to implement a kernel option that would clear kernel 
> memory before freeing it (by kfree or free_page(s))?
>
> Unless I'm missing something, uncleared memory previously used for kernel 
> allocations could later be recycled for user allocations, making it possible 
> for a user program to access sensitive driver data if it's lucky.

No sane operating system lets user-space have access to pages that haven't 
been cleared.

> Tough clearing memory should be efficient (thanks to the use of memset(), 
> optimized for each platform), there would of course be a significant 
> performance hit. However, this could be acceptable for systems with strong 
> security requirements...

A better way (and I believe the way Linux does it) is to map new pages to 
the zero page, read-only. If the process attempts to write to the zero 
page, we take a page fault and set up a new zeroed page, change the 
mapping, and return control back to that process.

> What do you think? If this idea makes sense, I'll be glad to help in 
> implementing it.
>
>   Thanks in advance,
>
>   Cheers,
>
>   Michael.
>

Thanks,
Chase

Re: Option to clear allocated kernel memory before freeing it?

[linux-os (Dick Johnson)]

On Mon, 19 Jun 2006, Michael Opdenacker wrote:

> Hello,
>
> Would it make sense to implement a kernel option that would clear kernel
> memory before freeing it (by kfree or free_page(s))?
>

No. Memory is cleared before being mapped to user-space. Memory
that is allocated for use by the kernel is never cleared by default.
To do so would waste valuable time for nothing gained.

> Unless I'm missing something, uncleared memory previously used for
> kernel allocations could later be recycled for user allocations, making
> it possible for a user program to access sensitive driver data if it's
> lucky.

Wrong. You are missing a lot.

>
> Tough clearing memory should be efficient (thanks to the use of
> memset(), optimized for each platform), there would of course be a
> significant performance hit. However, this could be acceptable for
> systems with strong security requirements...
>

Clearing, using the CPU is never efficient. That's why demand-zero
paging is used by many operating systems.

> What do you think? If this idea makes sense, I'll be glad to help in
> implementing it.
>
>    Thanks in advance,
>    Cheers,
>    Michael.
> --
> Michael Opdenacker, Free Electrons
> Free Embedded Linux Training Materials
> on http://free-electrons.com/training
> (More than 1000 pages!)

Cheers,
Dick Johnson
Penguin : Linux version 2.6.16.4 on an i686 machine (5592.72 BogoMips).
New book: http://www.AbominableFirebug.com/
_
\x1a\x04

****************************************************************
The information transmitted in this message is confidential and may be privileged.  Any review, retransmission, dissemination, or other use of this information by persons or entities other than the intended recipient is prohibited.  If you are not the intended recipient, please notify Analogic Corporation immediately - by replying to this message or by sending an email to DeliveryErrors@analogic.com - and destroy all copies of this information, including any attachments, without reading or disclosing them.

Thank you.

Re: Option to clear allocated kernel memory before freeing it?

[Michael Opdenacker]

Chase, Dick,
> No. Memory is cleared before being mapped to user-space. Memory
> that is allocated for use by the kernel is never cleared by default.
> To do so would waste valuable time for nothing gained.
>
>   
>> Unless I'm missing something, uncleared memory previously used for
>> kernel allocations could later be recycled for user allocations, making
>> it possible for a user program to access sensitive driver data if it's
>> lucky.
>>     
>
> Wrong. You are missing a lot.
>   
Oops, I realize I was really missing a lot! Thank you very much for 
leading me to the right path!

    Cheers,

    Michael.

-- 
Michael Opdenacker, Free Electrons
Free Embedded Linux Training Materials
on http://free-electrons.com/training
(More than 1000 pages!)..