From: Eric Biggers <ebiggers@kernel.org>
To: Waiman Long <longman@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Joe Perches <joe@perches.com>,
Matthew Wilcox <willy@infradead.org>,
David Rientjes <rientjes@google.com>,
Michal Hocko <mhocko@suse.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Dan Carpenter <dan.carpenter@oracle.com>,
David Sterba <dsterba@suse.cz>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
linux-mm@kvack.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-pm@vger.kernel.org,
linux-stm32@st-md-mailman.stormreply.com,
linux-amlogic@lists.infradead.org,
linux-mediatek@lists.infradead.org,
linuxppc-dev@lists.ozlabs.org,
virtualization@lists.linux-foundation.org,
netdev@vger.kernel.org, linux-ppp@vger.kernel.org,
wireguard@lists.zx2c4.com, linux-wireless@vger.kernel.org,
devel@driverdev.osuosl.org, linux-scsi@vger.kernel.org,
target-devel@vger.kernel.org, linux-btrfs@vger.kernel.org,
linux-cifs@vger.kernel.org, linux-fscrypt@vger.kernel.org,
ecryptfs@vger.kernel.org, kasan-dev@googlegroups.com,
linux-bluetooth@vger.kernel.org, linux-wpan@vger.kernel.org,
linux-sctp@vger.kernel.org, linux-nfs@vger.kernel.org,
tipc-discussion@lists.sourceforge.net,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree()
Date: Mon, 15 Jun 2020 20:30:35 -0700 [thread overview]
Message-ID: <20200616033035.GB902@sol.localdomain> (raw)
In-Reply-To: <20200616015718.7812-2-longman@redhat.com>
On Mon, Jun 15, 2020 at 09:57:16PM -0400, Waiman Long wrote:
> The kzfree() function is normally used to clear some sensitive
> information, like encryption keys, in the buffer before freeing it back
> to the pool. Memset() is currently used for the buffer clearing. However,
> it is entirely possible that the compiler may choose to optimize away the
> memory clearing especially if LTO is being used. To make sure that this
> optimization will not happen, memzero_explicit(), which is introduced
> in v3.18, is now used in kzfree() to do the clearing.
>
> Fixes: 3ef0e5ba4673 ("slab: introduce kzfree()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Waiman Long <longman@redhat.com>
> ---
> mm/slab_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index 9e72ba224175..37d48a56431d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1726,7 +1726,7 @@ void kzfree(const void *p)
> if (unlikely(ZERO_OR_NULL_PTR(mem)))
> return;
> ks = ksize(mem);
> - memset(mem, 0, ks);
> + memzero_explicit(mem, ks);
> kfree(mem);
> }
> EXPORT_SYMBOL(kzfree);
This is a good change, but the commit message isn't really accurate. AFAIK, no
one has found any case where this memset() gets optimized out. And even with
LTO, it would be virtually impossible due to all the synchronization and global
data structures that kfree() uses. (Remember that this isn't the C standard
function "free()", so the compiler can't assign it any special meaning.)
Not to mention that LTO support isn't actually upstream yet.
I still agree with the change, but it might be helpful if the commit message
were honest that this is really a hardening measure and about properly conveying
the intent. As-is this sounds like a critical fix, which might confuse people.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Waiman Long <longman@redhat.com>
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>,
Michal Hocko <mhocko@suse.com>,
linux-btrfs@vger.kernel.org,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
David Sterba <dsterba@suse.cz>,
David Howells <dhowells@redhat.com>,
linux-mm@kvack.org, linux-sctp@vger.kernel.org,
keyrings@vger.kernel.org, kasan-dev@googlegroups.com,
linux-stm32@st-md-mailman.stormreply.com,
devel@driverdev.osuosl.org, linux-cifs@vger.kernel.org,
linux-scsi@vger.kernel.org, James Morris <jmorris@namei.org>,
Matthew Wilcox <willy@infradead.org>,
linux-wpan@vger.kernel.org, David Rientjes <rientjes@google.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
linux-pm@vger.kernel.org, ecryptfs@vger.kernel.org,
linux-fscrypt@vger.kernel.org,
linux-mediatek@lists.infradead.org,
linux-amlogic@lists.infradead.org,
virtualization@lists.linux-foundation.org,
linux-integrity@vger.kernel.org, linux-nfs@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-wireless@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
linux-bluetooth@vger.kernel.org,
linux-security-module@vger.kernel.org,
target-devel@vger.kernel.org,
tipc-discussion@lists.sourceforge.net,
linux-crypto@vger.kernel.org,
Johannes Weiner <hannes@cmpxchg.org>,
Joe Perches <joe@perches.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
netdev@vger.kernel.org, wireguard@lists.zx2c4.com,
linux-ppp@vger.kernel.org
Subject: Re: [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree()
Date: Tue, 16 Jun 2020 03:30:35 +0000 [thread overview]
Message-ID: <20200616033035.GB902@sol.localdomain> (raw)
In-Reply-To: <20200616015718.7812-2-longman@redhat.com>
On Mon, Jun 15, 2020 at 09:57:16PM -0400, Waiman Long wrote:
> The kzfree() function is normally used to clear some sensitive
> information, like encryption keys, in the buffer before freeing it back
> to the pool. Memset() is currently used for the buffer clearing. However,
> it is entirely possible that the compiler may choose to optimize away the
> memory clearing especially if LTO is being used. To make sure that this
> optimization will not happen, memzero_explicit(), which is introduced
> in v3.18, is now used in kzfree() to do the clearing.
>
> Fixes: 3ef0e5ba4673 ("slab: introduce kzfree()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Waiman Long <longman@redhat.com>
> ---
> mm/slab_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index 9e72ba224175..37d48a56431d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1726,7 +1726,7 @@ void kzfree(const void *p)
> if (unlikely(ZERO_OR_NULL_PTR(mem)))
> return;
> ks = ksize(mem);
> - memset(mem, 0, ks);
> + memzero_explicit(mem, ks);
> kfree(mem);
> }
> EXPORT_SYMBOL(kzfree);
This is a good change, but the commit message isn't really accurate. AFAIK, no
one has found any case where this memset() gets optimized out. And even with
LTO, it would be virtually impossible due to all the synchronization and global
data structures that kfree() uses. (Remember that this isn't the C standard
function "free()", so the compiler can't assign it any special meaning.)
Not to mention that LTO support isn't actually upstream yet.
I still agree with the change, but it might be helpful if the commit message
were honest that this is really a hardening measure and about properly conveying
the intent. As-is this sounds like a critical fix, which might confuse people.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Waiman Long <longman@redhat.com>
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>,
Michal Hocko <mhocko@suse.com>,
linux-btrfs@vger.kernel.org,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
David Sterba <dsterba@suse.cz>,
David Howells <dhowells@redhat.com>,
linux-mm@kvack.org, linux-sctp@vger.kernel.org,
keyrings@vger.kernel.org, kasan-dev@googlegroups.com,
linux-stm32@st-md-mailman.stormreply.com,
devel@driverdev.osuosl.org, linux-cifs@vger.kernel.org,
linux-scsi@vger.kernel.org, James Morris <jmorris@namei.org>,
Matthew Wilcox <willy@infradead.org>,
linux-wpan@vger.kernel.org, David Rientjes <rientjes@google.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
linux-pm@vger.kernel.org, ecryptfs@vger.kernel.org,
linux-fscrypt@vger.kernel.org,
linux-mediatek@lists.infradead.org,
linux-amlogic@lists.infradead.org,
virtualization@lists.linux-foundation.org,
linux-integrity@vger.kernel.org, linux-nfs@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-wireless@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
linux-bluetooth@vger.kernel.org,
linux-security-module@vger.kernel.org,
target-devel@vger.kernel.org,
tipc-discussion@lists.sourceforge.net,
linux-crypto@vger.kernel.org,
Johannes Weiner <hannes@cmpxchg.org>,
Joe Perches <joe@perches.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
netdev@vger.kernel.org, wireguard@lists.zx2c4.com,
linux-ppp@vger.kernel.org
Subject: Re: [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree()
Date: Mon, 15 Jun 2020 20:30:35 -0700 [thread overview]
Message-ID: <20200616033035.GB902@sol.localdomain> (raw)
In-Reply-To: <20200616015718.7812-2-longman@redhat.com>
On Mon, Jun 15, 2020 at 09:57:16PM -0400, Waiman Long wrote:
> The kzfree() function is normally used to clear some sensitive
> information, like encryption keys, in the buffer before freeing it back
> to the pool. Memset() is currently used for the buffer clearing. However,
> it is entirely possible that the compiler may choose to optimize away the
> memory clearing especially if LTO is being used. To make sure that this
> optimization will not happen, memzero_explicit(), which is introduced
> in v3.18, is now used in kzfree() to do the clearing.
>
> Fixes: 3ef0e5ba4673 ("slab: introduce kzfree()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Waiman Long <longman@redhat.com>
> ---
> mm/slab_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index 9e72ba224175..37d48a56431d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1726,7 +1726,7 @@ void kzfree(const void *p)
> if (unlikely(ZERO_OR_NULL_PTR(mem)))
> return;
> ks = ksize(mem);
> - memset(mem, 0, ks);
> + memzero_explicit(mem, ks);
> kfree(mem);
> }
> EXPORT_SYMBOL(kzfree);
This is a good change, but the commit message isn't really accurate. AFAIK, no
one has found any case where this memset() gets optimized out. And even with
LTO, it would be virtually impossible due to all the synchronization and global
data structures that kfree() uses. (Remember that this isn't the C standard
function "free()", so the compiler can't assign it any special meaning.)
Not to mention that LTO support isn't actually upstream yet.
I still agree with the change, but it might be helpful if the commit message
were honest that this is really a hardening measure and about properly conveying
the intent. As-is this sounds like a critical fix, which might confuse people.
- Eric
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Waiman Long <longman@redhat.com>
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>,
Michal Hocko <mhocko@suse.com>,
linux-btrfs@vger.kernel.org,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
David Sterba <dsterba@suse.cz>,
David Howells <dhowells@redhat.com>,
linux-mm@kvack.org, linux-sctp@vger.kernel.org,
keyrings@vger.kernel.org, kasan-dev@googlegroups.com,
linux-stm32@st-md-mailman.stormreply.com,
devel@driverdev.osuosl.org, linux-cifs@vger.kernel.org,
linux-scsi@vger.kernel.org, James Morris <jmorris@namei.org>,
Matthew Wilcox <willy@infradead.org>,
linux-wpan@vger.kernel.org, David Rientjes <rientjes@google.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-pm@vger.kernel.org, ecryptfs@vger.kernel.org,
linux-fscrypt@vger.kernel.org,
linux-mediatek@lists.infradead.org,
linux-amlogic@lists.infradead.org,
virtualization@lists.linux-foundation.org,
linux-integrity@vger.kernel.org, linux-nfs@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-wireless@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
linux-bluetooth@vger.kernel.org,
linux-security-module@vger.kernel.org,
target-devel@vger.kernel.org,
tipc-discussion@lists.sourceforge.net,
linux-crypto@vger.kernel.org,
Johannes Weiner <hannes@cmpxchg.org>,
Joe Perches <joe@perches.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
netdev@vger.kernel.org, wireguard@lists.zx2c4.com,
linux-ppp@vger.kernel.org
Subject: Re: [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree()
Date: Mon, 15 Jun 2020 20:30:35 -0700 [thread overview]
Message-ID: <20200616033035.GB902@sol.localdomain> (raw)
In-Reply-To: <20200616015718.7812-2-longman@redhat.com>
On Mon, Jun 15, 2020 at 09:57:16PM -0400, Waiman Long wrote:
> The kzfree() function is normally used to clear some sensitive
> information, like encryption keys, in the buffer before freeing it back
> to the pool. Memset() is currently used for the buffer clearing. However,
> it is entirely possible that the compiler may choose to optimize away the
> memory clearing especially if LTO is being used. To make sure that this
> optimization will not happen, memzero_explicit(), which is introduced
> in v3.18, is now used in kzfree() to do the clearing.
>
> Fixes: 3ef0e5ba4673 ("slab: introduce kzfree()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Waiman Long <longman@redhat.com>
> ---
> mm/slab_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index 9e72ba224175..37d48a56431d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1726,7 +1726,7 @@ void kzfree(const void *p)
> if (unlikely(ZERO_OR_NULL_PTR(mem)))
> return;
> ks = ksize(mem);
> - memset(mem, 0, ks);
> + memzero_explicit(mem, ks);
> kfree(mem);
> }
> EXPORT_SYMBOL(kzfree);
This is a good change, but the commit message isn't really accurate. AFAIK, no
one has found any case where this memset() gets optimized out. And even with
LTO, it would be virtually impossible due to all the synchronization and global
data structures that kfree() uses. (Remember that this isn't the C standard
function "free()", so the compiler can't assign it any special meaning.)
Not to mention that LTO support isn't actually upstream yet.
I still agree with the change, but it might be helpful if the commit message
were honest that this is really a hardening measure and about properly conveying
the intent. As-is this sounds like a critical fix, which might confuse people.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Waiman Long <longman@redhat.com>
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>,
Michal Hocko <mhocko@suse.com>,
linux-btrfs@vger.kernel.org,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
David Sterba <dsterba@suse.cz>,
David Howells <dhowells@redhat.com>,
linux-mm@kvack.org, linux-sctp@vger.kernel.org,
keyrings@vger.kernel.org, kasan-dev@googlegroups.com,
linux-stm32@st-md-mailman.stormreply.com,
devel@driverdev.osuosl.org, linux-cifs@vger.kernel.org,
linux-scsi@vger.kernel.org, James Morris <jmorris@namei.org>,
Matthew Wilcox <willy@infradead.org>,
linux-wpan@vger.kernel.org, David Rientjes <rientjes@google.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-pm@vger.kernel.org, ecryptfs@vger.kernel.org,
linux-fscrypt@vger.kernel.org,
linux-mediatek@lists.infradead.org,
linux-amlogic@lists.infradead.org,
virtualization@lists.linux-foundation.org,
linux-integrity@vger.kernel.org, linux-nfs@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-wireless@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
linux-bluetooth@vger.kernel.org,
linux-security-module@vger.kernel.org,
target-devel@vger.kernel.org,
tipc-discussion@lists.sourceforge.net,
linux-crypto@vger.kernel.org,
Johannes Weiner <hannes@cmpxchg.org>,
Joe Perches <joe@perches.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
netdev@vger.kernel.org, wireguard@lists.zx2c4.com,
linux-ppp@vger.kernel.org
Subject: Re: [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree()
Date: Mon, 15 Jun 2020 20:30:35 -0700 [thread overview]
Message-ID: <20200616033035.GB902@sol.localdomain> (raw)
In-Reply-To: <20200616015718.7812-2-longman@redhat.com>
On Mon, Jun 15, 2020 at 09:57:16PM -0400, Waiman Long wrote:
> The kzfree() function is normally used to clear some sensitive
> information, like encryption keys, in the buffer before freeing it back
> to the pool. Memset() is currently used for the buffer clearing. However,
> it is entirely possible that the compiler may choose to optimize away the
> memory clearing especially if LTO is being used. To make sure that this
> optimization will not happen, memzero_explicit(), which is introduced
> in v3.18, is now used in kzfree() to do the clearing.
>
> Fixes: 3ef0e5ba4673 ("slab: introduce kzfree()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Waiman Long <longman@redhat.com>
> ---
> mm/slab_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index 9e72ba224175..37d48a56431d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1726,7 +1726,7 @@ void kzfree(const void *p)
> if (unlikely(ZERO_OR_NULL_PTR(mem)))
> return;
> ks = ksize(mem);
> - memset(mem, 0, ks);
> + memzero_explicit(mem, ks);
> kfree(mem);
> }
> EXPORT_SYMBOL(kzfree);
This is a good change, but the commit message isn't really accurate. AFAIK, no
one has found any case where this memset() gets optimized out. And even with
LTO, it would be virtually impossible due to all the synchronization and global
data structures that kfree() uses. (Remember that this isn't the C standard
function "free()", so the compiler can't assign it any special meaning.)
Not to mention that LTO support isn't actually upstream yet.
I still agree with the change, but it might be helpful if the commit message
were honest that this is really a hardening measure and about properly conveying
the intent. As-is this sounds like a critical fix, which might confuse people.
- Eric
_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Waiman Long <longman@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Joe Perches <joe@perches.com>,
Matthew Wilcox <willy@infradead.org>,
David Rientjes <rientjes@google.com>,
Michal Hocko <mhocko@suse.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Dan Carpenter <dan.carpenter@oracle.com>,
David Sterba <dsterba@suse.cz>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
linux-mm@kvack.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-pm@vger.kernel.org,
linux-stm32@st-md-mailman.stormreply.com,
linux-amlogic@lists.infradead.org
Subject: Re: [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree()
Date: Mon, 15 Jun 2020 20:30:35 -0700 [thread overview]
Message-ID: <20200616033035.GB902@sol.localdomain> (raw)
In-Reply-To: <20200616015718.7812-2-longman@redhat.com>
On Mon, Jun 15, 2020 at 09:57:16PM -0400, Waiman Long wrote:
> The kzfree() function is normally used to clear some sensitive
> information, like encryption keys, in the buffer before freeing it back
> to the pool. Memset() is currently used for the buffer clearing. However,
> it is entirely possible that the compiler may choose to optimize away the
> memory clearing especially if LTO is being used. To make sure that this
> optimization will not happen, memzero_explicit(), which is introduced
> in v3.18, is now used in kzfree() to do the clearing.
>
> Fixes: 3ef0e5ba4673 ("slab: introduce kzfree()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Waiman Long <longman@redhat.com>
> ---
> mm/slab_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index 9e72ba224175..37d48a56431d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1726,7 +1726,7 @@ void kzfree(const void *p)
> if (unlikely(ZERO_OR_NULL_PTR(mem)))
> return;
> ks = ksize(mem);
> - memset(mem, 0, ks);
> + memzero_explicit(mem, ks);
> kfree(mem);
> }
> EXPORT_SYMBOL(kzfree);
This is a good change, but the commit message isn't really accurate. AFAIK, no
one has found any case where this memset() gets optimized out. And even with
LTO, it would be virtually impossible due to all the synchronization and global
data structures that kfree() uses. (Remember that this isn't the C standard
function "free()", so the compiler can't assign it any special meaning.)
Not to mention that LTO support isn't actually upstream yet.
I still agree with the change, but it might be helpful if the commit message
were honest that this is really a hardening measure and about properly conveying
the intent. As-is this sounds like a critical fix, which might confuse people.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Waiman Long <longman@redhat.com>
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>,
Michal Hocko <mhocko@suse.com>,
linux-btrfs@vger.kernel.org,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
David Sterba <dsterba@suse.cz>,
David Howells <dhowells@redhat.com>,
linux-mm@kvack.org, linux-sctp@vger.kernel.org,
keyrings@vger.kernel.org, kasan-dev@googlegroups.com,
linux-stm32@st-md-mailman.stormreply.com,
devel@driverdev.osuosl.org, linux-cifs@vger.kernel.org,
linux-scsi@vger.kernel.org, James Morris <jmorris@namei.org>,
Matthew Wilcox <willy@infradead.org>,
linux-wpan@vger.kernel.org, David Rientjes <rientjes@google.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-pm@vger.kernel.org, ecryptfs@vger.kernel.org,
linux-fscrypt@vger.kernel.org,
linux-mediatek@lists.infradead.org,
linux-amlogic@lists.infradead.org,
virtualization@lists.linux-foundation.org,
linux-integrity@vger.kernel.org, linux-nfs@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-wireless@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
linux-bluetooth@vger.kernel.org,
linux-security-module@vger.kernel.org,
target-devel@vger.kernel.org,
tipc-discussion@lists.sourceforge.net,
linux-crypto@vger.kernel.org,
Johannes Weiner <hannes@cmpxchg.org>,
Joe Perches <joe@perches.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
netdev@vger.kernel.org, wireguard@lists.zx2c4.com,
linux-ppp@vger.kernel.org
Subject: Re: [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree()
Date: Mon, 15 Jun 2020 20:30:35 -0700 [thread overview]
Message-ID: <20200616033035.GB902@sol.localdomain> (raw)
In-Reply-To: <20200616015718.7812-2-longman@redhat.com>
On Mon, Jun 15, 2020 at 09:57:16PM -0400, Waiman Long wrote:
> The kzfree() function is normally used to clear some sensitive
> information, like encryption keys, in the buffer before freeing it back
> to the pool. Memset() is currently used for the buffer clearing. However,
> it is entirely possible that the compiler may choose to optimize away the
> memory clearing especially if LTO is being used. To make sure that this
> optimization will not happen, memzero_explicit(), which is introduced
> in v3.18, is now used in kzfree() to do the clearing.
>
> Fixes: 3ef0e5ba4673 ("slab: introduce kzfree()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Waiman Long <longman@redhat.com>
> ---
> mm/slab_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index 9e72ba224175..37d48a56431d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1726,7 +1726,7 @@ void kzfree(const void *p)
> if (unlikely(ZERO_OR_NULL_PTR(mem)))
> return;
> ks = ksize(mem);
> - memset(mem, 0, ks);
> + memzero_explicit(mem, ks);
> kfree(mem);
> }
> EXPORT_SYMBOL(kzfree);
This is a good change, but the commit message isn't really accurate. AFAIK, no
one has found any case where this memset() gets optimized out. And even with
LTO, it would be virtually impossible due to all the synchronization and global
data structures that kfree() uses. (Remember that this isn't the C standard
function "free()", so the compiler can't assign it any special meaning.)
Not to mention that LTO support isn't actually upstream yet.
I still agree with the change, but it might be helpful if the commit message
were honest that this is really a hardening measure and about properly conveying
the intent. As-is this sounds like a critical fix, which might confuse people.
- Eric
_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic
next prev parent reply other threads:[~2020-06-16 3:30 UTC|newest]
Thread overview: 203+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-16 1:57 [PATCH v4 0/3] mm, treewide: Rename kzfree() to kfree_sensitive() Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree() Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 3:30 ` Eric Biggers [this message]
2020-06-16 3:30 ` Eric Biggers
2020-06-16 3:30 ` Eric Biggers
2020-06-16 3:30 ` Eric Biggers
2020-06-16 3:30 ` Eric Biggers
2020-06-16 3:30 ` Eric Biggers
2020-06-16 3:30 ` Eric Biggers
2020-06-16 13:05 ` Waiman Long
2020-06-16 13:05 ` Waiman Long
2020-06-16 13:05 ` Waiman Long
2020-06-16 13:05 ` Waiman Long
2020-06-16 13:05 ` Waiman Long
2020-06-16 13:05 ` Waiman Long
2020-06-16 13:05 ` Waiman Long
2020-06-16 15:46 ` David Howells
2020-06-16 15:46 ` David Howells
2020-06-16 15:46 ` David Howells
2020-06-16 15:46 ` David Howells
2020-06-16 15:46 ` David Howells
2020-06-16 15:46 ` David Howells
2020-06-16 15:46 ` David Howells
2020-06-16 6:42 ` Michal Hocko
2020-06-16 6:42 ` Michal Hocko
2020-06-16 6:42 ` Michal Hocko
2020-06-16 6:42 ` Michal Hocko
2020-06-16 6:42 ` Michal Hocko
2020-06-16 6:42 ` Michal Hocko
2020-06-16 6:42 ` Michal Hocko
2020-06-16 9:08 ` Dan Carpenter
2020-06-16 9:08 ` Dan Carpenter
2020-06-16 9:08 ` Dan Carpenter
2020-06-16 9:08 ` Dan Carpenter
2020-06-16 9:08 ` Dan Carpenter
2020-06-16 9:08 ` Dan Carpenter
2020-06-16 9:08 ` Dan Carpenter
2020-06-16 9:08 ` Dan Carpenter
2020-06-16 1:57 ` [PATCH v4 2/3] mm, treewide: Rename kzfree() to kfree_sensitive() Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 14:26 ` Dan Carpenter
2020-06-16 14:26 ` Dan Carpenter
2020-06-16 14:26 ` Dan Carpenter
2020-06-16 14:26 ` Dan Carpenter
2020-06-16 14:26 ` Dan Carpenter
2020-06-16 14:26 ` Dan Carpenter
2020-06-16 14:26 ` Dan Carpenter
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 1:57 ` [PATCH v4 3/3] btrfs: Use kfree() in btrfs_ioctl_get_subvol_info() Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 1:57 ` Waiman Long
2020-06-16 14:48 ` David Sterba
2020-06-16 14:48 ` David Sterba
2020-06-16 14:48 ` David Sterba
2020-06-16 14:48 ` David Sterba
2020-06-16 14:48 ` David Sterba
2020-06-16 14:48 ` David Sterba
2020-06-16 14:48 ` David Sterba
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 15:05 ` Waiman Long
2020-06-16 18:53 ` [PATCH v4 0/3] mm, treewide: Rename kzfree() to kfree_sensitive() Joe Perches
2020-06-16 18:53 ` Joe Perches
2020-06-16 18:53 ` Joe Perches
2020-06-16 18:53 ` Joe Perches
2020-06-16 18:53 ` Joe Perches
2020-06-16 18:53 ` Joe Perches
2020-06-16 18:53 ` Joe Perches
2020-06-16 18:53 ` Joe Perches
2020-06-16 19:43 ` Waiman Long
2020-06-16 19:43 ` Waiman Long
2020-06-16 19:43 ` Waiman Long
2020-06-16 19:43 ` Waiman Long
2020-06-16 19:43 ` Waiman Long
2020-06-16 19:43 ` Waiman Long
2020-06-16 19:43 ` Waiman Long
2020-06-16 19:43 ` Waiman Long
2020-06-16 19:46 ` Jason A. Donenfeld
2020-06-16 19:46 ` Jason A. Donenfeld
2020-06-16 19:46 ` Jason A. Donenfeld
2020-06-16 19:46 ` Jason A. Donenfeld
2020-06-16 19:46 ` Jason A. Donenfeld
2020-06-16 19:46 ` Jason A. Donenfeld
2020-06-16 19:46 ` Jason A. Donenfeld
2020-06-16 19:46 ` Jason A. Donenfeld
2020-06-16 19:46 ` Jason A. Donenfeld
2020-06-16 20:01 ` Waiman Long
2020-06-16 20:01 ` Waiman Long
2020-06-16 20:01 ` Waiman Long
2020-06-16 20:01 ` Waiman Long
2020-06-16 20:01 ` Waiman Long
2020-06-16 20:01 ` Waiman Long
2020-06-16 20:01 ` Waiman Long
2020-06-16 20:01 ` Waiman Long
2020-06-16 21:14 ` Matthew Wilcox
2020-06-16 21:14 ` Matthew Wilcox
2020-06-16 21:14 ` Matthew Wilcox
2020-06-16 21:14 ` Matthew Wilcox
2020-06-16 21:14 ` Matthew Wilcox
2020-06-16 21:14 ` Matthew Wilcox
2020-06-16 21:14 ` Matthew Wilcox
2020-06-16 23:01 ` David Sterba
2020-06-16 23:01 ` David Sterba
2020-06-16 23:01 ` David Sterba
2020-06-16 23:01 ` David Sterba
2020-06-16 23:01 ` David Sterba
2020-06-16 23:01 ` David Sterba
2020-06-16 23:01 ` David Sterba
2020-06-17 0:37 ` Matthew Wilcox
2020-06-17 0:37 ` Matthew Wilcox
2020-06-17 0:37 ` Matthew Wilcox
2020-06-17 0:37 ` Matthew Wilcox
2020-06-17 0:37 ` Matthew Wilcox
2020-06-17 0:37 ` Matthew Wilcox
2020-06-17 0:37 ` Matthew Wilcox
2020-06-17 7:12 ` Michal Hocko
2020-06-17 7:12 ` Michal Hocko
2020-06-17 7:12 ` Michal Hocko
2020-06-17 7:12 ` Michal Hocko
2020-06-17 7:12 ` Michal Hocko
2020-06-17 7:12 ` Michal Hocko
2020-06-17 7:12 ` Michal Hocko
2020-06-17 11:08 ` Matthew Wilcox
2020-06-17 11:08 ` Matthew Wilcox
2020-06-17 11:08 ` Matthew Wilcox
2020-06-17 11:08 ` Matthew Wilcox
2020-06-17 11:08 ` Matthew Wilcox
2020-06-17 11:08 ` Matthew Wilcox
2020-06-17 11:08 ` Matthew Wilcox
2020-06-17 11:31 ` Michal Hocko
2020-06-17 11:31 ` Michal Hocko
2020-06-17 11:31 ` Michal Hocko
2020-06-17 11:31 ` Michal Hocko
2020-06-17 11:31 ` Michal Hocko
2020-06-17 11:31 ` Michal Hocko
2020-06-17 11:31 ` Michal Hocko
2020-06-17 12:23 ` Matthew Wilcox
2020-06-17 12:23 ` Matthew Wilcox
2020-06-17 12:23 ` Matthew Wilcox
2020-06-17 12:23 ` Matthew Wilcox
2020-06-17 12:23 ` Matthew Wilcox
2020-06-17 12:23 ` Matthew Wilcox
2020-06-17 12:23 ` Matthew Wilcox
2020-06-17 12:55 ` Michal Hocko
2020-06-17 12:55 ` Michal Hocko
2020-06-17 12:55 ` Michal Hocko
2020-06-17 12:55 ` Michal Hocko
2020-06-17 12:55 ` Michal Hocko
2020-06-17 12:55 ` Michal Hocko
2020-06-17 12:55 ` Michal Hocko
2020-06-17 8:03 ` Jo -l
2020-06-17 8:03 ` Jo -l
2020-06-17 8:03 ` Jo -l
2020-06-17 8:03 ` Jo -l
2020-06-17 8:03 ` Jo -l
2020-06-17 8:03 ` Jo -l
2020-06-17 8:03 ` Jo -l
2020-06-17 21:31 ` Denis Efremov
2020-06-17 21:31 ` Denis Efremov
2020-06-17 21:31 ` Denis Efremov
2020-06-17 21:31 ` Denis Efremov
2020-06-17 21:31 ` Denis Efremov
2020-06-17 21:31 ` Denis Efremov
2020-06-17 21:31 ` Denis Efremov
2020-06-17 23:12 ` Joe Perches
2020-06-17 23:12 ` Joe Perches
2020-06-17 23:12 ` Joe Perches
2020-06-17 23:12 ` Joe Perches
2020-06-17 23:12 ` Joe Perches
2020-06-17 23:12 ` Joe Perches
2020-06-17 23:12 ` Joe Perches
2020-06-17 23:12 ` Joe Perches
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200616033035.GB902@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=akpm@linux-foundation.org \
--cc=dan.carpenter@oracle.com \
--cc=devel@driverdev.osuosl.org \
--cc=dhowells@redhat.com \
--cc=dsterba@suse.cz \
--cc=ecryptfs@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jmorris@namei.org \
--cc=joe@perches.com \
--cc=kasan-dev@googlegroups.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-amlogic@lists.infradead.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-ppp@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-stm32@st-md-mailman.stormreply.com \
--cc=linux-wireless@vger.kernel.org \
--cc=linux-wpan@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=longman@redhat.com \
--cc=mhocko@suse.com \
--cc=netdev@vger.kernel.org \
--cc=rientjes@google.com \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
--cc=target-devel@vger.kernel.org \
--cc=tipc-discussion@lists.sourceforge.net \
--cc=torvalds@linux-foundation.org \
--cc=virtualization@lists.linux-foundation.org \
--cc=willy@infradead.org \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.