From: "PaX Team" <pageexec@freemail.hu> To: Ingo Molnar <mingo@kernel.org> Cc: kernel-hardening@lists.openwall.com, Mathias Krause <minipli@googlemail.com>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, Kees Cook <keescook@chromium.org>, Andy Lutomirski <luto@amacapital.net>, Ingo Molnar <mingo@redhat.com>, Thomas Gleixner <tglx@linutronix.de>, "H. Peter Anvin" <hpa@zytor.com>, x86-ml <x86@kernel.org>, Arnd Bergmann <arnd@arndb.de>, Michael Ellerman <mpe@ellerman.id.au>, linux-arch@vger.kernel.org, Emese Revfy <re.emese@gmail.com> Subject: Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory Date: Thu, 26 Nov 2015 13:14:26 +0100 [thread overview] Message-ID: <5656F7A2.738.131F89C0@pageexec.freemail.hu> (raw) In-Reply-To: <20151126104229.GA8530@gmail.com> On 26 Nov 2015 at 11:42, Ingo Molnar wrote: > * PaX Team <pageexec@freemail.hu> wrote: > > > On 26 Nov 2015 at 9:54, Ingo Molnar wrote: > > > e.g., imagine that the write was to a function pointer (even an entire ops > > structure) or a boolean that controls some important feature for after-init > > code. ignoring/dropping such writes could cause all kinds of logic bugs (if not > > worse). > > Well, the typical case is that it's a logic bug to _do_ the write: the structure > was marked readonly for a reason but some init code re-runs during suspend or so. that's actually not the typical case in my experience, but rather these two: 1. initial mistake: someone didn't actually check whether the given object can be __read_only 2. code evolution: an object that was once written by __init code only (and thus proactively subjected to __read_only) gets modified by non-init code due to later changes what you described above is a third case where there's a latent bug to begin (unintended write) with that __read_only merely exposes but doesn't create itself, unlike the two cases above (intended writes getting caught by wrong use of __read_only). > But yes, logic bugs might trigger - but that is true in the opposite case as well, > if we do the write despite it being marked readonly: not really, the two cases above are not a priori bugs, they become bugs due to using __read_only without due care (which is why i suggested to detect them at compile time). > > misusing __read_only and ignoring write attempts would effectively produce the > > same misbehaviour as above so i strongly advise against it. > > No, the difference to the GCC related aliasing bug is that with my technique the > kernel would immediately produce a very visible kernel warning, which is a very > clear sign that is wrong - and with a very clear backtrace in the warning that > points right to the problematic code - which signature shows us (and users) what > is wrong. my proposal would produce the exact same reports, the difference is in letting the write attempt succeed vs. skipping it. this latter step is what is wrong since it introduces at least a logic bug the same way the constprop optimization created a logic bug. > Plus the truly paranoid might panic/halt the system on such warnings, so for > highly secure systems there's a way to not even allow the possibility of logic > bugs. (at the cost of stopping the system when a bug triggers.) this would/should be the default behaviour, i.e., no attempt at being smart by either allowing or skipping the faulting insn, just report the event and trigger whatever fancy future exploit reaction mechanism will get into the kernel.
WARNING: multiple messages have this Message-ID (diff)
From: "PaX Team" <pageexec@freemail.hu> To: Ingo Molnar <mingo@kernel.org> Cc: kernel-hardening@lists.openwall.com, Mathias Krause <minipli@googlemail.com>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, Kees Cook <keescook@chromium.org>, Andy Lutomirski <luto@amacapital.net>, Ingo Molnar <mingo@redhat.com>, Thomas Gleixner <tglx@linutronix.de>, "H. Peter Anvin" <hpa@zytor.com>, x86-ml <x86@kernel.org>, Arnd Bergmann <arnd@arndb.de>, Michael Ellerman <mpe@ellerman.id.au>, linux-arch@vger.kernel.org, Emese Revfy <re.emese@gmail.com> Subject: Re: [PATCH 0/2] introduce post-init read-only memory Date: Thu, 26 Nov 2015 13:14:26 +0100 [thread overview] Message-ID: <5656F7A2.738.131F89C0@pageexec.freemail.hu> (raw) In-Reply-To: <20151126104229.GA8530@gmail.com> On 26 Nov 2015 at 11:42, Ingo Molnar wrote: > * PaX Team <pageexec@freemail.hu> wrote: > > > On 26 Nov 2015 at 9:54, Ingo Molnar wrote: > > > e.g., imagine that the write was to a function pointer (even an entire ops > > structure) or a boolean that controls some important feature for after-init > > code. ignoring/dropping such writes could cause all kinds of logic bugs (if not > > worse). > > Well, the typical case is that it's a logic bug to _do_ the write: the structure > was marked readonly for a reason but some init code re-runs during suspend or so. that's actually not the typical case in my experience, but rather these two: 1. initial mistake: someone didn't actually check whether the given object can be __read_only 2. code evolution: an object that was once written by __init code only (and thus proactively subjected to __read_only) gets modified by non-init code due to later changes what you described above is a third case where there's a latent bug to begin (unintended write) with that __read_only merely exposes but doesn't create itself, unlike the two cases above (intended writes getting caught by wrong use of __read_only). > But yes, logic bugs might trigger - but that is true in the opposite case as well, > if we do the write despite it being marked readonly: not really, the two cases above are not a priori bugs, they become bugs due to using __read_only without due care (which is why i suggested to detect them at compile time). > > misusing __read_only and ignoring write attempts would effectively produce the > > same misbehaviour as above so i strongly advise against it. > > No, the difference to the GCC related aliasing bug is that with my technique the > kernel would immediately produce a very visible kernel warning, which is a very > clear sign that is wrong - and with a very clear backtrace in the warning that > points right to the problematic code - which signature shows us (and users) what > is wrong. my proposal would produce the exact same reports, the difference is in letting the write attempt succeed vs. skipping it. this latter step is what is wrong since it introduces at least a logic bug the same way the constprop optimization created a logic bug. > Plus the truly paranoid might panic/halt the system on such warnings, so for > highly secure systems there's a way to not even allow the possibility of logic > bugs. (at the cost of stopping the system when a bug triggers.) this would/should be the default behaviour, i.e., no attempt at being smart by either allowing or skipping the faulting insn, just report the event and trigger whatever fancy future exploit reaction mechanism will get into the kernel.
next prev parent reply other threads:[~2015-11-26 12:15 UTC|newest] Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-11-24 21:38 [PATCH 0/2] introduce post-init read-only memory Kees Cook 2015-11-24 21:38 ` [kernel-hardening] " Kees Cook 2015-11-24 21:38 ` [PATCH 1/2] x86: " Kees Cook 2015-11-24 21:38 ` [kernel-hardening] " Kees Cook 2015-11-25 0:34 ` Andy Lutomirski 2015-11-25 0:34 ` [kernel-hardening] " Andy Lutomirski 2015-11-25 0:34 ` Andy Lutomirski 2015-11-25 0:44 ` Kees Cook 2015-11-25 0:44 ` [kernel-hardening] " Kees Cook 2015-11-25 0:44 ` Kees Cook 2015-11-25 0:54 ` [kernel-hardening] " Michael Ellerman 2015-11-25 15:03 ` Kees Cook 2015-11-25 15:03 ` Kees Cook 2015-11-25 23:05 ` Michael Ellerman 2015-11-25 23:32 ` Kees Cook 2015-11-25 23:32 ` Kees Cook 2015-11-25 23:32 ` Kees Cook 2015-11-24 21:38 ` [PATCH 2/2] x86, vdso: mark vDSO read-only after init Kees Cook 2015-11-24 21:38 ` [kernel-hardening] " Kees Cook 2015-11-25 9:13 ` [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory Mathias Krause 2015-11-25 9:13 ` Mathias Krause 2015-11-25 10:06 ` [kernel-hardening] " Clemens Ladisch 2015-11-25 11:14 ` PaX Team 2015-11-25 11:14 ` PaX Team 2015-11-26 15:23 ` [kernel-hardening] " Daniel Micay 2015-11-25 11:05 ` PaX Team 2015-11-25 11:05 ` PaX Team 2015-11-26 8:54 ` [kernel-hardening] " Ingo Molnar 2015-11-26 9:57 ` PaX Team 2015-11-26 9:57 ` PaX Team 2015-11-26 10:42 ` [kernel-hardening] " Ingo Molnar 2015-11-26 12:14 ` PaX Team [this message] 2015-11-26 12:14 ` PaX Team 2015-11-27 8:05 ` [kernel-hardening] " Ingo Molnar 2015-11-27 8:05 ` Ingo Molnar 2015-11-27 15:29 ` [kernel-hardening] " PaX Team 2015-11-27 15:29 ` PaX Team 2015-11-27 16:30 ` [kernel-hardening] " Andy Lutomirski 2015-11-27 16:30 ` Andy Lutomirski 2015-11-29 8:08 ` Ingo Molnar 2015-11-29 11:15 ` PaX Team 2015-11-29 11:15 ` PaX Team 2015-11-29 15:39 ` [kernel-hardening] " Ingo Molnar 2015-11-29 18:05 ` Mathias Krause 2015-11-29 18:05 ` Mathias Krause 2015-11-30 8:01 ` [kernel-hardening] " Ingo Molnar 2015-11-30 8:01 ` Ingo Molnar 2015-11-26 16:11 ` [kernel-hardening] " Andy Lutomirski 2015-11-26 16:11 ` Andy Lutomirski 2015-11-26 16:11 ` Andy Lutomirski 2015-11-27 7:59 ` [kernel-hardening] " Ingo Molnar 2015-11-27 7:59 ` Ingo Molnar 2015-11-27 7:59 ` Ingo Molnar 2015-11-27 18:00 ` [kernel-hardening] " Linus Torvalds 2015-11-27 18:00 ` Linus Torvalds 2015-11-27 18:03 ` Linus Torvalds 2015-11-27 18:03 ` Linus Torvalds 2015-11-27 18:03 ` Linus Torvalds 2015-11-27 20:03 ` [kernel-hardening] " Kees Cook 2015-11-27 20:03 ` Kees Cook 2015-11-27 20:03 ` Kees Cook 2015-11-27 20:09 ` [kernel-hardening] " Andy Lutomirski 2015-11-27 20:09 ` Andy Lutomirski 2015-11-29 8:05 ` Ingo Molnar 2015-11-29 8:05 ` Ingo Molnar 2015-11-30 21:14 ` H. Peter Anvin 2015-11-30 21:14 ` H. Peter Anvin 2015-11-30 21:14 ` H. Peter Anvin 2015-11-30 21:33 ` [kernel-hardening] " Kees Cook 2015-11-30 21:33 ` Kees Cook 2015-11-30 21:38 ` Andy Lutomirski 2015-11-30 21:38 ` Andy Lutomirski 2015-11-30 21:43 ` H. Peter Anvin 2015-11-30 21:43 ` H. Peter Anvin 2015-11-30 21:43 ` H. Peter Anvin 2015-11-25 17:26 ` [kernel-hardening] " Kees Cook 2015-11-25 17:26 ` Kees Cook 2015-11-25 17:26 ` Kees Cook 2015-11-25 17:31 ` [kernel-hardening] " H. Peter Anvin 2015-11-25 17:31 ` H. Peter Anvin 2015-11-25 18:54 ` [kernel-hardening] " Kees Cook 2015-11-25 18:54 ` Kees Cook 2015-11-25 19:06 ` H. Peter Anvin 2015-11-25 19:06 ` H. Peter Anvin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=5656F7A2.738.131F89C0@pageexec.freemail.hu \ --to=pageexec@freemail.hu \ --cc=arnd@arndb.de \ --cc=hpa@zytor.com \ --cc=keescook@chromium.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-arch@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=mingo@kernel.org \ --cc=mingo@redhat.com \ --cc=minipli@googlemail.com \ --cc=mpe@ellerman.id.au \ --cc=re.emese@gmail.com \ --cc=tglx@linutronix.de \ --cc=x86@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.