From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752174AbcAFA3Z (ORCPT ); Tue, 5 Jan 2016 19:29:25 -0500 Received: from mail-ig0-f171.google.com ([209.85.213.171]:37058 "EHLO mail-ig0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751663AbcAFA3W (ORCPT ); Tue, 5 Jan 2016 19:29:22 -0500 MIME-Version: 1.0 In-Reply-To: <5679A0CB.3060707@labbott.name> References: <1450755641-7856-1-git-send-email-laura@labbott.name> <1450755641-7856-7-git-send-email-laura@labbott.name> <567964F3.2020402@intel.com> <567986E7.50107@intel.com> <56798851.60906@intel.com> <5679943C.1050604@intel.com> <5679A0CB.3060707@labbott.name> Date: Tue, 5 Jan 2016 16:29:21 -0800 X-Google-Sender-Auth: oPiW1uQ6tlixVm370R08pC_eHwg Message-ID: Subject: Re: [kernel-hardening] [RFC][PATCH 6/7] mm: Add Kconfig option for slab sanitization From: Kees Cook To: Laura Abbott Cc: Dave Hansen , Christoph Lameter , "kernel-hardening@lists.openwall.com" , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , LKML Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 22, 2015 at 11:13 AM, Laura Abbott wrote: > On 12/22/15 10:19 AM, Dave Hansen wrote: >> >> On 12/22/2015 10:08 AM, Christoph Lameter wrote: >>> >>> On Tue, 22 Dec 2015, Dave Hansen wrote: >>>>> >>>>> Why would you use zeros? The point is just to clear the information >>>>> right? >>>>> The regular poisoning does that. >>>> >>>> >>>> It then allows you to avoid the zeroing at allocation time. >>> >>> >>> Well much of the code is expecting a zeroed object from the allocator and >>> its zeroed at that time. Zeroing makes the object cache hot which is an >>> important performance aspect. >> >> >> Yes, modifying this behavior has a performance impact. It absolutely >> needs to be evaluated, and I wouldn't want to speculate too much on how >> good or bad any of the choices are. >> >> Just to reiterate, I think we have 3 real choices here: >> >> 1. Zero at alloc, only when __GFP_ZERO >> (behavior today) >> 2. Poison at free, also Zero at alloc (when __GFP_ZERO) >> (this patch's proposed behavior, also what current poisoning does, >> doubles writes) >> 3. Zero at free, *don't* Zero at alloc (when __GFP_ZERO) >> (what I'm suggesting, possibly less perf impact vs. #2) >> >> > > poisoning with non-zero memory makes it easier to determine that the error > came from accessing the sanitized memory vs. some other case. I don't think > the feature would be as strong if the memory was only zeroed vs. some other > data value. I would tend to agree. If there are significant perf improvements for "3" above, that should be easy to add on later as another choice. -Kees -- Kees Cook Chrome OS & Brillo Security From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-io0-f170.google.com (mail-io0-f170.google.com [209.85.223.170]) by kanga.kvack.org (Postfix) with ESMTP id 8823F800C7 for ; Tue, 5 Jan 2016 19:29:22 -0500 (EST) Received: by mail-io0-f170.google.com with SMTP id g73so4566858ioe.3 for ; Tue, 05 Jan 2016 16:29:22 -0800 (PST) Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com. [2607:f8b0:4001:c05::22a]) by mx.google.com with ESMTPS id h10si8958959igq.87.2016.01.05.16.29.21 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Jan 2016 16:29:21 -0800 (PST) Received: by mail-ig0-x22a.google.com with SMTP id z14so18826665igp.0 for ; Tue, 05 Jan 2016 16:29:21 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <5679A0CB.3060707@labbott.name> References: <1450755641-7856-1-git-send-email-laura@labbott.name> <1450755641-7856-7-git-send-email-laura@labbott.name> <567964F3.2020402@intel.com> <567986E7.50107@intel.com> <56798851.60906@intel.com> <5679943C.1050604@intel.com> <5679A0CB.3060707@labbott.name> Date: Tue, 5 Jan 2016 16:29:21 -0800 Message-ID: Subject: Re: [kernel-hardening] [RFC][PATCH 6/7] mm: Add Kconfig option for slab sanitization From: Kees Cook Content-Type: text/plain; charset=UTF-8 Sender: owner-linux-mm@kvack.org List-ID: To: Laura Abbott Cc: Dave Hansen , Christoph Lameter , "kernel-hardening@lists.openwall.com" , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , LKML On Tue, Dec 22, 2015 at 11:13 AM, Laura Abbott wrote: > On 12/22/15 10:19 AM, Dave Hansen wrote: >> >> On 12/22/2015 10:08 AM, Christoph Lameter wrote: >>> >>> On Tue, 22 Dec 2015, Dave Hansen wrote: >>>>> >>>>> Why would you use zeros? The point is just to clear the information >>>>> right? >>>>> The regular poisoning does that. >>>> >>>> >>>> It then allows you to avoid the zeroing at allocation time. >>> >>> >>> Well much of the code is expecting a zeroed object from the allocator and >>> its zeroed at that time. Zeroing makes the object cache hot which is an >>> important performance aspect. >> >> >> Yes, modifying this behavior has a performance impact. It absolutely >> needs to be evaluated, and I wouldn't want to speculate too much on how >> good or bad any of the choices are. >> >> Just to reiterate, I think we have 3 real choices here: >> >> 1. Zero at alloc, only when __GFP_ZERO >> (behavior today) >> 2. Poison at free, also Zero at alloc (when __GFP_ZERO) >> (this patch's proposed behavior, also what current poisoning does, >> doubles writes) >> 3. Zero at free, *don't* Zero at alloc (when __GFP_ZERO) >> (what I'm suggesting, possibly less perf impact vs. #2) >> >> > > poisoning with non-zero memory makes it easier to determine that the error > came from accessing the sanitized memory vs. some other case. I don't think > the feature would be as strong if the memory was only zeroed vs. some other > data value. I would tend to agree. If there are significant perf improvements for "3" above, that should be easy to add on later as another choice. -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Reply-To: kernel-hardening@lists.openwall.com MIME-Version: 1.0 Sender: keescook@google.com In-Reply-To: <5679A0CB.3060707@labbott.name> References: <1450755641-7856-1-git-send-email-laura@labbott.name> <1450755641-7856-7-git-send-email-laura@labbott.name> <567964F3.2020402@intel.com> <567986E7.50107@intel.com> <56798851.60906@intel.com> <5679943C.1050604@intel.com> <5679A0CB.3060707@labbott.name> Date: Tue, 5 Jan 2016 16:29:21 -0800 Message-ID: From: Kees Cook Content-Type: text/plain; charset=UTF-8 Subject: Re: [kernel-hardening] [RFC][PATCH 6/7] mm: Add Kconfig option for slab sanitization To: Laura Abbott Cc: Dave Hansen , Christoph Lameter , "kernel-hardening@lists.openwall.com" , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , LKML List-ID: On Tue, Dec 22, 2015 at 11:13 AM, Laura Abbott wrote: > On 12/22/15 10:19 AM, Dave Hansen wrote: >> >> On 12/22/2015 10:08 AM, Christoph Lameter wrote: >>> >>> On Tue, 22 Dec 2015, Dave Hansen wrote: >>>>> >>>>> Why would you use zeros? The point is just to clear the information >>>>> right? >>>>> The regular poisoning does that. >>>> >>>> >>>> It then allows you to avoid the zeroing at allocation time. >>> >>> >>> Well much of the code is expecting a zeroed object from the allocator and >>> its zeroed at that time. Zeroing makes the object cache hot which is an >>> important performance aspect. >> >> >> Yes, modifying this behavior has a performance impact. It absolutely >> needs to be evaluated, and I wouldn't want to speculate too much on how >> good or bad any of the choices are. >> >> Just to reiterate, I think we have 3 real choices here: >> >> 1. Zero at alloc, only when __GFP_ZERO >> (behavior today) >> 2. Poison at free, also Zero at alloc (when __GFP_ZERO) >> (this patch's proposed behavior, also what current poisoning does, >> doubles writes) >> 3. Zero at free, *don't* Zero at alloc (when __GFP_ZERO) >> (what I'm suggesting, possibly less perf impact vs. #2) >> >> > > poisoning with non-zero memory makes it easier to determine that the error > came from accessing the sanitized memory vs. some other case. I don't think > the feature would be as strong if the memory was only zeroed vs. some other > data value. I would tend to agree. If there are significant perf improvements for "3" above, that should be easy to add on later as another choice. -Kees -- Kees Cook Chrome OS & Brillo Security