From: Andy Lutomirski <luto@amacapital.net>
To: Ingo Molnar <mingo@kernel.org>
Cc: PaX Team <pageexec@freemail.hu>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Mathias Krause <minipli@googlemail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Kees Cook <keescook@chromium.org>, Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>, x86-ml <x86@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Michael Ellerman <mpe@ellerman.id.au>,
linux-arch <linux-arch@vger.kernel.org>,
Emese Revfy <re.emese@gmail.com>
Subject: Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory
Date: Thu, 26 Nov 2015 08:11:41 -0800 [thread overview]
Message-ID: <CALCETrXrvAY+mXx+JULw7W+xokcSPFgWm5-McJf9EKhYehPhbA@mail.gmail.com> (raw)
In-Reply-To: <20151126085425.GA29848@gmail.com>
On Thu, Nov 26, 2015 at 12:54 AM, Ingo Molnar <mingo@kernel.org> wrote:
>
> * PaX Team <pageexec@freemail.hu> wrote:
>
>> On 25 Nov 2015 at 10:13, Mathias Krause wrote:
>>
>> > I myself had some educating experience seeing my machine triple fault
>> > when resuming from a S3 sleep. The root cause was a variable that was
>> > annotated __read_only but that was (unnecessarily) modified during CPU
>> > bring-up phase. Debugging that kind of problems is sort of a PITA, you
>> > could imagine.
>
> ( Sidenote: I don't think a ro-faults typically result in triple faults, but yeah,
> even having a regular oops (followed by a hang or reboot) during such an
> undebuggable state of the system is a major PITA. )
>
>> actually the kernel could silently recover from this given how the page fault
>> handler could easily determine that the fault address fell into the
>> data..read_only section and just silently undo the read-only property, log the
>> event to dmesg and retry the faulting access.
>
> So a safer method would be to decode the faulting instruction, to skip it by
> fixing up the return RIP and to log the event. It would be mostly equivalent to
> trying to write to ROM (which get ignored as well), so it's a recoverable (and
> debuggable) event.
>
> We have all the necessary code in place in the kprobes code, see
> arch/x86/lib/insn.c, it's a simplified x86 decoder that knows about instruction
> length (but not about semantics).
>
> Simple skipping plus setting arithmetic flags to init value should be enough I
> think: I don't think we use fancy instructions to write to ro variables, such as
> PUSH/POP with other side effects. If such instructions exist we could minimally
> extend the decoder to do those fixups as well - in addition to double checking
> that we skip simple instructions only with no side effects.
>
> Can you see any fragility in such a technique?
>
After Linus shot down my rdmsr/rwmsr decoding patch, good luck...
More seriously, though, I think this is mostly just like any other
in-kernel fault. We failed, me might be under attack, let's oops. In
the particular case of suspend/resume, we could consider a debug flag
to allow writes to these variables during suspend/resume. In fact,
that might even be a reasonable default. We might want to allow
writes during module unload as well.
For everything else, we should probably focus more on getting OOPSes
to display reliably, which is supposed to work but, on my shiny new
i915-based laptop, is clearly not ready yet (I oopsed it yesterday due
to my own bug and all I had to show for it was a blinking capslock
key, and yes, modesetting works).
--Andy
WARNING: multiple messages have this Message-ID (diff)
From: Andy Lutomirski <luto@amacapital.net>
To: Ingo Molnar <mingo@kernel.org>
Cc: PaX Team <pageexec@freemail.hu>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Mathias Krause <minipli@googlemail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Kees Cook <keescook@chromium.org>, Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>, x86-ml <x86@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Michael Ellerman <mpe@ellerman.id.au>,
linux-arch <linux-arch@vger.kernel.org>,
Emese Revfy <re.emese@gmail.com>
Subject: Re: [PATCH 0/2] introduce post-init read-only memory
Date: Thu, 26 Nov 2015 08:11:41 -0800 [thread overview]
Message-ID: <CALCETrXrvAY+mXx+JULw7W+xokcSPFgWm5-McJf9EKhYehPhbA@mail.gmail.com> (raw)
In-Reply-To: <20151126085425.GA29848@gmail.com>
On Thu, Nov 26, 2015 at 12:54 AM, Ingo Molnar <mingo@kernel.org> wrote:
>
> * PaX Team <pageexec@freemail.hu> wrote:
>
>> On 25 Nov 2015 at 10:13, Mathias Krause wrote:
>>
>> > I myself had some educating experience seeing my machine triple fault
>> > when resuming from a S3 sleep. The root cause was a variable that was
>> > annotated __read_only but that was (unnecessarily) modified during CPU
>> > bring-up phase. Debugging that kind of problems is sort of a PITA, you
>> > could imagine.
>
> ( Sidenote: I don't think a ro-faults typically result in triple faults, but yeah,
> even having a regular oops (followed by a hang or reboot) during such an
> undebuggable state of the system is a major PITA. )
>
>> actually the kernel could silently recover from this given how the page fault
>> handler could easily determine that the fault address fell into the
>> data..read_only section and just silently undo the read-only property, log the
>> event to dmesg and retry the faulting access.
>
> So a safer method would be to decode the faulting instruction, to skip it by
> fixing up the return RIP and to log the event. It would be mostly equivalent to
> trying to write to ROM (which get ignored as well), so it's a recoverable (and
> debuggable) event.
>
> We have all the necessary code in place in the kprobes code, see
> arch/x86/lib/insn.c, it's a simplified x86 decoder that knows about instruction
> length (but not about semantics).
>
> Simple skipping plus setting arithmetic flags to init value should be enough I
> think: I don't think we use fancy instructions to write to ro variables, such as
> PUSH/POP with other side effects. If such instructions exist we could minimally
> extend the decoder to do those fixups as well - in addition to double checking
> that we skip simple instructions only with no side effects.
>
> Can you see any fragility in such a technique?
>
After Linus shot down my rdmsr/rwmsr decoding patch, good luck...
More seriously, though, I think this is mostly just like any other
in-kernel fault. We failed, me might be under attack, let's oops. In
the particular case of suspend/resume, we could consider a debug flag
to allow writes to these variables during suspend/resume. In fact,
that might even be a reasonable default. We might want to allow
writes during module unload as well.
For everything else, we should probably focus more on getting OOPSes
to display reliably, which is supposed to work but, on my shiny new
i915-based laptop, is clearly not ready yet (I oopsed it yesterday due
to my own bug and all I had to show for it was a blinking capslock
key, and yes, modesetting works).
--Andy
next prev parent reply other threads:[~2015-11-26 16:12 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-24 21:38 [PATCH 0/2] introduce post-init read-only memory Kees Cook
2015-11-24 21:38 ` [kernel-hardening] " Kees Cook
2015-11-24 21:38 ` [PATCH 1/2] x86: " Kees Cook
2015-11-24 21:38 ` [kernel-hardening] " Kees Cook
2015-11-25 0:34 ` Andy Lutomirski
2015-11-25 0:34 ` [kernel-hardening] " Andy Lutomirski
2015-11-25 0:34 ` Andy Lutomirski
2015-11-25 0:44 ` Kees Cook
2015-11-25 0:44 ` [kernel-hardening] " Kees Cook
2015-11-25 0:44 ` Kees Cook
2015-11-25 0:54 ` [kernel-hardening] " Michael Ellerman
2015-11-25 15:03 ` Kees Cook
2015-11-25 15:03 ` Kees Cook
2015-11-25 23:05 ` Michael Ellerman
2015-11-25 23:32 ` Kees Cook
2015-11-25 23:32 ` Kees Cook
2015-11-25 23:32 ` Kees Cook
2015-11-24 21:38 ` [PATCH 2/2] x86, vdso: mark vDSO read-only after init Kees Cook
2015-11-24 21:38 ` [kernel-hardening] " Kees Cook
2015-11-25 9:13 ` [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory Mathias Krause
2015-11-25 9:13 ` Mathias Krause
2015-11-25 10:06 ` [kernel-hardening] " Clemens Ladisch
2015-11-25 11:14 ` PaX Team
2015-11-25 11:14 ` PaX Team
2015-11-26 15:23 ` [kernel-hardening] " Daniel Micay
2015-11-25 11:05 ` PaX Team
2015-11-25 11:05 ` PaX Team
2015-11-26 8:54 ` [kernel-hardening] " Ingo Molnar
2015-11-26 9:57 ` PaX Team
2015-11-26 9:57 ` PaX Team
2015-11-26 10:42 ` [kernel-hardening] " Ingo Molnar
2015-11-26 12:14 ` PaX Team
2015-11-26 12:14 ` PaX Team
2015-11-27 8:05 ` [kernel-hardening] " Ingo Molnar
2015-11-27 8:05 ` Ingo Molnar
2015-11-27 15:29 ` [kernel-hardening] " PaX Team
2015-11-27 15:29 ` PaX Team
2015-11-27 16:30 ` [kernel-hardening] " Andy Lutomirski
2015-11-27 16:30 ` Andy Lutomirski
2015-11-29 8:08 ` Ingo Molnar
2015-11-29 11:15 ` PaX Team
2015-11-29 11:15 ` PaX Team
2015-11-29 15:39 ` [kernel-hardening] " Ingo Molnar
2015-11-29 18:05 ` Mathias Krause
2015-11-29 18:05 ` Mathias Krause
2015-11-30 8:01 ` [kernel-hardening] " Ingo Molnar
2015-11-30 8:01 ` Ingo Molnar
2015-11-26 16:11 ` Andy Lutomirski [this message]
2015-11-26 16:11 ` [kernel-hardening] " Andy Lutomirski
2015-11-26 16:11 ` Andy Lutomirski
2015-11-27 7:59 ` [kernel-hardening] " Ingo Molnar
2015-11-27 7:59 ` Ingo Molnar
2015-11-27 7:59 ` Ingo Molnar
2015-11-27 18:00 ` [kernel-hardening] " Linus Torvalds
2015-11-27 18:00 ` Linus Torvalds
2015-11-27 18:03 ` Linus Torvalds
2015-11-27 18:03 ` Linus Torvalds
2015-11-27 18:03 ` Linus Torvalds
2015-11-27 20:03 ` [kernel-hardening] " Kees Cook
2015-11-27 20:03 ` Kees Cook
2015-11-27 20:03 ` Kees Cook
2015-11-27 20:09 ` [kernel-hardening] " Andy Lutomirski
2015-11-27 20:09 ` Andy Lutomirski
2015-11-29 8:05 ` Ingo Molnar
2015-11-29 8:05 ` Ingo Molnar
2015-11-30 21:14 ` H. Peter Anvin
2015-11-30 21:14 ` H. Peter Anvin
2015-11-30 21:14 ` H. Peter Anvin
2015-11-30 21:33 ` [kernel-hardening] " Kees Cook
2015-11-30 21:33 ` Kees Cook
2015-11-30 21:38 ` Andy Lutomirski
2015-11-30 21:38 ` Andy Lutomirski
2015-11-30 21:43 ` H. Peter Anvin
2015-11-30 21:43 ` H. Peter Anvin
2015-11-30 21:43 ` H. Peter Anvin
2015-11-25 17:26 ` [kernel-hardening] " Kees Cook
2015-11-25 17:26 ` Kees Cook
2015-11-25 17:26 ` Kees Cook
2015-11-25 17:31 ` [kernel-hardening] " H. Peter Anvin
2015-11-25 17:31 ` H. Peter Anvin
2015-11-25 18:54 ` [kernel-hardening] " Kees Cook
2015-11-25 18:54 ` Kees Cook
2015-11-25 19:06 ` H. Peter Anvin
2015-11-25 19:06 ` H. Peter Anvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrXrvAY+mXx+JULw7W+xokcSPFgWm5-McJf9EKhYehPhbA@mail.gmail.com \
--to=luto@amacapital.net \
--cc=arnd@arndb.de \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=minipli@googlemail.com \
--cc=mpe@ellerman.id.au \
--cc=pageexec@freemail.hu \
--cc=re.emese@gmail.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.