linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Richard Weinberger <richard.weinberger@gmail.com>
Cc: "H. Peter Anvin" <hpa@linux.intel.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Cong Ding <dinggnu@gmail.com>, Ingo Molnar <mingo@elte.hu>,
	Ingo Molnar <mingo@kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Mathias Krause <minipli@googlemail.com>,
	Michael Davidson <md@google.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Subject: Re: [GIT PULL] x86/kaslr for v3.14
Date: Mon, 27 Jan 2014 09:05:25 -0800	[thread overview]
Message-ID: <CAGXu5jLcy9R_N_FQHMFheVTYSB9uobd-Orh7spEmpMaMXDtwEQ@mail.gmail.com> (raw)
In-Reply-To: <CAFLxGvxJ0A6hZ52RWffkg_zXXScyPn10P4HcKvdAXfE43h32Eg@mail.gmail.com>

On Sun, Jan 26, 2014 at 10:49 PM, Richard Weinberger
<richard.weinberger@gmail.com> wrote:
> On Mon, Jan 27, 2014 at 6:33 AM, H. Peter Anvin <hpa@linux.intel.com> wrote:
>> On 01/26/2014 02:16 AM, Richard Weinberger wrote:
>>>
>>> Currently we print the kernel offset only upon a panic() using the
>>> panic notifier list.
>>> This way it does not show up if the kernel hits a BUG() in process
>>> context or something less critical.
>>> Wouldn't make more sense to report the offset in every dump_stack() or
>>> show_regs() call?
>>
>> No, because that information is available to user space unless we panic.
>
> Didn't you mean non-root?
> I thought one has to set dmesg_restrict anyways if kASLR is used.
>
> And isn't the offset available to perf too?
> Of course only for root, but still user space.

Setting dmesg_restrict is done mostly in an effort to try to lock down
access to dmesg since it'll likely contain enough clues to help an
attacker. System owners need to avoid dmesg getting sprayed into
/var/log world-readable, or available via privileged debugging
daemons, etc. Since keeping dmesg secret from non-root users is going
to be error-prone, I had a goal of keeping the offset out of dmesg
while the system is still running -- hence doing it only at panic
time.

Finding the offset as the (unconfined) root user is extremely easy, so
I personally see no reason to hide it from root (and it would be very
irritating for things like perf, too). I view kASLR as a tool for
statistical defense against confined processes or remote attacks.

I would argue that decoding a non-panic oops on a running system is
entirely possible as-is, since the offset can be found from
/proc/kallsyms as root. It was the dead system that needed the offset
exported: via text in the panic, or via an ELF note in a core.

-Kees

-- 
Kees Cook
Chrome OS Security

  parent reply	other threads:[~2014-01-27 17:05 UTC|newest]

Thread overview: 70+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-20 16:47 [GIT PULL] x86/kaslr for v3.14 H. Peter Anvin
2014-01-20 22:54 ` Linus Torvalds
2014-01-20 23:00   ` H. Peter Anvin
2014-01-20 23:12   ` Linus Torvalds
2014-01-20 23:13     ` H. Peter Anvin
2014-01-21  9:00       ` Peter Zijlstra
2014-01-21 14:20         ` H. Peter Anvin
2014-01-21 14:39           ` Ingo Molnar
2014-01-21 14:51             ` H. Peter Anvin
2014-01-21 14:56               ` Ingo Molnar
2014-01-21 18:37           ` Kees Cook
2014-01-21 10:27     ` Ingo Molnar
2014-01-21 13:55       ` H. Peter Anvin
2014-01-21 14:03         ` Ingo Molnar
2014-01-21 14:05           ` H. Peter Anvin
2014-01-21 14:14             ` Ingo Molnar
2014-01-21 14:17               ` H. Peter Anvin
2014-01-21  5:18   ` Kees Cook
2014-01-23  9:39   ` Pavel Machek
2014-01-26 10:16 ` Richard Weinberger
2014-01-27  5:33   ` H. Peter Anvin
2014-01-27  6:49     ` Richard Weinberger
2014-01-27  6:51       ` H. Peter Anvin
2014-01-27  7:38         ` Ingo Molnar
2014-01-27  7:43           ` Ingo Molnar
2014-01-27  7:59           ` Richard Weinberger
2014-01-30 22:07         ` Vivek Goyal
2014-01-31 16:57           ` Kees Cook
2014-02-07 14:49             ` Vivek Goyal
2014-02-07 16:04               ` H. Peter Anvin
2014-02-07 16:24                 ` Vivek Goyal
2014-02-07 23:16                   ` Dave Young
2014-02-07 23:20                     ` H. Peter Anvin
2014-02-07 23:28                       ` Dave Young
2014-02-07 19:07               ` H. Peter Anvin
2014-02-07 19:44                 ` Kees Cook
2014-01-27  6:52       ` H. Peter Anvin
2014-01-27  7:34         ` Richard Weinberger
2014-01-27 17:05       ` Kees Cook [this message]
2014-01-27 17:20         ` Richard Weinberger
2014-01-27 17:24           ` Kees Cook
2014-01-28  6:28             ` Ingo Molnar
2014-01-28  8:25               ` Richard Weinberger
2014-01-28 15:55                 ` H. Peter Anvin
2014-01-28 16:25                   ` Richard Weinberger
2014-01-28 16:30                     ` H. Peter Anvin
2014-01-28 16:51                       ` Linus Torvalds
2014-01-28 17:05                         ` Ingo Molnar
2014-01-28 17:12                           ` Linus Torvalds
2014-01-28 17:24                             ` Richard Weinberger
2014-01-28 17:35                               ` Linus Torvalds
2014-01-28 17:52                                 ` Richard Weinberger
2014-01-28 17:56                                   ` Linus Torvalds
2014-01-28 18:54                                     ` Richard Weinberger
2014-01-28 19:48                             ` Ingo Molnar
2014-01-28 20:07                               ` Linus Torvalds
2014-01-28 20:15                                 ` Borislav Petkov
2014-01-28 20:25                                   ` Linus Torvalds
2014-01-28 20:28                                     ` Richard Weinberger
2014-01-28 20:38                                       ` H. Peter Anvin
2014-01-29  8:25                                         ` Ingo Molnar
2014-01-29 10:40                                           ` Borislav Petkov
2014-01-28 20:49                                     ` Borislav Petkov
2014-01-28 23:37                                       ` Borislav Petkov
2014-01-28 21:08                                     ` Dave Jones
2014-01-29  6:36                                       ` Mike Galbraith
2014-01-29  8:11                                 ` Ingo Molnar
2014-01-29  8:27                                   ` Mathias Krause
2014-01-30  9:23                                     ` Ingo Molnar
2014-01-30 18:15                                       ` Linus Torvalds

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAGXu5jLcy9R_N_FQHMFheVTYSB9uobd-Orh7spEmpMaMXDtwEQ@mail.gmail.com \
    --to=keescook@chromium.org \
    --cc=dinggnu@gmail.com \
    --cc=hpa@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=md@google.com \
    --cc=mingo@elte.hu \
    --cc=mingo@kernel.org \
    --cc=minipli@googlemail.com \
    --cc=richard.weinberger@gmail.com \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=yongjun_wei@trendmicro.com.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).