From: Ingo Molnar <mingo@elte.hu>
To: "Larry H." <research@subreption.com>
Cc: Rik van Riel <riel@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
pageexec@freemail.hu, Arjan van de Ven <arjan@infradead.org>,
linux-kernel@vger.kernel.org, Linus Torvalds <torvalds@osdl.org>,
linux-mm@kvack.org, Ingo Molnar <mingo@redhat.com>
Subject: Re: [patch 0/5] Support for sanitization flag in low-level page allocator
Date: Sat, 30 May 2009 20:32:57 +0200 [thread overview]
Message-ID: <20090530183257.GB25237@elte.hu> (raw)
In-Reply-To: <20090530172515.GE6535@oblivion.subreption.com>
* Larry H. <research@subreption.com> wrote:
> Done. I just tested with different 'leak' sizes on a kernel
> patched with the latest memory sanitization patch and the
> kfree/kmem_cache_free one:
>
> 10M - no occurrences with immediate scanmem
> 40M - no occurrences with immediate scanmem
> 80M - no occurrences with immediate scanmem
> 160M - no occurrences with immediate scanmem
> 250M - no occurrences with immediate scanmem
> 300M - no occurrences with immediate scanmem
> 500M - no occurrences with immediate scanmem
> 600M - with immediate zeromem 600 and scanmem afterwards,
> no occurrences.
Is the sensitive data (or portions/transformations of it) copied to
the kernel stack and used there?
If not then this isnt a complete/sufficient/fair test of how
sensitive data like crypto keys gets used by the kernel.
In reality sensitive data, if it's relied upon by the kernel, can
(and does) make it to the kernel stack. We see it happen every day
with function return values. Let me quote the example i mentioned
earlier today:
[ 96.138788] [<ffffffff810ab62e>] perf_counter_exit_task+0x10e/0x3f3
[ 96.145464] [<ffffffff8104cf46>] do_exit+0x2e7/0x722
[ 96.150837] [<ffffffff810630cf>] ? up_read+0x9/0xb
[ 96.156036] [<ffffffff8151cc0b>] ? do_page_fault+0x27d/0x2a5
[ 96.162141] [<ffffffff8104d3f4>] do_group_exit+0x73/0xa0
[ 96.167860] [<ffffffff8104d433>] sys_exit_group+0x12/0x16
[ 96.173665] [<ffffffff8100bb2b>] system_call_fastpath+0x16/0x1b
This is a real stackdump and the 'ffffffff8151cc0b' 64-bit word is
actually a leftover from a previous system entry. ( And this is at
the bottom of the stack that gets cleared all the time - the top of
the kernel stack is a lot more more persistent in practice and
crypto calls tend to have a healthy stack footprint. )
Similarly, other sensitive data can be leaked via the kernel stack
too.
So IMO the GFP_SENSITIVE facility (beyond being a technical misnomer
- it should be something like GFP_NON_PERSISTENT instead) actually
results in subtly _worse_ security in the end: because people (and
organizations) 'think' that their keys are safe against information
leaks via this space, while they are not.
The kernel stack can be freed, be reused by something else partially
and then written out to disk (say as part of hibernation) where it's
recoverable from the disk image.
Furthermore, there's no guarantee at all that a task wont stay
around for a long time - with sensitive data still on its kernel
stack.
Ingo
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2009-05-30 18:32 UTC|newest]
Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-20 18:30 Larry H.
2009-05-20 20:42 ` Peter Zijlstra
2009-05-20 21:24 ` Larry H.
2009-05-21 15:21 ` Robin Holt
2009-05-21 18:43 ` Larry H.
2009-05-29 22:58 ` Andrew Morton
2009-05-30 7:00 ` Larry H.
2009-05-30 7:12 ` Pekka Enberg
2009-05-30 7:35 ` Larry H.
2009-05-30 7:39 ` Pekka Enberg
2009-05-21 19:08 ` Rik van Riel
2009-05-21 19:26 ` Alan Cox
2009-05-21 19:56 ` Larry H.
2009-05-21 20:47 ` Alan Cox
2009-05-21 21:46 ` Larry H.
2009-05-21 22:47 ` Alan Cox
2009-05-22 11:22 ` Larry H.
2009-05-22 13:37 ` Alan Cox
2009-05-26 19:02 ` Pavel Machek
2009-05-21 19:17 ` Rik van Riel
2009-05-21 19:30 ` Larry H.
2009-05-22 7:34 ` Ingo Molnar
2009-05-22 11:38 ` Larry H.
2009-05-22 13:39 ` Alan Cox
2009-05-22 18:03 ` Larry H.
2009-05-22 18:21 ` Alan Cox
2009-05-22 23:25 ` [PATCH] Support for kernel memory sanitization Larry H.
2009-05-22 23:52 ` Randy Dunlap
2009-05-22 23:40 ` [patch 0/5] Support for sanitization flag in low-level page allocator Larry H.
2009-05-23 8:09 ` Alan Cox
2009-05-23 15:56 ` Arjan van de Ven
2009-05-23 18:21 ` [PATCH] Support for unconditional page sanitization Larry H.
2009-05-23 21:05 ` Arjan van de Ven
2009-05-24 10:19 ` pageexec
2009-05-24 16:38 ` Arjan van de Ven
2009-05-28 19:36 ` [patch 0/5] Support for sanitization flag in low-level page allocator Peter Zijlstra
2009-05-29 14:32 ` Arjan van de Ven
2009-05-30 5:48 ` Larry H.
2009-05-30 10:39 ` Peter Zijlstra
2009-05-30 10:43 ` Larry H.
2009-05-30 11:42 ` pageexec
2009-05-30 13:21 ` Peter Zijlstra
2009-05-30 13:24 ` Peter Zijlstra
2009-05-30 13:54 ` pageexec
2009-05-30 14:04 ` Larry H.
2009-05-30 14:13 ` Rik van Riel
2009-05-30 14:08 ` Rik van Riel
2009-05-30 14:30 ` Alan Cox
2009-05-30 14:45 ` Peter Zijlstra
2009-05-30 14:48 ` Rik van Riel
2009-05-30 17:00 ` Larry H.
2009-05-30 17:25 ` Larry H.
2009-05-30 18:32 ` Ingo Molnar [this message]
2009-06-05 13:15 ` Pavel Machek
2009-05-31 14:38 ` Arjan van de Ven
2009-05-31 15:03 ` Arjan van de Ven
2009-05-22 18:37 ` Nai Xia
2009-05-22 19:18 ` Nai Xia
2009-05-23 12:49 ` Ingo Molnar
2009-05-23 22:28 ` Larry H.
2009-05-23 22:42 ` Rik van Riel
2009-05-25 1:17 ` [PATCH] Sanitize memory on kfree() and kmem_cache_free() Larry H.
2009-05-27 22:34 ` [patch 0/5] Support for sanitization flag in low-level page allocator Ingo Molnar
2009-05-28 6:27 ` Alan Cox
2009-05-28 7:00 ` Larry H.
2009-05-28 9:08 ` Ingo Molnar
2009-05-28 11:50 ` Alan Cox
2009-05-28 19:44 ` Peter Zijlstra
2009-05-30 7:35 ` Pekka Enberg
2009-05-30 7:50 ` Larry H.
2009-05-30 7:53 ` Pekka Enberg
2009-05-30 8:20 ` Larry H.
2009-05-30 8:33 ` Pekka Enberg
2009-05-30 15:05 ` Ray Lee
2009-05-30 17:34 ` Ingo Molnar
2009-05-30 18:03 ` Larry H.
2009-05-30 18:21 ` Ingo Molnar
2009-05-30 18:45 ` Larry H.
2009-05-30 19:08 ` Ingo Molnar
2009-05-30 20:39 ` Rik van Riel
2009-05-30 20:53 ` Pekka Enberg
2009-05-30 21:33 ` Larry H.
2009-05-30 23:13 ` Alan Cox
2009-05-30 23:18 ` Larry H.
2009-05-31 6:30 ` Pekka Enberg
2009-05-31 11:49 ` Larry H.
2009-05-31 7:17 ` Pekka Enberg
2009-05-31 11:58 ` Larry H.
2009-05-31 12:16 ` Pekka Enberg
2009-05-31 12:30 ` Larry H.
2009-05-31 12:35 ` Pekka Enberg
2009-05-30 23:10 ` Alan Cox
2009-05-31 6:14 ` Pekka Enberg
2009-05-31 10:24 ` Alan Cox
2009-05-31 10:24 ` Pekka Enberg
2009-05-31 12:16 ` Larry H.
2009-05-31 12:19 ` Pekka Enberg
2009-05-31 16:25 ` Alan Cox
2009-05-30 22:10 ` Ingo Molnar
2009-05-30 23:15 ` Alan Cox
2009-05-30 20:22 ` Pekka Enberg
2009-05-30 22:14 ` Ingo Molnar
2009-05-30 17:39 ` Ingo Molnar
2009-05-30 7:57 ` Pekka Enberg
2009-05-30 9:05 ` Larry H.
2009-05-30 17:46 ` Ingo Molnar
2009-05-30 18:09 ` Larry H.
2009-05-30 8:31 ` Alan Cox
2009-05-30 8:35 ` Pekka Enberg
2009-05-30 9:27 ` Larry H.
2009-05-28 18:48 ` pageexec
2009-05-30 17:50 ` Ingo Molnar
2009-05-28 12:48 ` Pavel Machek
2009-05-28 12:55 ` Larry H.
2009-05-28 18:56 pageexec
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090530183257.GB25237@elte.hu \
--to=mingo@elte.hu \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@redhat.com \
--cc=pageexec@freemail.hu \
--cc=peterz@infradead.org \
--cc=research@subreption.com \
--cc=riel@redhat.com \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox