linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Laura Abbott <labbott@redhat.com>
Cc: Igor Stoppa <igor.stoppa@huawei.com>,
	Boris Lukashev <blukashev@sempervictus.com>,
	Christopher Lameter <cl@linux.com>,
	Matthew Wilcox <willy@infradead.org>,
	Jann Horn <jannh@google.com>, Jerome Glisse <jglisse@redhat.com>,
	Michal Hocko <mhocko@kernel.org>,
	Christoph Hellwig <hch@infradead.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Linux-MM <linux-mm@kvack.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory
Date: Mon, 12 Feb 2018 17:25:25 -0800	[thread overview]
Message-ID: <CAGXu5j++igQD4tMh0J8nZ9jNji5mU16C7OygFJ5Td+Bq-KSMgw@mail.gmail.com> (raw)
In-Reply-To: <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com>

On Mon, Feb 12, 2018 at 4:40 PM, Laura Abbott <labbott@redhat.com> wrote:
> On 02/12/2018 03:27 PM, Kees Cook wrote:
>>
>> On Sun, Feb 4, 2018 at 7:05 AM, Igor Stoppa <igor.stoppa@huawei.com>
>> wrote:
>>>
>>> On 04/02/18 00:29, Boris Lukashev wrote:
>>>>
>>>> On Sat, Feb 3, 2018 at 3:32 PM, Igor Stoppa <igor.stoppa@huawei.com>
>>>> wrote:
>>>
>>>
>>> [...]
>>>
>>>>> What you are suggesting, if I have understood it correctly, is that,
>>>>> when the pool is protected, the addresses already given out, will
>>>>> become
>>>>> traps that get resolved through a lookup table that is built based on
>>>>> the content of each allocation.
>>>>>
>>>>> That seems to generate a lot of overhead, not to mention the fact that
>>>>> it might not play very well with the MMU.
>>>>
>>>>
>>>> That is effectively what i'm suggesting - as a form of protection for
>>>> consumers against direct reads of data which may have been corrupted
>>>> by some irrelevant means. In the context of pmalloc, it would probably
>>>> be a separate type of ro+verified pool
>>>
>>> ok, that seems more like an extension though.
>>>
>>> ATM I am having problems gaining traction to get even the basic merged
>>> :-)
>>>
>>> I would consider this as a possibility for future work, unless it is
>>> said that it's necessary for pmalloc to be accepted ...
>>
>>
>> I would agree: let's get basic functionality in first. Both
>> verification and the physmap part can be done separately, IMO.
>
>
> Skipping over physmap leaves a pretty big area of exposure that could
> be difficult to solve later. I appreciate this might block basic
> functionality but I don't think we should just gloss over it without
> at least some idea of what we would do.

What's our exposure on physmap for other regions? e.g. things that are
executable, or made read-only later (like __ro_after_init)?

-Kees

-- 
Kees Cook
Pixel Security

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

  reply	other threads:[~2018-02-13  1:25 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-24 17:56 [RFC PATCH v11 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-01-24 17:56 ` [PATCH 1/6] genalloc: track beginning of allocations Igor Stoppa
2018-01-24 17:56 ` [PATCH 2/6] genalloc: selftest Igor Stoppa
2018-01-24 17:56 ` [PATCH 3/6] struct page: add field for vm_struct Igor Stoppa
2018-01-24 17:56 ` [PATCH 4/6] Protectable Memory Igor Stoppa
2018-01-24 19:10   ` [kernel-hardening] " Jann Horn
2018-01-25 11:59     ` Igor Stoppa
2018-01-25 15:14       ` Boris Lukashev
2018-01-25 15:38         ` Jerome Glisse
2018-01-26 12:28           ` Igor Stoppa
2018-01-26 16:36             ` Boris Lukashev
2018-01-30 13:46               ` Igor Stoppa
2018-01-26  5:35     ` Matthew Wilcox
2018-01-26 11:46       ` Igor Stoppa
2018-02-02 18:39       ` Christopher Lameter
2018-02-03 15:38         ` Igor Stoppa
2018-02-03 19:57           ` Igor Stoppa
2018-02-03 20:12             ` Boris Lukashev
2018-02-03 20:32               ` Igor Stoppa
2018-02-03 22:29                 ` Boris Lukashev
2018-02-04 15:05                   ` Igor Stoppa
2018-02-12 23:27                     ` Kees Cook
2018-02-13  0:40                       ` Laura Abbott
2018-02-13  1:25                         ` Kees Cook [this message]
2018-02-13  3:39                           ` Jann Horn
2018-02-13 16:09                             ` Laura Abbott
2018-02-13 21:43                               ` Kees Cook
2018-02-14 19:06                                 ` arm64 physmap (was Re: [kernel-hardening] [PATCH 4/6] Protectable Memory) Laura Abbott
2018-02-14 19:28                                   ` Ard Biesheuvel
2018-02-14 20:13                                     ` Laura Abbott
2018-02-14 19:29                                   ` Kees Cook
2018-02-14 19:35                                     ` Kees Cook
2018-02-20 16:28                                     ` Igor Stoppa
2018-02-21 22:22                                       ` Kees Cook
2018-02-14 19:48                                   ` Kees Cook
2018-02-14 22:13                                     ` Tycho Andersen
2018-02-14 22:27                                       ` Kees Cook
2018-02-13 15:20                         ` [kernel-hardening] [PATCH 4/6] Protectable Memory Igor Stoppa
2018-02-13 15:20                         ` Igor Stoppa
     [not found]                         ` <5a83024c.64369d0a.a1e94.cdd6SMTPIN_ADDED_BROKEN@mx.google.com>
2018-02-13 18:10                           ` [kernel-hardening] " Laura Abbott
2018-02-20 17:16                             ` Igor Stoppa
2018-02-21 22:37                               ` Kees Cook
2018-02-05 15:40           ` Christopher Lameter
2018-02-09 11:17             ` Igor Stoppa
2018-01-26 19:41   ` Igor Stoppa
2018-01-24 17:56 ` [PATCH 5/6] Documentation for Pmalloc Igor Stoppa
2018-01-24 19:14   ` Ralph Campbell
2018-01-25  7:53     ` Igor Stoppa
2018-01-24 17:56 ` [PATCH 6/6] Pmalloc: self-test Igor Stoppa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAGXu5j++igQD4tMh0J8nZ9jNji5mU16C7OygFJ5Td+Bq-KSMgw@mail.gmail.com \
    --to=keescook@chromium.org \
    --cc=blukashev@sempervictus.com \
    --cc=cl@linux.com \
    --cc=hch@infradead.org \
    --cc=igor.stoppa@huawei.com \
    --cc=jannh@google.com \
    --cc=jglisse@redhat.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=labbott@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mhocko@kernel.org \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox