From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-vk0-f72.google.com (mail-vk0-f72.google.com [209.85.213.72]) by kanga.kvack.org (Postfix) with ESMTP id E8BFC6B000A for ; Mon, 12 Feb 2018 20:25:28 -0500 (EST) Received: by mail-vk0-f72.google.com with SMTP id p2so10028465vke.6 for ; Mon, 12 Feb 2018 17:25:28 -0800 (PST) Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41]) by mx.google.com with SMTPS id m18sor3885942uab.288.2018.02.12.17.25.27 for (Google Transport Security); Mon, 12 Feb 2018 17:25:27 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> From: Kees Cook Date: Mon, 12 Feb 2018 17:25:25 -0800 Message-ID: Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Laura Abbott Cc: Igor Stoppa , Boris Lukashev , Christopher Lameter , Matthew Wilcox , Jann Horn , Jerome Glisse , Michal Hocko , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , Kernel Hardening On Mon, Feb 12, 2018 at 4:40 PM, Laura Abbott wrote: > On 02/12/2018 03:27 PM, Kees Cook wrote: >> >> On Sun, Feb 4, 2018 at 7:05 AM, Igor Stoppa >> wrote: >>> >>> On 04/02/18 00:29, Boris Lukashev wrote: >>>> >>>> On Sat, Feb 3, 2018 at 3:32 PM, Igor Stoppa >>>> wrote: >>> >>> >>> [...] >>> >>>>> What you are suggesting, if I have understood it correctly, is that, >>>>> when the pool is protected, the addresses already given out, will >>>>> become >>>>> traps that get resolved through a lookup table that is built based on >>>>> the content of each allocation. >>>>> >>>>> That seems to generate a lot of overhead, not to mention the fact that >>>>> it might not play very well with the MMU. >>>> >>>> >>>> That is effectively what i'm suggesting - as a form of protection for >>>> consumers against direct reads of data which may have been corrupted >>>> by some irrelevant means. In the context of pmalloc, it would probably >>>> be a separate type of ro+verified pool >>> >>> ok, that seems more like an extension though. >>> >>> ATM I am having problems gaining traction to get even the basic merged >>> :-) >>> >>> I would consider this as a possibility for future work, unless it is >>> said that it's necessary for pmalloc to be accepted ... >> >> >> I would agree: let's get basic functionality in first. Both >> verification and the physmap part can be done separately, IMO. > > > Skipping over physmap leaves a pretty big area of exposure that could > be difficult to solve later. I appreciate this might block basic > functionality but I don't think we should just gloss over it without > at least some idea of what we would do. What's our exposure on physmap for other regions? e.g. things that are executable, or made read-only later (like __ro_after_init)? -Kees -- Kees Cook Pixel Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org