From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC33AC46467 for ; Thu, 19 Jan 2023 20:19:36 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 2C7066B0072; Thu, 19 Jan 2023 15:19:36 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 29D3C6B0073; Thu, 19 Jan 2023 15:19:36 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 165306B0074; Thu, 19 Jan 2023 15:19:36 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id 0598A6B0072 for ; Thu, 19 Jan 2023 15:19:36 -0500 (EST) Received: from smtpin27.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id CDBCA807C4 for ; Thu, 19 Jan 2023 20:19:35 +0000 (UTC) X-FDA: 80372663910.27.DE6E8E5 Received: from mail-ed1-f51.google.com (mail-ed1-f51.google.com [209.85.208.51]) by imf12.hostedemail.com (Postfix) with ESMTP id E6BC540012 for ; Thu, 19 Jan 2023 20:19:33 +0000 (UTC) Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=Njq65P8q; spf=pass (imf12.hostedemail.com: domain of sethjenkins@google.com designates 209.85.208.51 as permitted sender) smtp.mailfrom=sethjenkins@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1674159574; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=DwALFcrEiKMJKQDtzjjSGBC+/S37AZnAdeZoHTjv71c=; b=Cd+H/EdGJGXJIMkZ9vcamD3H+f+WIVvkNgKTl7aJ6KgjbHO1EMBvE5oSfuJV0TdCrVehmh LFFPvMYymHwus8dnXMWuPFh1uRQ8Fd1I/sY7Y7sCuKGrLUYkGYomWbu6Co4efwlRaWW/Fi mC/sL843XKTcFrHzLdrTMs0yH8u7zYQ= ARC-Authentication-Results: i=1; imf12.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=Njq65P8q; spf=pass (imf12.hostedemail.com: domain of sethjenkins@google.com designates 209.85.208.51 as permitted sender) smtp.mailfrom=sethjenkins@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1674159574; a=rsa-sha256; cv=none; b=3Khja411lgXEgj1hyq9PVPJODu2jM6GSaOUholigZBeXHNwi7EztslL27wDoeo9xT8oCyh GJGf++ZTc91b5mD8fSpRdDqBctVCNf9/cuT/RhXtAwemKCX+rhGcXmIGEpiEfzM09MtXrT yYCMQndBCBV/sesp8O2ncNO6g+f8ZYo= Received: by mail-ed1-f51.google.com with SMTP id v5so4370148edc.3 for ; Thu, 19 Jan 2023 12:19:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DwALFcrEiKMJKQDtzjjSGBC+/S37AZnAdeZoHTjv71c=; b=Njq65P8qY5m18g3GH2t0w3dsUdB8sQH/p0VvLnd1DZqbHJBKfxVxoVI5v1paDuzb/G KPqS2O0x9KOHyCCYmGES4RgQONH23PeN4N3vTs4kZeT0sTKmNfouCv58lm8NTI0dhUnO 7oMO9lXt/jgJQH1QYvtMUAbvFu3FxNRZrkJSUI9JRS5cRCoMin+wqnXYMkEGV0o2egn9 7iw92WXeIX8e8jFT6Ap+GGe+6kDuTDN2eUMWHX6YqslL6cQ0QBGCSw7Dwca6JlG+4+eP FMpa2cP0EFWSr4vkrIgbwJgaeLENpsCrblmfhBcJNzq51ZZc6hbw2fPuF2yIgcCgx+6f DB/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DwALFcrEiKMJKQDtzjjSGBC+/S37AZnAdeZoHTjv71c=; b=Gv9ZItNKNuAvvzXuvzGWXVLUPWjOJKYYS+euFhQRDVdpsujE80x7HDZ2cu299YoCw7 HuPYom2R65ildAKVvuUXb848zAQfTxoq/CxiT35tCjAtrpdCDsxK1dmxIZf3BXOYdGHV IrIZoslzeZuzq6WHqmzIeuXr1Fb+0yeT23jLxEFzrbjSXwlppm/veyTAlGfgBw+ILzi4 +G/ZwPDNBEJsP8CCUvS+j04nTWH8MANvirNVF/gh2E4zLWvIhuvgHHxJ2qxDEpZ5opbI Nx+dnepDCrcqtckToXvgbqZ9Tbem3nmiI+YNyZqApFfo7bxc39kAuZ1jqiDhciWIYl66 QeiQ== X-Gm-Message-State: AFqh2krbxrAsxZhVRimWJXJPyEZ4C7KGSFJF7a2gvVZiQZh44bfayK1x e+Hr6LwYYl5AF0O4KQQGGOnu9Kon7s/byaAWQ1uzKw== X-Google-Smtp-Source: AMrXdXvmH0GRGbwaV7u5oSOSaoK0g9rea6G6setaQjtfKdKGn4KEEffOqbcap4UQW7bxQuTToTvUKrVZdkyR5Uxyv3s= X-Received: by 2002:a05:6402:221a:b0:49d:836e:21f9 with SMTP id cq26-20020a056402221a00b0049d836e21f9mr1588134edb.36.1674159572334; Thu, 19 Jan 2023 12:19:32 -0800 (PST) MIME-Version: 1.0 References: <20221117234328.594699-2-keescook@chromium.org> <20230119201023.4003-1-sj@kernel.org> In-Reply-To: <20230119201023.4003-1-sj@kernel.org> From: Seth Jenkins Date: Thu, 19 Jan 2023 15:19:21 -0500 Message-ID: Subject: Re: [PATCH v3 2/6] exit: Put an upper limit on how often we can oops To: SeongJae Park Cc: Kees Cook , Jann Horn , Luis Chamberlain , Greg KH , Linus Torvalds , Andy Lutomirski , Andrew Morton , tangmeng , "Guilherme G. Piccoli" , Tiezhu Yang , Sebastian Andrzej Siewior , "Eric W. Biederman" , Arnd Bergmann , Dmitry Vyukov , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Daniel Bristot de Oliveira , Valentin Schneider , Andrey Ryabinin , Alexander Potapenko , Andrey Konovalov , Vincenzo Frascino , David Gow , "Paul E. McKenney" , Jonathan Corbet , Baolin Wang , "Jason A. Donenfeld" , Eric Biggers , Huang Ying , Anton Vorontsov , Mauro Carvalho Chehab , Laurent Dufour , Rob Herring , linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-doc@vger.kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Rspam-User: X-Rspamd-Server: rspam03 X-Stat-Signature: y4mfrh1yf74p8biyfbmsec3oadwak9i9 X-Rspamd-Queue-Id: E6BC540012 X-HE-Tag: 1674159573-106090 X-HE-Meta: U2FsdGVkX19FEaQqNPht5ScQmleiKpNudrTloPhf696TbAUq6W610zUUXABxrzajYT66gAABksTW7czezQbZx/hqa8foG5b7Yxq9nQw6fBP+KdP5lvZtWRtTImTckdtBSoiCtXBV37nxvJ+VybDROIKDmWZWRACTdOxtM9rfyIwJQWJKV+28I73NFmbafgMq5uPMN3WKTl7D9Hm7xbeJjMFVkpkI1ZjGgfd4Pyz5sfNSqLlx6jz/vAzukPL1PPe0Nt5XQGWET+EZ971axop95PCV8mM+nyt+ajC3TGh9eTjwmFIka7uSrsyQVhDwBafLbu2SUTvbXOmxsIIyMg006n2NGrF4xkJi7o2pfS1CM9nuuT3Sgk1aR0MaIIT/UJ2ACJ8igk8Qc6RgS0vOrPJ3hlUwnTixwjd1xlUrUeULuXtDE2/VnL/Niv93yRS/wk1MSxiNAfLFixTUWOyzRw1iXlhqi9AT4noMfryZaJpvkUTwwUU+x2f7V/iN1YmmF0pzpBwKhMlA8Y8JeWnZ0znVXRR1adwV+ro8Y8GbzHHBziCLM1e8PFyCYZdOPsWqZMYyiMbqz7c6BE6q6eWKeW2Wm9aKQHfByUcKPctEKaGjEcy5sLyx2IUfzhySXZFSvVjQRTSKLaU4dBDDOlWXpxKbGeaufax2/QRtgWPHV15JW2IY7sqMVnEI/jMryd7k2kpsJ64qYFIuyv5zIJjYXSD8Gl9TjJKNzAImDZ1kwixq7uMACvcPYwXQ0Y1PbCj7OceKNKX6s/sWpCkehXWxtDbSZ4baxO1pJXMOqBze5pGXDyIvhSv4/uQmVkI5/GK2K/tBSuW5rdKpqPpwkLhA8OESdl8HODjPdwyKrrYR94aEUoh43gxlGBA7huOyPCzEaXMljRaJErsQBhu1jhGMUuVURKe+lTlGtCMA6IfpCxS7rzL4T5IPwnVlILkaYUPwlhfaDvDC+rSTfyuNKSldtY6 dHoQ0xuj mjn1HliNYNMDKUp2WaDyl17bVWKX0I/JrrC/SOgIeR6xoWYtPT3l4+aZMuBFvbJIIdfZhBI6KAO5WCGz7rB/nQxLoKx0tVQEZTKlT7EAzEGyQiSzB0WzrL9AwBD2rOm4tyWyxcRtRqpm8heHK35MIN61TfvCqzqbJCTwV0D7jAEpCHrCZteJOhK7zkPKBhtco4ORVWED2yOuzEdMdE1kpxMR/9aj6QjjBBFSbglslVHgZOrs7MOknpCeMXkM4/xqREbO+Zp163NA5O4VdSMxJLdLLvOfN5eTx+wx3VV8NuTcdJve0yqdrkwVyuARp036puuxDgDpeacE5UCsWRSiH0YtCTDhs0kwyS/Q4f8gHPVV+PE2ULm7KXZfEpvg+5cGinmouqHVyv8kp2+0OQNwGgtExxBo1J5K9XXbyhEn89odnNigHV4J64Oy99aIiKkOQYUZY9bo3C5mcvEqe/Rtr5f9MjyAPpEQ842kYVnEulQ8qTMP0wbjOgo6JygKy+tT+aKVpr3FjDZdz8VlM89nh3JYJ/mVh5Jos3tiVbbSa62vVm1mAA5mAP7zlPh2TFrgcOIPsRWdUPVk+GaZqn4IVZoyN1syceVFsGWoGt+crGBMSPSE= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: > Do you have a plan to backport this into upstream LTS kernels? As I understand, the answer is "hopefully yes" with the big presumption that all stakeholders are on board for the change. There is *definitely* a plan to *submit* backports to the stable trees, but ofc it will require some approvals. On Thu, Jan 19, 2023 at 3:10 PM SeongJae Park wrote: > > Hello, > > On Thu, 17 Nov 2022 15:43:22 -0800 Kees Cook wrote: > > > From: Jann Horn > > > > Many Linux systems are configured to not panic on oops; but allowing an > > attacker to oops the system **really** often can make even bugs that look > > completely unexploitable exploitable (like NULL dereferences and such) if > > each crash elevates a refcount by one or a lock is taken in read mode, and > > this causes a counter to eventually overflow. > > > > The most interesting counters for this are 32 bits wide (like open-coded > > refcounts that don't use refcount_t). (The ldsem reader count on 32-bit > > platforms is just 16 bits, but probably nobody cares about 32-bit platforms > > that much nowadays.) > > > > So let's panic the system if the kernel is constantly oopsing. > > > > The speed of oopsing 2^32 times probably depends on several factors, like > > how long the stack trace is and which unwinder you're using; an empirically > > important one is whether your console is showing a graphical environment or > > a text console that oopses will be printed to. > > In a quick single-threaded benchmark, it looks like oopsing in a vfork() > > child with a very short stack trace only takes ~510 microseconds per run > > when a graphical console is active; but switching to a text console that > > oopses are printed to slows it down around 87x, to ~45 milliseconds per > > run. > > (Adding more threads makes this faster, but the actual oops printing > > happens under &die_lock on x86, so you can maybe speed this up by a factor > > of around 2 and then any further improvement gets eaten up by lock > > contention.) > > > > It looks like it would take around 8-12 days to overflow a 32-bit counter > > with repeated oopsing on a multi-core X86 system running a graphical > > environment; both me (in an X86 VM) and Seth (with a distro kernel on > > normal hardware in a standard configuration) got numbers in that ballpark. > > > > 12 days aren't *that* short on a desktop system, and you'd likely need much > > longer on a typical server system (assuming that people don't run graphical > > desktop environments on their servers), and this is a *very* noisy and > > violent approach to exploiting the kernel; and it also seems to take orders > > of magnitude longer on some machines, probably because stuff like EFI > > pstore will slow it down a ton if that's active. > > I found a blog article[1] recommending LTS kernels to backport this as below. > > While this patch is already upstream, it is important that distributed > kernels also inherit this oops limit and backport it to LTS releases if we > want to avoid treating such null-dereference bugs as full-fledged security > issues in the future. > > Do you have a plan to backport this into upstream LTS kernels? > > [1] https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html > > > Thanks, > SJ > > > > > Signed-off-by: Jann Horn > > Link: https://lore.kernel.org/r/20221107201317.324457-1-jannh@google.com > > Reviewed-by: Luis Chamberlain > > Signed-off-by: Kees Cook