Re: [patch 0/5] Support for sanitization flag in low-level page allocator

From: Pekka Enberg
Date: Sat May 30 2009 - 04:39:37 EST

Hi Alan,

Alan Cox wrote:
The problem is that most sensitive data is user space anyway.
GFP_SENSITIVE or kzfree mean you have to get it right in the kernel and
you don't fix things like stack copies of sensitive data - its a quick
hack which doesn't meet goot security programming practice -it defaults
to insecure which is the wrong way around. Not saying its not a bad idea
to kzfree a few keys and things *but* it's not real security.

If you want to do real security you have a sysfs or build flag that turns
on clearing every page on free. Yes it costs performance (a lot less
nowdays with cache bypassing stores) but for the category of user who
wants to be sure nothing escapes it does the job while kzfree would be
like trying to plug leaks in a sieve.

Yup, your suggestion would make one simple patch, for sure. I wonder if anyone is actually prepared to enable the thing at run-time, though, which is why I suggested doing the "critical" kzfree() ones unconditionally.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at