Re: [PATCH v2 1/3] module: verify address is read-only

From: Kees Cook
Date: Tue Feb 21 2017 - 15:32:42 EST

Next message: Vladimir Zapolskiy: "Re: [PATCH v9 2/2] Add support for OV5647 sensor."
Previous message: Jason Baron: "Re: [RFC 0/3] fs,epoll: Add ability to call kcmp to find target files"
In reply to: Stephen Hemminger: "Re: [PATCH v2 1/3] module: verify address is read-only"
Next in thread: Stephen Hemminger: "Re: [PATCH v2 1/3] module: verify address is read-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Feb 20, 2017 at 9:14 AM, Stephen Hemminger
<stephen@xxxxxxxxxxxxxxxxxx> wrote:
> On Fri, 17 Feb 2017 21:58:42 -0800
> "Eddie Kovsky" <ewk@xxxxxxxxxxxx> wrote:
>
>> Implement a mechanism to check if a module's address is in
>> the rodata or ro_after_init sections. It mimics the exsiting functions
>> that test if an address is inside a module's text section.
>>
>> Signed-off-by: Eddie Kovsky <ewk@xxxxxxxxxxxx>
>
> I don't see the point of this for many of the hyper-v functions.
> They are only called from a small number of places, and this can be validated
> by code inspection. Adding this seems just seems to be code bloat to me.

I think it has value in that it effectively blocks any way for
non-ro_after_init structures from being passed into these functions.
Since there are so few callers now, it's the perfect place to add
this.

-Kees

--
Kees Cook
Pixel Security

Next message: Vladimir Zapolskiy: "Re: [PATCH v9 2/2] Add support for OV5647 sensor."
Previous message: Jason Baron: "Re: [RFC 0/3] fs,epoll: Add ability to call kcmp to find target files"
In reply to: Stephen Hemminger: "Re: [PATCH v2 1/3] module: verify address is read-only"
Next in thread: Stephen Hemminger: "Re: [PATCH v2 1/3] module: verify address is read-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]