Re: [RFC PATCH 0/2] kpatch: dynamic kernel patching

From: David Lang
Date: Wed May 07 2014 - 18:57:04 EST


On Wed, 7 May 2014, Ingo Molnar wrote:

* Josh Poimboeuf <jpoimboe@xxxxxxxxxx> wrote:

On Wed, May 07, 2014 at 02:24:44PM +0200, Ingo Molnar wrote:

* Josh Poimboeuf <jpoimboe@xxxxxxxxxx> wrote:

Ah this reminds me when we chased kprobes dangerous spots and we
tried to declare __kprobes the functions which were too dangerous
to hot patch.

We eventually gave up because it was impossible to fix everything.
And that was only for kprobes!

So you can never tell if a given patch will impact a given
kthread.

If the user (or the person creating the patch for them) doesn't
understand all impacts of the patch, they have no business patching
their kernel with it.

I think what is being somewhat lost is this discussion is the
distinction between:

1) is the patch safe
2) is the _live patching_ safe

It's really two different things. We should absolutely strive for live
patching to be safe under all circumstances, as long as the patch
being fed to it is safe in itself when building a new kernel the old
fashioned way.

I.e. it's natural that a kernel can be messed up via a patch, but this
subsystem should absolutely make sure that it will safely reject
totally fine patches that are unsafe to live patch.

Thanks, that's a very succinct way to put it. They are indeed two
different things, but at the same time they're interrelated: determining
whether a patch is safe requires making assumptions about how it will be
applied.

No!

A patch to the kernel source is 'safe' if it results in a correctly
patched kernel source. Full stop!

Live patching does not enter into this question, ever. The correctness
of a patch to the source does not depend on 'live patching'
considerations in any way, shape or form.

Any mechanism that tries to blur these lines is broken by design.

My claim is that if a patch is correct/safe in the old fashioned way,
then a fundamental principle is that a live patching subsystem must
either safely apply, or safely reject the live patching attempt,
independently from any user input.

It's similar to how kprobes (or ftrace) will safely reject or perform
a live patching of the kernel.

So for example, there's this recent upstream kernel fix:

3ca9e5d36afb agp: info leak in agpioc_info_wrap()

which fixes an information leak. The 'patch' is Git commit
3ca9e5d36afb (i.e. it patches a very specific incoming kernel source
tree that results in a specific outgoing source tree), and we know
it's safe and correct.

Any live patching subsystem must make sure that if this patch is
live-patched, that this attempt is either rejected safely or performed
safely.

"We think/hope it won't blow up in most cases and we automated some
checks halfways" or "the user must know what he is doing" is really
not something that I think is a good concept for something as fragile
as live patching.

In that case you will have to reject any kernel patch that changes any memory structure, because it's impossible as a general rule to say that changing memory structures is going to be safe (or even possible) to change.

that includes any access to memory that moves around a lock

David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/