Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory
From: PaX Team
Date: Thu Nov 26 2015 - 07:15:11 EST
On 26 Nov 2015 at 11:42, Ingo Molnar wrote:
> * PaX Team <pageexec@xxxxxxxxxxx> wrote:
>
> > On 26 Nov 2015 at 9:54, Ingo Molnar wrote:
>
> > e.g., imagine that the write was to a function pointer (even an entire ops
> > structure) or a boolean that controls some important feature for after-init
> > code. ignoring/dropping such writes could cause all kinds of logic bugs (if not
> > worse).
>
> Well, the typical case is that it's a logic bug to _do_ the write: the structure
> was marked readonly for a reason but some init code re-runs during suspend or so.
that's actually not the typical case in my experience, but rather these two:
1. initial mistake: someone didn't actually check whether the given object can
be __read_only
2. code evolution: an object that was once written by __init code only (and
thus proactively subjected to __read_only) gets modified by non-init code
due to later changes
what you described above is a third case where there's a latent bug to begin
(unintended write) with that __read_only merely exposes but doesn't create
itself, unlike the two cases above (intended writes getting caught by wrong
use of __read_only).
> But yes, logic bugs might trigger - but that is true in the opposite case as well,
> if we do the write despite it being marked readonly:
not really, the two cases above are not a priori bugs, they become bugs due
to using __read_only without due care (which is why i suggested to detect
them at compile time).
> > misusing __read_only and ignoring write attempts would effectively produce the
> > same misbehaviour as above so i strongly advise against it.
>
> No, the difference to the GCC related aliasing bug is that with my technique the
> kernel would immediately produce a very visible kernel warning, which is a very
> clear sign that is wrong - and with a very clear backtrace in the warning that
> points right to the problematic code - which signature shows us (and users) what
> is wrong.
my proposal would produce the exact same reports, the difference is in letting
the write attempt succeed vs. skipping it. this latter step is what is wrong
since it introduces at least a logic bug the same way the constprop optimization
created a logic bug.
> Plus the truly paranoid might panic/halt the system on such warnings, so for
> highly secure systems there's a way to not even allow the possibility of logic
> bugs. (at the cost of stopping the system when a bug triggers.)
this would/should be the default behaviour, i.e., no attempt at being smart by
either allowing or skipping the faulting insn, just report the event and trigger
whatever fancy future exploit reaction mechanism will get into the kernel.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/