Re: [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX

From: Christoph Lameter
Date: Tue Dec 22 2015 - 11:08:35 EST

Next message: Felipe F. Tonello: "[PATCH 2/2] usb: gadget: f_midi: added spinlock on transmit function"
Previous message: Stefano Stabellini: "Re: [PATCH RESEND v4] arm: remove !CPU_V6 and !GENERIC_ATOMIC64 build dependencies for XEN"
In reply to: Vlastimil Babka: "Re: [RFC][PATCH 1/7] mm/slab_common.c: Add common support for slab saniziation"
Next in thread: Dave Hansen: "Re: [kernel-hardening] Re: [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 21 Dec 2015, Laura Abbott wrote:

> The biggest change from PAX_MEMORY_SANTIIZE is that this feature sanitizes
> the SL[AOU]B allocators only. My plan is to work on the buddy allocator
> santization after this series gets picked up. A side effect of this is
> that allocations which go directly to the buddy allocator (i.e. large
> allocations) aren't sanitized. I'd like feedback about whether it's worth
> it to add sanitization on that path directly or just use the page
> allocator sanitization when that comes in.

I am not sure what the point of this patchset is. We have a similar effect
to sanitization already in the allocators through two mechanisms:

1. Slab poisoning
2. Allocation with GFP_ZERO

I do not think we need a third one. You could accomplish your goals much
easier without this code churn by either

1. Improve the existing poisoning mechanism. Ensure that there are no
gaps. Security sensitive kernel slab caches can then be created with
the POISONING flag set. Maybe add a Kconfig flag that enables
POISONING for each cache? What was the issue when you tried using
posining for sanitization?

2. Add a mechanism that ensures that GFP_ZERO is set for each allocation.
That way every object you retrieve is zeroed and thus you have implied
sanitization. This also can be done in a rather simple way by changing
the GFP_KERNEL etc constants to include __GFP_ZERO depending on a
Kconfig option. Or add some runtime setting of the gfp flags somewhere.

Generally I would favor option #2 if you must have sanitization because
that is the only option to really give you a deterministic content of
object on each allocation. Any half way measures would not work I think.

Note also that most allocations are already either allocations that zero
the content or they are immediately initializing the content of the
allocated object. After all the object is not really usable if the
content is random. You may be able to avoid this whole endeavor by
auditing the kernel for locations where the object is not initialized
after allocation.

Once one recognizes the above it seems that sanitization is pretty
useless. Its just another pass of writing zeroes before the allocator or
uer of the allocated object sets up deterministic content of the object or
-- in most cases -- zeroes it again.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Felipe F. Tonello: "[PATCH 2/2] usb: gadget: f_midi: added spinlock on transmit function"
Previous message: Stefano Stabellini: "Re: [PATCH RESEND v4] arm: remove !CPU_V6 and !GENERIC_ATOMIC64 build dependencies for XEN"
In reply to: Vlastimil Babka: "Re: [RFC][PATCH 1/7] mm/slab_common.c: Add common support for slab saniziation"
Next in thread: Dave Hansen: "Re: [kernel-hardening] Re: [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]