Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <54dafdec825859afc85a3bd651f9e850e57a59dc.camel@intel.com>
Date: Tue, 27 Nov 2018 00:19:19 +0000
From: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
To: "jeyu@...nel.org" <jeyu@...nel.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"daniel@...earbox.net" <daniel@...earbox.net>, "jannh@...gle.com"
	<jannh@...gle.com>, "keescook@...omium.org" <keescook@...omium.org>,
	"willy@...radead.org" <willy@...radead.org>, "tglx@...utronix.de"
	<tglx@...utronix.de>, "linux-mm@...ck.org" <linux-mm@...ck.org>,
	"arjan@...ux.intel.com" <arjan@...ux.intel.com>, "x86@...nel.org"
	<x86@...nel.org>, "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
	"hpa@...or.com" <hpa@...or.com>, "kristen@...ux.intel.com"
	<kristen@...ux.intel.com>, "mingo@...hat.com" <mingo@...hat.com>,
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
	"Hansen, Dave" <dave.hansen@...el.com>
Subject: Re: [PATCH v9 RESEND 0/4] KASLR feature to randomize each loadable
 module

On Mon, 2018-11-26 at 16:36 +0100, Jessica Yu wrote:
> +++ Rick Edgecombe [20/11/18 15:23 -0800]:
[snip]
> Hi Rick!
> 
> Sorry for the delay. I'd like to take a step back and ask some broader
> questions -
> 
> - Is the end goal of this patchset to randomize loading kernel modules, or
> most/all
>    executable kernel memory allocations, including bpf, kprobes, etc?
Thanks for taking a look!

It started with the goal of just randomizing modules (hence the name), but I
think there is maybe value in randomizing the placement of all runtime added
executable code. Beyond just trying to make executable code placement less
deterministic in general, today all of the usages have the property of starting
with RW permissions and then becoming RO executable, so there is the benefit of
narrowing the chances a bug could successfully write to it during the RW window.

> - It seems that a lot of complexity and heuristics are introduced just to
>    accommodate the potential fragmentation that can happen when the module
> vmalloc
>    space starts to get fragmented with bpf filters. I'm partial to the idea of
>    splitting or having bpf own its own vmalloc space, similar to what Ard is
> already
>    implementing for arm64.
> 
>    So a question for the bpf and x86 folks, is having a dedicated vmalloc
> region
>    (as well as a seperate bpf_alloc api) for bpf feasible or desirable on
> x86_64?
I actually did some prototyping and testing on this. It seems there would be
some slowdown from the required changes to the JITed code to support calling
back from the vmalloc region into the kernel, and so module space would still be
the preferred region.

>    If bpf filters need to be within 2 GB of the core kernel, would it make
> sense
>    to carve out a portion of the current module region for bpf
> filters?  According
>    to Documentation/x86/x86_64/mm.txt, the module region is ~1.5 GB. I am
> doubtful
>    that any real system will actually have 1.5 GB worth of kernel modules
> loaded.
>    Is there a specific reason why that much space is dedicated to kernel
> modules,
>    and would it be feasible to split that region cleanly with bpf?
Hopefully someone from BPF side of things will chime in, but my understanding
was that they would like even more space than today if possible and so they may
not like the reduced space.

Also with KASLR on x86 its actually only 1GB, so it would only be 500MB per
section (assuming kprobes, etc would share the non-module region, so just two
sections).

> - If bpf gets its own dedicated vmalloc space, and we stick to the single task
>    of randomizing *just* kernel modules, could the vmalloc optimizations and
> the
>    "backup" area be dropped? The benefits of the vmalloc optimizations seem to
>    only be noticeable when we get to thousands of module_alloc allocations -
>    again, a concern caused by bpf filters sharing the same space with kernel
>    modules.
I think the backup area may still be needed, for example if you have 200 modules
evenly spaced inside 500MB there is only average ~2.5MB gap between them. So a
late added large module could still get blocked.

>    So tldr, it seems to me that the concern of fragmentation, the vmalloc
>    optimizations, and the main purpose of the backup area - basically, the
> more
>    complex parts of this patchset - stems squarely from the fact that bpf
> filters
>    share the same space as modules on x86. If we were to focus on randomizing
>    *just* kernel modules, and if bpf and modules had their own dedicated
> regions,
>    then I *think* the concrete use cases for the backup area and the vmalloc
>    optimizations (if we're strictly considering just kernel modules) would
>    mostly disappear (please correct me if I'm in the wrong here). Then
> tackling the
>    randomization of bpf allocations could potentially be a separate task on
> its own.
Yes it seems then the vmalloc optimizations could be dropped then, but I don't
think the backup area could be. Also the entropy would go down since there would
be less possible positions and we would reduce the space available to BPF. So
there are some downsides just to remove the vmalloc piece.

Is your concern that vmalloc optimizations might regress something else? There
is a middle ground vmalloc optimization where only the try_purge flag is plumbed
through. The flag was most of the performance gained and with just that piece it
should not change any behavior for the non-modules flows. Would that be more
acceptable?

> Thanks!
> 
> Jessica
> 
[snip]

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.