Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CALCETrXLrsKDBzDkN7sc9HYPWe9aV3NQzf4vMvM+FD8j6aA6AQ@mail.gmail.com>
Date: Tue, 4 Dec 2018 11:48:42 -0800
From: Andy Lutomirski <luto@...nel.org>
To: Nadav Amit <nadav.amit@...il.com>
Cc: Andrew Lutomirski <luto@...nel.org>, Rick Edgecombe <rick.p.edgecombe@...el.com>, 
	Andrew Morton <akpm@...ux-foundation.org>, Will Deacon <will.deacon@....com>, 
	Linux-MM <linux-mm@...ck.org>, LKML <linux-kernel@...r.kernel.org>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>, 
	"Naveen N . Rao" <naveen.n.rao@...ux.vnet.ibm.com>, 
	Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>, "David S. Miller" <davem@...emloft.net>, 
	Masami Hiramatsu <mhiramat@...nel.org>, Steven Rostedt <rostedt@...dmis.org>, 
	Ingo Molnar <mingo@...hat.com>, Alexei Starovoitov <ast@...nel.org>, 
	Daniel Borkmann <daniel@...earbox.net>, jeyu@...nel.org, 
	Network Development <netdev@...r.kernel.org>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, 
	Jann Horn <jannh@...gle.com>, Kristen Carlson Accardi <kristen@...ux.intel.com>, 
	Dave Hansen <dave.hansen@...el.com>, "Dock, Deneen T" <deneen.t.dock@...el.com>, 
	Peter Zijlstra <peterz@...radead.org>
Subject: Re: [PATCH 1/2] vmalloc: New flag for flush before releasing pages

On Tue, Dec 4, 2018 at 11:45 AM Nadav Amit <nadav.amit@...il.com> wrote:
>
> > On Dec 4, 2018, at 10:56 AM, Andy Lutomirski <luto@...nel.org> wrote:
> >
> > On Mon, Dec 3, 2018 at 5:43 PM Nadav Amit <nadav.amit@...il.com> wrote:
> >>> On Nov 27, 2018, at 4:07 PM, Rick Edgecombe <rick.p.edgecombe@...el.com> wrote:
> >>>
> >>> Since vfree will lazily flush the TLB, but not lazily free the underlying pages,
> >>> it often leaves stale TLB entries to freed pages that could get re-used. This is
> >>> undesirable for cases where the memory being freed has special permissions such
> >>> as executable.
> >>
> >> So I am trying to finish my patch-set for preventing transient W+X mappings
> >> from taking space, by handling kprobes & ftrace that I missed (thanks again for
> >> pointing it out).
> >>
> >> But all of the sudden, I don’t understand why we have the problem that this
> >> (your) patch-set deals with at all. We already change the mappings to make
> >> the memory writable before freeing the memory, so why can’t we make it
> >> non-executable at the same time? Actually, why do we make the module memory,
> >> including its data executable before freeing it???
> >
> > All the code you're looking at is IMO a very awkward and possibly
> > incorrect of doing what's actually necessary: putting the direct map
> > the way it wants to be.
> >
> > Can't we shove this entirely mess into vunmap?  Have a flag (as part
> > of vmalloc like in Rick's patch or as a flag passed to a vfree variant
> > directly) that makes the vunmap code that frees the underlying pages
> > also reset their permissions?
> >
> > Right now, we muck with set_memory_rw() and set_memory_nx(), which
> > both have very awkward (and inconsistent with each other!) semantics
> > when called on vmalloc memory.  And they have their own flushes, which
> > is inefficient.  Maybe the right solution is for vunmap to remove the
> > vmap area PTEs, call into a function like set_memory_rw() that resets
> > the direct maps to their default permissions *without* flushing, and
> > then to do a single flush for everything.  Or, even better, to cause
> > the change_page_attr code to do the flush and also to flush the vmap
> > area all at once so that very small free operations can flush single
> > pages instead of flushing globally.
>
> Thanks for the explanation. I read it just after I realized that indeed the
> whole purpose of this code is to get cpa_process_alias()
> update the corresponding direct mapping.
>
> This thing (pageattr.c) indeed seems over-engineered and very unintuitive.
> Right now I have a list of patch-sets that I owe, so I don’t have the time
> to deal with it.
>
> But, I still think that disable_ro_nx() should not call set_memory_x().
> IIUC, this breaks W+X of the direct-mapping which correspond with the module
> memory. Does it ever stop being W+X?? I’ll have another look.
>

Dunno.  I did once chase down a bug where some memory got freed while
it was still read-only, and the results were hilarious and hard to
debug, since the explosion happened long after the buggy code
finished.

--Andy

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.