Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0975aa62d9649df56832b8e745c78d0fb83a3610.camel@intel.com>
Date: Wed, 12 Dec 2018 23:05:35 +0000
From: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
To: "daniel@...earbox.net" <daniel@...earbox.net>, "jeyu@...nel.org"
	<jeyu@...nel.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"jannh@...gle.com" <jannh@...gle.com>, "arjan@...ux.intel.com"
	<arjan@...ux.intel.com>, "keescook@...omium.org" <keescook@...omium.org>,
	"ard.biesheuvel@...aro.org" <ard.biesheuvel@...aro.org>, "linux-mm@...ck.org"
	<linux-mm@...ck.org>, "tglx@...utronix.de" <tglx@...utronix.de>,
	"willy@...radead.org" <willy@...radead.org>, "x86@...nel.org"
	<x86@...nel.org>, "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
	"hpa@...or.com" <hpa@...or.com>, "kristen@...ux.intel.com"
	<kristen@...ux.intel.com>, "mingo@...hat.com" <mingo@...hat.com>,
	"alexei.starovoitov@...il.com" <alexei.starovoitov@...il.com>,
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
	"Hansen, Dave" <dave.hansen@...el.com>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>
Subject: Re: [PATCH v9 RESEND 0/4] KASLR feature to randomize each loadable
 module

On Wed, 2018-11-28 at 01:40 +0000, Edgecombe, Rick P wrote:
> On Tue, 2018-11-27 at 11:21 +0100, Daniel Borkmann wrote:
> > On 11/27/2018 01:19 AM, Edgecombe, Rick P wrote:
> > > On Mon, 2018-11-26 at 16:36 +0100, Jessica Yu wrote:
> > > > +++ Rick Edgecombe [20/11/18 15:23 -0800]:
> > > 
> > > [snip]
> > > > Hi Rick!
> > > > 
> > > > Sorry for the delay. I'd like to take a step back and ask some broader
> > > > questions -
> > > > 
> > > > - Is the end goal of this patchset to randomize loading kernel modules,
> > > > or
> > > > most/all
> > > >    executable kernel memory allocations, including bpf, kprobes, etc?
> > > 
> > > Thanks for taking a look!
> > > 
> > > It started with the goal of just randomizing modules (hence the name), but
> > > I
> > > think there is maybe value in randomizing the placement of all runtime
> > > added
> > > executable code. Beyond just trying to make executable code placement less
> > > deterministic in general, today all of the usages have the property of
> > > starting
> > > with RW permissions and then becoming RO executable, so there is the
> > > benefit
> > > of
> > > narrowing the chances a bug could successfully write to it during the RW
> > > window.
> > > 
> > > > - It seems that a lot of complexity and heuristics are introduced just
> > > > to
> > > >    accommodate the potential fragmentation that can happen when the
> > > > module
> > > > vmalloc
> > > >    space starts to get fragmented with bpf filters. I'm partial to the
> > > > idea of
> > > >    splitting or having bpf own its own vmalloc space, similar to what
> > > > Ard
> > > > is
> > > > already
> > > >    implementing for arm64.
> > > > 
> > > >    So a question for the bpf and x86 folks, is having a dedicated
> > > > vmalloc
> > > > region
> > > >    (as well as a seperate bpf_alloc api) for bpf feasible or desirable
> > > > on
> > > > x86_64?
> > > 
> > > I actually did some prototyping and testing on this. It seems there would
> > > be
> > > some slowdown from the required changes to the JITed code to support
> > > calling
> > > back from the vmalloc region into the kernel, and so module space would
> > > still be
> > > the preferred region.
> > 
> > Yes, any runtime slow-down would be no-go as BPF sits in the middle of
> > critical
> > networking fast-path and e.g. on XDP or tc layer and is used in load-
> > balancing,
> > firewalling, DDoS protection scenarios, some recent examples in [0-3].
> > 
> >   [0] http://vger.kernel.org/lpc-networking2018.html#session-10
> >   [1] http://vger.kernel.org/lpc-networking2018.html#session-15
> >   [2] https://blog.cloudflare.com/how-to-drop-10-million-packets/
> >   [3] http://vger.kernel.org/lpc-bpf2018.html#session-1
> > 
> > > >    If bpf filters need to be within 2 GB of the core kernel, would it
> > > > make
> > > > sense
> > > >    to carve out a portion of the current module region for bpf
> > > > filters?  According
> > > >    to Documentation/x86/x86_64/mm.txt, the module region is ~1.5 GB. I
> > > > am
> > > > doubtful
> > > >    that any real system will actually have 1.5 GB worth of kernel
> > > > modules
> > > > loaded.
> > > >    Is there a specific reason why that much space is dedicated to kernel
> > > > modules,
> > > >    and would it be feasible to split that region cleanly with bpf?
> > > 
> > > Hopefully someone from BPF side of things will chime in, but my
> > > understanding
> > > was that they would like even more space than today if possible and so
> > > they
> > > may
> > > not like the reduced space.
> > 
> > I wouldn't mind of the region is split as Jessica suggests but in a way
> > where
> > there would be _no_ runtime regressions for BPF. This might also allow to
> > have
> > more flexibility in sizing the area dedicated for BPF in future, and could
> > potentially be done in similar way as Ard was proposing recently [4].
> > 
> >   [4] https://patchwork.ozlabs.org/project/netdev/list/?series=77779
> 
> CCing Ard.
> 
> The benefit of sharing the space, for randomization at least, is that you can
> spread the allocations over a larger area.
> 
> I think there are also other benefits to unifying how this memory is managed
> though, rather than spreading it further. Today there are various patterns and
> techniques used like calling different combinations of set_memory_* before
> freeing, zeroing in modules or setting invalid instructions like BPF does,
> etc.
> There is also special care to be taken on vfree-ing executable memory. So this
> way things only have to be done right once and there is less duplication.
> 
> Not saying there shouldn't be __weak alloc and free method in BPF for arch
> specific behavior, just that there is quite a few other concerns that could be
> good to centralize even more than today.
> 
> What if there was a unified executable alloc API with support for things like:
>  - Concepts of two regions for Ard's usage, near(modules) and far(vmalloc)
> from
>    kernel text. Won't apply for every arch, but maybe enough that some logic
>    could be unified
>  - Limits for each of the usages (modules, bpf, kprobes, ftrace)
>  - Centralized logic for moving between RW and RO+X
>  - Options for exclusive regions or all shared
>  - Randomizing base, randomizing independently or none
>  - Some cgroups hooks?
> 
> Would there be any interest in that for the future?
> 
> As a next step, if BPF doesn't want to use this by default, could BPF just
> call
> vmalloc_node_range directly from Ard's new __weak functions on x86? Then
> modules
> can randomize across the whole space and BPF can fill the gaps linearly from
> the
> beginning. Is that acceptable? Then the vmalloc optimizations could be dropped
> for the time being since the BPFs would not be fragmented, but the separate
> regions could come as part of future work.
Jessica, Daniel,

Any advice for me on how we could move this forward?

Thanks,
Rick



> Thanks,
> 
> Rick
> 
> > > Also with KASLR on x86 its actually only 1GB, so it would only be 500MB
> > > per
> > > section (assuming kprobes, etc would share the non-module region, so just
> > > two
> > > sections).
> > > 
> > > > - If bpf gets its own dedicated vmalloc space, and we stick to the
> > > > single
> > > > task
> > > >    of randomizing *just* kernel modules, could the vmalloc optimizations
> > > > and
> > > > the
> > > >    "backup" area be dropped? The benefits of the vmalloc optimizations
> > > > seem to
> > > >    only be noticeable when we get to thousands of module_alloc
> > > > allocations
> > > > -
> > > >    again, a concern caused by bpf filters sharing the same space with
> > > > kernel
> > > >    modules.
> > > 
> > > I think the backup area may still be needed, for example if you have 200
> > > modules
> > > evenly spaced inside 500MB there is only average ~2.5MB gap between them.
> > > So
> > > a
> > > late added large module could still get blocked.
> > > 
> > > >    So tldr, it seems to me that the concern of fragmentation, the
> > > > vmalloc
> > > >    optimizations, and the main purpose of the backup area - basically,
> > > > the
> > > > more
> > > >    complex parts of this patchset - stems squarely from the fact that
> > > > bpf
> > > > filters
> > > >    share the same space as modules on x86. If we were to focus on
> > > > randomizing
> > > >    *just* kernel modules, and if bpf and modules had their own dedicated
> > > > regions,
> > > >    then I *think* the concrete use cases for the backup area and the
> > > > vmalloc
> > > >    optimizations (if we're strictly considering just kernel modules)
> > > > would
> > > >    mostly disappear (please correct me if I'm in the wrong here). Then
> > > > tackling the
> > > >    randomization of bpf allocations could potentially be a separate task
> > > > on
> > > > its own.
> > > 
> > > Yes it seems then the vmalloc optimizations could be dropped then, but I
> > > don't
> > > think the backup area could be. Also the entropy would go down since there
> > > would
> > > be less possible positions and we would reduce the space available to BPF.
> > > So
> > > there are some downsides just to remove the vmalloc piece.
> > > 
> > > Is your concern that vmalloc optimizations might regress something else?
> > > There
> > > is a middle ground vmalloc optimization where only the try_purge flag is
> > > plumbed
> > > through. The flag was most of the performance gained and with just that
> > > piece it
> > > should not change any behavior for the non-modules flows. Would that be
> > > more
> > > acceptable?
> > > 
> > > > Thanks!
> > > > 
> > > > Jessica
> > > > 
> > > 
> > > [snip]
> > > 
> > 
> > 

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.