|
Message-ID: <6562ebd3-e97d-41c4-261a-9f4b863118eb@gmail.com> Date: Sun, 23 Dec 2018 04:28:59 +0200 From: Igor Stoppa <igor.stoppa@...il.com> To: Matthew Wilcox <willy@...radead.org>, Nadav Amit <nadav.amit@...il.com> Cc: Andy Lutomirski <luto@...capital.net>, Peter Zijlstra <peterz@...radead.org>, Dave Hansen <dave.hansen@...ux.intel.com>, Mimi Zohar <zohar@...ux.vnet.ibm.com>, igor.stoppa@...wei.com, Kees Cook <keescook@...omium.org>, linux-integrity@...r.kernel.org, kernel-hardening@...ts.openwall.com, linux-mm@...ck.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 03/12] __wr_after_init: generic header On 21/12/2018 21:45, Matthew Wilcox wrote: > On Fri, Dec 21, 2018 at 11:38:16AM -0800, Nadav Amit wrote: >>> On Dec 19, 2018, at 1:33 PM, Igor Stoppa <igor.stoppa@...il.com> wrote: >>> >>> +static inline void *wr_memset(void *p, int c, __kernel_size_t len) >>> +{ >>> + return __wr_op((unsigned long)p, (unsigned long)c, len, WR_MEMSET); >>> +} >> >> What do you think about doing something like: >> >> #define __wr __attribute__((address_space(5))) >> >> And then make all the pointers to write-rarely memory to use this attribute? >> It might require more changes to the code, but can prevent bugs. > > I like this idea. It was something I was considering suggesting. I have been thinking about this sort of problem, although from a bit different angle: 1) enforcing alignment for pointers This can be implemented in similar way, by creating a multi-attribute that would define section, address space, like said here, and alignment. However I'm not sure if it's possible to do anything to enforce the alignment of a pointer field within a structure. I haven't had time to look into this yet. 2) validation of the correctness of the actual value Inside the kernel code, a function is not supposed to sanitize its arguments, as long as they come from some other trusted part of the kernel, rather than say from userspace or from some HW interface. However,ROP/JOP should be considered. I am aware of various efforts to make it harder to exploit these techniques, like signed pointers, CFI plugins, LTO. But they are not necessarily available on every platform and mostly, afaik, they focus on specific type of attacks. LTO can help with global optimizations, for example inlining functions across different objects. CFI can detect jumps in the middle of a function, rather than proper function invocation, from its natural entry point. Signed pointers can prevent data-based attacks to the execution flow, and they might have a role in preventing the attack I have in mind, but they are not available on all platforms. What I'd like to do, is to verify, at runtime, that the pointer belongs to the type that the receiving function is meant for. Ex: a legitimate __wr_after_init data must exist between __start_wr_after_init and __end_wr_after_init That is easier and cleaner to test, imho. But dynamically allocated memory doesn't have any such constraint. If it was possible to introduce, for example, a flag to pass to vmalloc, to get the vmap_area from within a specific address range, it would reduce the attack surface. In the implementation I have right now, I'm using extra flags for the pmalloc pages, which means the metadata is the new target for an attack. But with adding the constraint that a dynamically allocated protected memory page must be within a range, then the attacker must change the underlying PTE. And if a region of PTEs are all part of protected memory, it is possible to make the PMD write rare. -- igor
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.