Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAG_fn=XYRpeBgLpbwhaF=JfNHa-styydOKq8_SA3vsdMcXNgzw@mail.gmail.com>
Date: Wed, 3 Jul 2019 13:40:26 +0200
From: Alexander Potapenko <glider@...gle.com>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: Christoph Lameter <cl@...ux.com>, Kees Cook <keescook@...omium.org>, Michal Hocko <mhocko@...e.com>, 
	James Morris <jamorris@...ux.microsoft.com>, 
	Masahiro Yamada <yamada.masahiro@...ionext.com>, Michal Hocko <mhocko@...nel.org>, 
	James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, 
	Nick Desaulniers <ndesaulniers@...gle.com>, Kostya Serebryany <kcc@...gle.com>, 
	Dmitry Vyukov <dvyukov@...gle.com>, Sandeep Patil <sspatil@...roid.com>, 
	Laura Abbott <labbott@...hat.com>, Randy Dunlap <rdunlap@...radead.org>, Jann Horn <jannh@...gle.com>, 
	Mark Rutland <mark.rutland@....com>, Marco Elver <elver@...gle.com>, Qian Cai <cai@....pw>, 
	Linux Memory Management List <linux-mm@...ck.org>, 
	linux-security-module <linux-security-module@...r.kernel.org>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH v10 1/2] mm: security: introduce init_on_alloc=1 and
 init_on_free=1 boot options

On Wed, Jul 3, 2019 at 12:59 AM Andrew Morton <akpm@...ux-foundation.org> wrote:
>
> On Fri, 28 Jun 2019 11:31:30 +0200 Alexander Potapenko <glider@...gle.com> wrote:
>
> > The new options are needed to prevent possible information leaks and
> > make control-flow bugs that depend on uninitialized values more
> > deterministic.
> >
> > This is expected to be on-by-default on Android and Chrome OS. And it
> > gives the opportunity for anyone else to use it under distros too via
> > the boot args. (The init_on_free feature is regularly requested by
> > folks where memory forensics is included in their threat models.)
> >
> > init_on_alloc=1 makes the kernel initialize newly allocated pages and heap
> > objects with zeroes. Initialization is done at allocation time at the
> > places where checks for __GFP_ZERO are performed.
> >
> > init_on_free=1 makes the kernel initialize freed pages and heap objects
> > with zeroes upon their deletion. This helps to ensure sensitive data
> > doesn't leak via use-after-free accesses.
> >
> > Both init_on_alloc=1 and init_on_free=1 guarantee that the allocator
> > returns zeroed memory. The two exceptions are slab caches with
> > constructors and SLAB_TYPESAFE_BY_RCU flag. Those are never
> > zero-initialized to preserve their semantics.
> >
> > Both init_on_alloc and init_on_free default to zero, but those defaults
> > can be overridden with CONFIG_INIT_ON_ALLOC_DEFAULT_ON and
> > CONFIG_INIT_ON_FREE_DEFAULT_ON.
> >
> > If either SLUB poisoning or page poisoning is enabled, those options
> > take precedence over init_on_alloc and init_on_free: initialization is
> > only applied to unpoisoned allocations.
> >
> > Slowdown for the new features compared to init_on_free=0,
> > init_on_alloc=0:
> >
> > hackbench, init_on_free=1:  +7.62% sys time (st.err 0.74%)
> > hackbench, init_on_alloc=1: +7.75% sys time (st.err 2.14%)
> >
> > Linux build with -j12, init_on_free=1:  +8.38% wall time (st.err 0.39%)
> > Linux build with -j12, init_on_free=1:  +24.42% sys time (st.err 0.52%)
> > Linux build with -j12, init_on_alloc=1: -0.13% wall time (st.err 0.42%)
> > Linux build with -j12, init_on_alloc=1: +0.57% sys time (st.err 0.40%)
> >
> > The slowdown for init_on_free=0, init_on_alloc=0 compared to the
> > baseline is within the standard error.
> >
> > The new features are also going to pave the way for hardware memory
> > tagging (e.g. arm64's MTE), which will require both on_alloc and on_free
> > hooks to set the tags for heap objects. With MTE, tagging will have the
> > same cost as memory initialization.
> >
> > Although init_on_free is rather costly, there are paranoid use-cases where
> > in-memory data lifetime is desired to be minimized. There are various
> > arguments for/against the realism of the associated threat models, but
> > given that we'll need the infrastructure for MTE anyway, and there are
> > people who want wipe-on-free behavior no matter what the performance cost,
> > it seems reasonable to include it in this series.
> >
> > ...
> >
> >  v10:
> >   - added Acked-by: tags
> >   - converted pr_warn() to pr_info()
>
> There are unchangelogged alterations between v9 and v10.  The
> replacement of IS_ENABLED(CONFIG_PAGE_POISONING)) with
> page_poisoning_enabled().
In the case I send another version of the patch, do I need to
retroactively add them to the changelog?
>
> --- a/mm/page_alloc.c~mm-security-introduce-init_on_alloc=1-and-init_on_free=1-boot-options-v10
> +++ a/mm/page_alloc.c
> @@ -157,8 +157,8 @@ static int __init early_init_on_alloc(ch
>         if (!buf)
>                 return -EINVAL;
>         ret = kstrtobool(buf, &bool_result);
> -       if (bool_result && IS_ENABLED(CONFIG_PAGE_POISONING))
> -               pr_warn("mem auto-init: CONFIG_PAGE_POISONING is on, will take precedence over init_on_alloc\n");
> +       if (bool_result && page_poisoning_enabled())
> +               pr_info("mem auto-init: CONFIG_PAGE_POISONING is on, will take precedence over init_on_alloc\n");
>         if (bool_result)
>                 static_branch_enable(&init_on_alloc);
>         else
> @@ -175,8 +175,8 @@ static int __init early_init_on_free(cha
>         if (!buf)
>                 return -EINVAL;
>         ret = kstrtobool(buf, &bool_result);
> -       if (bool_result && IS_ENABLED(CONFIG_PAGE_POISONING))
> -               pr_warn("mem auto-init: CONFIG_PAGE_POISONING is on, will take precedence over init_on_free\n");
> +       if (bool_result && page_poisoning_enabled())
> +               pr_info("mem auto-init: CONFIG_PAGE_POISONING is on, will take precedence over init_on_free\n");
>         if (bool_result)
>                 static_branch_enable(&init_on_free);
>         else
> --- a/mm/slub.c~mm-security-introduce-init_on_alloc=1-and-init_on_free=1-boot-options-v10
> +++ a/mm/slub.c
> @@ -1281,9 +1281,8 @@ check_slabs:
>  out:
>         if ((static_branch_unlikely(&init_on_alloc) ||
>              static_branch_unlikely(&init_on_free)) &&
> -           (slub_debug & SLAB_POISON)) {
> -               pr_warn("mem auto-init: SLAB_POISON will take precedence over init_on_alloc/init_on_free\n");
> -       }
> +           (slub_debug & SLAB_POISON))
> +               pr_info("mem auto-init: SLAB_POISON will take precedence over init_on_alloc/init_on_free\n");
>         return 1;
>  }
>
> _
>


-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.