lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 26 Jan 2014 12:49:24 +0000
From:	"Ren, Qiaowei" <qiaowei.ren@...el.com>
To:	Ingo Molnar <mingo@...nel.org>
CC:	"H. Peter Anvin" <hpa@...or.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"x86@...nel.org" <x86@...nel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: RE: [PATCH v3 3/4] x86, mpx: add prctl commands PR_MPX_INIT,
 PR_MPX_RELEASE


> -----Original Message-----
> From: Ingo Molnar [mailto:mingo.kernel.org@...il.com] On Behalf Of Ingo
> Molnar
> Sent: Sunday, January 26, 2014 5:08 PM
> To: Ren, Qiaowei
> Cc: H. Peter Anvin; Thomas Gleixner; Ingo Molnar; x86@...nel.org;
> linux-kernel@...r.kernel.org; Peter Zijlstra; Linus Torvalds; Andrew Morton
> Subject: Re: [PATCH v3 3/4] x86, mpx: add prctl commands PR_MPX_INIT,
> PR_MPX_RELEASE
> 
> 
> * Qiaowei Ren <qiaowei.ren@...el.com> wrote:
> 
> > @@ -7,6 +9,88 @@
> >  #include <asm/fpu-internal.h>
> >  #include <asm/alternative.h>
> >
> > +static struct mmu_notifier mpx_mn;
> 
> > +static struct mmu_notifier_ops mpx_mmuops = {
> > +	.invalidate_range_end = mpx_invl_range_end, };
> > +
> > +int mpx_init(struct task_struct *tsk) {
> > +	if (!boot_cpu_has(X86_FEATURE_MPX))
> > +		return -EINVAL;
> > +
> > +	/* register mmu_notifier to delallocate the bound tables */
> > +	mpx_mn.ops = &mpx_mmuops;
> > +	mmu_notifier_register(&mpx_mn, current->mm);
> 
> 0)
> 
> I do think MPX should be supported by Linux, but this is the best thing I can say
> about the code at the moment:
> 
> 1)
> 
> The above MMU notifier bit is absolutely disgusting: it adds an
> O(nr_mpx_tasks) overhead to every MMU operation!
> 
> MPX needs to be called from architecture methods. (And the MMU notifier
> should probably be removed, it literally invites such abuse.)
> 
> 2)
> 
> The whole MPX_INIT() macro wrappery is ugly beyond relief.
> 
> 3)
> 
> The kernel/sys.c bits are x86-only, it probably won't even build on other
> architectures.
> 
> 4)
> 
> I also argue that MPX setup should be automatic through the ELF
> loader:
> 
>  - MPX setup could also be initiated through the ELF notes section or
>    so - similar to the executable bit stack attribute in ELF binaries.
>    (See PT_GNU_STACK handling in fs/binfmt_elf.c.)
> 
>  - What is the typical life time of the bounds table? Does user-space
>    get access to it? I don't see where it's discoverable to
>    user-space. (for example for debuggers)
> 
> 5)
> 
> Teardown can be done through regular munmap() if the notifier is eliminated,
> so that step falls away as well.
> 
> 6)
> 
> How many entries are in the bounds table? Because mpx_invl_range_end()
> looks utterly unscalable if it has any size beyond 1-2 entries.
> 
The size of one bound table is 4M bytes for 64bit, and 16K bytes for 32bit. It can not be accessed by user-space, and it will be accessed automatically by hardware.

When #BR faults come, and the entry of the bound directory is invalid, one bound table have to be allocated to save value of the bounds. It is what the second patch does. As for the lifetime of the bound tables, we can see the following case:
  User application use malloc or mmap to dynamically allocate memory. when address in the memory region is first accessed, related entry in the bound directory will be checked and it should be invalid. Then one new bound table will be allocated.
  After a time, this memory area is released, and so the bound tables related with this memory area become meaningless and may be released. If we don't release these unnecessary bound tables, it will save the workload of allocation of new bound tables when the memory area related with the entry of the bound directory is allocated and accessed again. But in this way the loss of virtual space will have to be worried.

Anyway, what this patch does is only that when a piece of address space is unmapped, we destroy/unmap the bounds tables that correspond to that same address space. MMU notifier will add some overhead for those tasks which use MPX. But I have no better way to know when one address space is unmapped, and then destroy the related bounds tables. Do you have any suggestion?

Thanks,
Qiaowei
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ