Date:	Wed, 7 May 2014 10:41:14 -0500
From:	Josh Poimboeuf <jpoimboe@...hat.com>
To:	Ingo Molnar <mingo@...nel.org>
Cc:	Frederic Weisbecker <fweisbec@...il.com>,
	Seth Jennings <sjenning@...hat.com>,
	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
	Steven Rostedt <rostedt@...dmis.org>,
	Ingo Molnar <mingo@...hat.com>, Jiri Slaby <jslaby@...e.cz>,
	linux-kernel@...r.kernel.org,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [RFC PATCH 0/2] kpatch: dynamic kernel patching

On Wed, May 07, 2014 at 02:24:44PM +0200, Ingo Molnar wrote:
> 
> * Josh Poimboeuf <jpoimboe@...hat.com> wrote:
> 
> > > Ah this reminds me when we chased kprobes dangerous spots and we 
> > > tried to declare __kprobes the functions which were too dangerous 
> > > to hot patch.
> > > 
> > > We eventually gave up because it was impossible to fix everything. 
> > > And that was only for kprobes!
> > > 
> > > So you can never tell if a given patch will impact a given 
> > > kthread.
> > 
> > If the user (or the person creating the patch for them) doesn't 
> > understand all impacts of the patch, they have no business patching 
> > their kernel with it.
> 
> I think what is being somewhat lost in this discussion is the 
> distinction between:
> 
>  1) is the patch safe
>  2) is the _live patching_ safe
> 
> It's really two different things. We should absolutely strive for live 
> patching to be safe under all circumstances, as long as the patch 
> being fed to it is safe in itself when building a new kernel the old 
> fashioned way.
> 
> I.e. it's natural that a kernel can be messed up via a patch, but this 
> subsystem should absolutely make sure that it will safely reject 
> totally fine patches that are unsafe to live patch.

Thanks, that's a very succinct way to put it.  They are indeed two
different things, but at the same time they're interrelated: determining
whether a patch is safe requires making assumptions about how it will be
applied.

Here's how kpatch draws the lines:

1) Is the patch safe?

   Determined by the user (and partially enforced by the kpatch-build
   tools).

   The user can assume that the old function(s) will not be in use by
   any task at the time of replacement, so there's no risk of unexpected
   interactions between the old and the new.  There is no guarantee that
   all tasks will be frozen.

2) Is the live patching safe?

   Determined by the kernel.  The kernel only needs to ensure that the
   old function(s) are not in use.  We do this with stop_machine() and
   backtrace checks of all tasks.

It's a very simple contract between user and kernel.

I think the proposal was that we change this contract such that the user
can additionally assume that all tasks will be frozen.  I could be
missing something but I don't see a real benefit from it.

-- 
Josh
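The kernel-side half of the contract described above (with all tasks stopped, refuse the patch if any task's backtrace lands inside a function being replaced), as an added simulation that is not kpatch's own code; the function ranges, task names, frame addresses and the activeness_check() helper are constructed for illustration:

```c
/* Constructed simulation of kpatch's "is the live patching safe?" check:
   after stop_machine() halts every CPU, walk each task's backtrace and
   refuse the patch if any frame lies inside an old function. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct func_range { const char *name; uintptr_t start, end; }; /* [start, end) */
struct task_trace { const char *comm; const uintptr_t *frames; size_t nframes; };

/* True if any return address of the trace falls inside one of the old functions. */
static bool task_uses_func(const struct task_trace *t, const struct func_range *f,
                           size_t nf, const char **hit)
{
    for (size_t i = 0; i < t->nframes; i++)
        for (size_t j = 0; j < nf; j++)
            if (t->frames[i] >= f[j].start && t->frames[i] < f[j].end) {
                *hit = f[j].name;
                return true;
            }
    return false;
}

/* Would run inside stop_machine(): 0 if the patch may be applied, -EBUSY if a
   task is still executing (or sleeping inside) one of the functions replaced. */
int activeness_check(const struct func_range *f, size_t nf,
                     const struct task_trace *tasks, size_t nt)
{
    for (size_t i = 0; i < nt; i++) {
        const char *hit;
        if (task_uses_func(&tasks[i], f, nf, &hit)) {
            printf("refusing patch: task %s is inside %s\n", tasks[i].comm, hit);
            return -EBUSY;
        }
    }
    return 0;
}

/* Constructed addresses: the replaced function occupies [0x1000, 0x1080). */
static const struct func_range old_funcs[] = { { "do_foo", 0x1000, 0x1080 } };
static const uintptr_t idle_frames[] = { 0x2010, 0x3050 };         /* outside do_foo */
static const uintptr_t busy_frames[] = { 0x4000, 0x1040, 0x3050 }; /* sleeping in do_foo */

int example_idle(void)  /* no task is on the old function: patch allowed */
{
    struct task_trace t[] = { { "kworker/0:1", idle_frames, 2 } };
    return activeness_check(old_funcs, 1, t, 1);
}

int example_busy(void)  /* one task has do_foo on its stack: patch refused */
{
    struct task_trace t[] = { { "kworker/0:1", idle_frames, 2 },
                              { "kthreadd", busy_frames, 3 } };
    return activeness_check(old_funcs, 1, t, 2);
}
```

Note that the check only guarantees the old function is not in use at switch time; whether the new function is a safe drop-in replacement remains the patch author's responsibility, which is the first half of the contract.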