| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 09 May 2014 15:21:35 +0900 From: Masami Hiramatsu <masami.hiramatsu.pt@...achi.com> To: Josh Poimboeuf <jpoimboe@...hat.com> Cc: Ingo Molnar <mingo@...nel.org>, David Lang <david@...g.hm>, Frederic Weisbecker <fweisbec@...il.com>, Seth Jennings <sjenning@...hat.com>, Steven Rostedt <rostedt@...dmis.org>, Ingo Molnar <mingo@...hat.com>, Jiri Slaby <jslaby@...e.cz>, linux-kernel@...r.kernel.org, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: Re: [RFC PATCH 0/2] kpatch: dynamic kernel patching (2014/05/08 21:48), Josh Poimboeuf wrote: >> No, I was not demanding that at all, my suggestion was: >> >> > My claim is that if a patch is correct/safe in the old fashioned >> > way, then a fundamental principle is that a live patching >> > subsystem must either safely apply, or safely reject the live >> > patching attempt, independently from any user input. >> >> Note the 'if'. It could start simple and stupid, and only allow cases >> where we know the patch must be trivially safe (because it does not do >> much in terms of disturbing globally visible state). That needs some >> tooling help, but apparently tooling help is in place already. >> >> And then we can complicate it from there - but have a reasonably >> robust starting point that we _know_ works (as long as the >> implementation is correct). > > I really wonder if detecting a "trivially safe" patch is even possible. > > Where do you draw the line with the following patches? > > - add a call to another function which modifies global data This depends on what global data and how. For example, the global data is used only from the replaced functions, it's a kind of local data. And also, the global data modification is as designed (e.g. acquiring/ releasing a spinlock), that is also safe. I think, the bad case is modifying shared global data to new state which unexpected by other data holders. > - add an early return or a goto which changes the way the function > modifies (or no longer modifies) global data Ditto, if it is unexpected at other parts, that will be unacceptable. > - touch a local stack variable which results in global data being > modified later in the function > > - return a different value which causes the function's caller to modify > data I think if the local variable or return value change is correctly handled by the caller (as expected), that is good too. Thank you, -- Masami HIRAMATSU Software Platform Research Dept. Linux Technology Research Center Hitachi, Ltd., Yokohama Research Laboratory E-mail: masami.hiramatsu.pt@...achi.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists