lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 16 May 2014 20:27:09 -0400
From:	Steven Rostedt <rostedt@...dmis.org>
To:	Jiri Kosina <jkosina@...e.cz>
Cc:	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
	Ingo Molnar <mingo@...nel.org>,
	Frederic Weisbecker <fweisbec@...il.com>,
	Josh Poimboeuf <jpoimboe@...hat.com>,
	Seth Jennings <sjenning@...hat.com>,
	Ingo Molnar <mingo@...hat.com>, Jiri Slaby <jslaby@...e.cz>,
	linux-kernel@...r.kernel.org,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [RFC PATCH 0/2] kpatch: dynamic kernel patching

On Sat, 17 May 2014 00:32:10 +0200 (CEST)
Jiri Kosina <jkosina@...e.cz> wrote:


> That's true, and we come back to what has been said at the very beginning 
> for both aproaches -- you can't really get away without manual human 
> inspection of the patches that are being applied.
> 
> The case you have outlined is indeed problematic for the "lazy switching" 
> aproach, and can be worked around (interim function, which takes both 
> mutexes in well defined order, for example).
> 
> You can construct a broken locking scenario for stop_machine() aproach as 
> well -- consider a case when you are exchaing a function which changes the 
> locking order of two locks/mutexes. How do you deal with the rest of the 
> code where the locks are being acquired, but not through the functions 
> you've exchanged?

I'm a bit confused by this. If you change locking order and there's
other functions that acquire it in reverse order that's not in the
patch, that sounds like you just introduced a new bug.

> 
> So again -- there is no disagreement, I believe, about the fact that "live 
> patches" can't be reliably auto-generated, and human inspection will 
> always be necessary. Given the intended use-case (serious CVEs mostly, 
> handled by distro vendors), this is fine.
> 

Right, I absolutely agree that the real use case is to fix off by one
errors and buffer overflows. Anything that is more complex really needs
a reboot (at a minimum, a kexec reboot). I know our customers would love
to see this upgrading entire kernels, but that's rather unrealistic.

Why I still favor the stop_machine approach, is because the method of
patching is a bit simpler that way. A "lazy" approach will be more
complex and more likely to be buggy. The thing I'm arguing here is not
the end result being a problem, but the implementation of the patching
itself causing bugs.

I rather have a "lazy" approach, but like ftrace and its breakpoint
method, the stop_machine approach is the simpler way to make sure the
patching works before we try to optimize it.

-- Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists