| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Apr 2015 12:22:41 +0200 From: Petr Mladek <pmladek@...e.cz> To: Minfei Huang <minfei.huang@...mail.com> Cc: jpoimboe@...hat.com, sjenning@...hat.com, jkosina@...e.cz, vojtech@...e.cz, live-patching@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 1/2] livepatch: Add a new function to verify the address and name match for extra module On Mon 2015-04-13 17:50:23, Minfei Huang wrote: > On 04/13/15 at 11:41P, Petr Mladek wrote: > > On Mon 2015-04-13 17:11:19, Minfei Huang wrote: > > > On 04/13/15 at 10:37P, Petr Mladek wrote: > > > > On Sun 2015-04-12 21:15:53, Minfei Huang wrote: > > > > > In order to restrict the patch, we can verify the provided function > > > > > address and name match. Now we have can only verify the vmlinux function > > > > > name and address. > > > > > > > > > > Add a new function to verify extra module function name and address. The > > > > > patch would not be patched, if the function name and address are not > > > > > matched. > > > > > > > > old_addr could be predefined only for vmlinux. It does not make sense > > > > to define it for modules because they are loaded dynamically, each > > > > time on a different addresses. It means that it does not make sense > > > > to verify addresses from modules. They always need to be detected. > > > > > > > > > > Please correct me if there is something wrong for below comment. > > > > > > As commented in the doc that function address is optional, it is more > > > confortable during patching the patch, if function name and address are > > > provided. > > > > > > For now we only use function name to detect the module function. It is > > > more accurate to detect the function using function name and address. > > > > I think that it is the other way. It is easier to create patch without > > the addresses. It is enough for most patches. > > > > The function address is needed only if there are more functions of > > the same name. There are only few in vmlinux. > > > > We currently does not allow to handle name conflicts inside a module. > > But the chance is very small that there will be such a conflict. > > Do you know about any module that could not be patched because > > of this? > > > > Yes, the function name exceeding to 128 is not happened, in general. > But I donot think it is the reason that livepatch donot support this > case. > > Patched these patches, we can still use function name to detect function > for both vmlinux and extra module. > > It is poisonless that we support to verify both function name and > address to detect function for extra module. Please, read my previous mails. We do not know old_addr for modules at build time. Therefore we could solve this problem easily for modules. I think that the whole problem is rather theoretical and it is not worth spending time on it. Best Regards, Petr -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists