lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 30 Sep 2021 21:27:43 +0300
From:   Alexander Popov <>
To:     Andrew Morton <>
Cc:     Jonathan Corbet <>,
        Paul McKenney <>,
        Thomas Gleixner <>,
        Peter Zijlstra <>,
        Joerg Roedel <>,
        Maciej Rozycki <>,
        Muchun Song <>,
        Viresh Kumar <>,
        Robin Murphy <>,
        Randy Dunlap <>,
        Lu Baolu <>,
        Petr Mladek <>,
        Kees Cook <>,
        Luis Chamberlain <>, Wei Liu <>,
        John Ogness <>,
        Andy Shevchenko <>,
        Alexey Kardashevskiy <>,
        Christophe Leroy <>,
        Jann Horn <>,
        Greg Kroah-Hartman <>,
        Mark Rutland <>,
        Andy Lutomirski <>,
        Dave Hansen <>,
        Steven Rostedt <>,
        Will Deacon <>,
        David S Miller <>,
        Borislav Petkov <>,,,,,
Subject: Re: [PATCH] Introduce the pkill_on_warn boot parameter

On 30.09.2021 02:31, Andrew Morton wrote:
> On Wed, 29 Sep 2021 22:01:33 +0300 Alexander Popov <> wrote:
>> On 29.09.2021 21:58, Alexander Popov wrote:
>>> Currently, the Linux kernel provides two types of reaction to kernel
>>> warnings:
>>>  1. Do nothing (by default),
>>>  2. Call panic() if panic_on_warn is set. That's a very strong reaction,
>>>     so panic_on_warn is usually disabled on production systems.
>>> From a safety point of view, the Linux kernel misses a middle way of
>>> handling kernel warnings:
>>>  - The kernel should stop the activity that provokes a warning,
>>>  - But the kernel should avoid complete denial of service.
>>> From a security point of view, kernel warning messages provide a lot of
>>> useful information for attackers. Many GNU/Linux distributions allow
>>> unprivileged users to read the kernel log, so attackers use kernel
>>> warning infoleak in vulnerability exploits. See the examples:
>>> Let's introduce the pkill_on_warn boot parameter.
>>> If this parameter is set, the kernel kills all threads in a process
>>> that provoked a kernel warning. This behavior is reasonable from a safety
>>> point of view described above. It is also useful for kernel security
>>> hardening because the system kills an exploit process that hits a
>>> kernel warning.
>>> Signed-off-by: Alexander Popov <>
>> This patch was tested using CONFIG_LKDTM.
>> The kernel kills a process that performs this:
>>   echo WARNING > /sys/kernel/debug/provoke-crash/DIRECT
>> If you are fine with this approach, I will prepare a patch adding the
>> pkill_on_warn sysctl.
> Why do we need a boot parameter?  Isn't a sysctl all we need for this
> feature? 

I would say we need both sysctl and boot parameter for pkill_on_warn.
That would be consistent with panic_on_warn, ftrace_dump_on_oops and

> Also, 
> 	if (pkill_on_warn && system_state >= SYSTEM_RUNNING)
> 		do_group_exit(SIGKILL);
> - why do we care about system_state?  An explanatory code comment
>   seems appropriate.
> - do we really want to do this in states > SYSTEM_RUNNING?  If so, why?

A kernel warning may occur at any moment.
I don't have a deep understanding of possible side effects on early boot stages.
So I decided that at least it's safer to avoid interfering before SYSTEM_RUNNING.

Best regards,

Powered by blists - more mailing lists