lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <49D4A016.9040506@redhat.com>
Date:	Thu, 02 Apr 2009 14:23:02 +0300
From:	Izik Eidus <ieidus@...hat.com>
To:	Anthony Liguori <anthony@...emonkey.ws>
CC:	Chris Wright <chrisw@...hat.com>,
	Andrea Arcangeli <aarcange@...hat.com>,
	linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
	linux-mm@...ck.org, avi@...hat.com, riel@...hat.com,
	jeremy@...p.org, mtosatti@...hat.com, hugh@...itas.com,
	corbet@....net, yaniv@...hat.com, dmonakhov@...nvz.org
Subject: Re: [PATCH 4/4] add ksm kernel shared memory driver.

Anthony Liguori wrote:
> Chris Wright wrote:
>> * Anthony Liguori (anthony@...emonkey.ws) wrote:
>>  
>>> The ioctl() interface is quite bad for what you're doing.  You're  
>>> telling the kernel extra information about a VA range in 
>>> userspace.   That's what madvise is for.  You're tweaking simple 
>>> read/write values of  kernel infrastructure.  That's what sysfs is for.
>>>     
>>
>> I agree re: sysfs (brought it up myself before).  As far as madvise vs.
>> ioctl, the one thing that comes from the ioctl is fops->release to
>> automagically unregister memory on exit.
>
> This is precisely why ioctl() is a bad interface.  fops->release isn't 
> tied to the process but rather tied to the open file.  The file can 
> stay open long after the process exits either by a fork()'d child 
> inheriting the file descriptor or through something more sinister like 
> SCM_RIGHTS.
>
> In fact, a common mistake is to leak file descriptors by not closing 
> them when exec()'ing a process.  Instead of just delaying a close, if 
> you rely on this behavior to unregister memory regions, you could 
> potentially have badness happen in the kernel if ksm attempted to 
> access an invalid memory region. 
How could such badness ever happen in the kernel?
Ksm work by virtual addresses!, it fetch the pages by using 
get_user_pages(), and the mm struct is protected by get_task_mm(), in 
addion we take the down_read(mmap_sem)

So how could ksm ever acces to invalid memory region unless the host 
page table or get_task_mm() would stop working!

When someone register memory for scan, we do get_task_mm() when the file 
is closed or when he say that he dont want this to be registered anymore 
he call the unregister ioctl


You can aurgoment about API, but this is mathamathical thing to say Ksm 
is insecure, please show me senario!
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ