lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 02 Sep 2014 23:35:31 +0200
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Alexei Starovoitov <ast@...mgrid.com>
Cc:	Network Development <netdev@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Brad Spengler <spender@...ecurity.net>,
	Daniel Borkmann <dborkman@...hat.com>,
	Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH net-next v2] net: bpf: make eBPF interpreter images read-only

On Tue, Sep 2, 2014, at 23:31, Alexei Starovoitov wrote:
> On Tue, Sep 2, 2014 at 1:53 PM, Hannes Frederic Sowa
> <hannes@...essinduktion.org> wrote:
> > From: Daniel Borkmann <dborkman@...hat.com>
> >
> > With eBPF getting more extended and exposure to user space is on it's way,
> > hardening the memory range the interpreter uses to steer its command flow
> > seems appropriate.  This patch moves the to be interpreted bytecode to
> > read-only pages.
> ...
> >  11 files changed, 144 insertions(+), 32 deletions(-)
> 
> nice. quite short.
> 
> > +#ifdef CONFIG_DEBUG_SET_MODULE_RONX
> > +static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
> > +{
> > +       set_memory_ro((unsigned long)fp, fp->pages);
> 
> since ronx are ifdef checked together,
> would probably make sense to set nx too?

NX bit is already set, because we didn't request page with
PAGE_KERNEL_EXEC.

E.g. in kernel_page_tables:
0xffffc90000a94000-0xffffc90000a96000           8K     ro            
GLB NX pte

> > +static inline void bpf_prog_unlock_ro(struct bpf_prog *fp)
> > +{
> > +       set_memory_rw((unsigned long)fp, fp->pages);
> 
> why rw is needed?
> since fp is allocated with vmalloc, vfree doesn't need
> to touch the pages to free them, no?

We will check that. It basically was copied from jit hardening code.
Maybe we can omit the call.

Thanks,
Hannes
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ