| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Nov 2014 13:52:33 -0600 From: Seth Jennings <sjenning@...hat.com> To: Andy Lutomirski <luto@...capital.net> Cc: Josh Poimboeuf <jpoimboe@...hat.com>, Jiri Kosina <jkosina@...e.cz>, Vojtech Pavlik <vojtech@...e.cz>, Steven Rostedt <rostedt@...dmis.org>, live-patching@...r.kernel.org, kpatch@...hat.com, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] kernel: add support for live patching On Fri, Nov 07, 2014 at 11:40:38AM -0800, Andy Lutomirski wrote: > On 11/06/2014 06:39 AM, Seth Jennings wrote: > > This commit introduces code for the live patching core. It implements > > an ftrace-based mechanism and kernel interface for doing live patching > > of kernel and kernel module functions. > > > > It represents the greatest common functionality set between kpatch and > > kgraft and can accept patches built using either method. > > > > This first version does not implement any consistency mechanism that > > ensures that old and new code do not run together. In practice, ~90% of > > CVEs are safe to apply in this way, since they simply add a conditional > > check. However, any function change that can not execute safely with > > the old version of the function can _not_ be safely applied in this > > version. > > > > [...] > > > +/******************************************** > > + * Sysfs Interface > > + *******************************************/ > > +/* > > + * /sys/kernel/livepatch > > + * /sys/kernel/livepatch/<patch> > > + * /sys/kernel/livepatch/<patch>/enabled > > + * /sys/kernel/livepatch/<patch>/<object> > > + * /sys/kernel/livepatch/<patch>/<object>/<func> > > + * /sys/kernel/livepatch/<patch>/<object>/<func>/new_addr > > + * /sys/kernel/livepatch/<patch>/<object>/<func>/old_addr > > + */ > > Letting anyone read new_addr and old_addr is a kASLR leak, and I would > argue that showing this information to non-root at all is probably a bad > idea. Also worth noting that this live patching implementation currently doesn't support kASLR, as there is a method for the patch module to supply the old_addr, determined at generation time by pulling from vmlinux/System.map/etc, for a particular function to resolve symbol ambiguity in a kallsyms lookup. Obviously, this old_addr would be wrong for a kernel using kASLR. Thanks, Seth > > Can you make new_addr and old_addr have mode 0600 and > /sys/kernel/livepatch itself have mode 0500? For the latter, an admin > who wants unprivileged users to be able to see it can easily chmod it. > > --Andy > -- > To unsubscribe from this list: send the line "unsubscribe live-patching" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists