| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Nov 2014 14:21:01 +0100 (CET) From: Jiri Kosina <jkosina@...e.cz> To: Thomas Gleixner <tglx@...utronix.de> cc: Seth Jennings <sjenning@...hat.com>, Josh Poimboeuf <jpoimboe@...hat.com>, Vojtech Pavlik <vojtech@...e.cz>, Steven Rostedt <rostedt@...dmis.org>, Petr Mladek <pmladek@...e.cz>, Miroslav Benes <mbenes@...e.cz>, Christoph Hellwig <hch@...radead.org>, Greg KH <gregkh@...uxfoundation.org>, Andy Lutomirski <luto@...capital.net>, Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>, live-patching@...r.kernel.org, x86@...nel.org, kpatch@...hat.com, linux-kernel@...r.kernel.org Subject: Re: [PATCHv3 2/3] kernel: add support for live patching On Mon, 24 Nov 2014, Thomas Gleixner wrote: > > This commit introduces code for the live patching core. It implements > > an ftrace-based mechanism and kernel interface for doing live patching > > of kernel and kernel module functions. > > > > It represents the greatest common functionality set between kpatch and > > kgraft and can accept patches built using either method. > > > > This first version does not implement any consistency mechanism that > > ensures that old and new code do not run together. In practice, ~90% of > > CVEs are safe to apply in this way, since they simply add a conditional > > check. However, any function change that can not execute safely with > > the old version of the function can _not_ be safely applied in this > > version. > > To be honest this sounds frightening. > > How is determined whether a change can be applied w/o a consistency > mechanism or not? By a human being producing the "live patch" code. If the semantics of the patch requires consistency mechanism to be applied (such as "old and new function must not run in parallel, because locking rules would be violated", or "return value from a function that is being called in a loop is changing its meaning", etc.), then this first naive implementation simply can't be used. For simple things though, such as "add a missing bounds check to sys_foo() prologue and return -EINVAL if out-of-bounds", this is sufficient. It's being designed in a way that more advanced consistency models (such as the ones kgraft and kpatch are currently implementing) can be built on top of it. The person writing the patch would always need to understand what he is doing to be able to pick correct consistency model to be used. I personally think this is a good thing -- this is nothing where we should be relying on any kinds of tools. Thanks, -- Jiri Kosina SUSE Labs -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists