| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 4 Mar 2015 10:41:51 -0600 From: Josh Poimboeuf <jpoimboe@...hat.com> To: Jiri Kosina <jkosina@...e.cz> Cc: Petr Mladek <pmladek@...e.cz>, Seth Jennings <sjenning@...hat.com>, Vojtech Pavlik <vojtech@...e.cz>, live-patching@...r.kernel.org, linux-kernel@...r.kernel.org, Rusty Russell <rusty@...tcorp.com.au>, Miroslav Benes <mbenes@...e.cz>, Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>, mingo@...nel.org, mathieu.desnoyers@...icios.com, oleg@...hat.com, paulmck@...ux.vnet.ibm.com, andi@...stfloor.org, rostedt@...dmis.org, tglx@...utronix.de Subject: Re: [PATCH 2/2] livepatch: fix patched module loading race On Wed, Mar 04, 2015 at 04:51:39PM +0100, Jiri Kosina wrote: > On Wed, 4 Mar 2015, Josh Poimboeuf wrote: > > > > CPU0 CPU1 > > > > > > delete_module() #SYSCALL > > > > > > try_stop_module() > > > mod->state = MODULE_STATE_GOING; > > > > > > mutex_unlock(&module_mutex); > > > > > > klp_register_patch() > > > klp_enable_patch() > > > > > > #save place to switch universe > > > > > > b() # from module that is going > > > a() # from core (patched) > > > > > > > > > mod->exit(); > > > > > > > > > Note that the function b() can be called until we call mod->exit(). > > > > > > If we do not apply patch against b() because it is in > > > MODULE_STATE_GOING. It will call patched a() with modified semantic > > > and things might get wrong. > > > > > > Well, the above described race is rather theoretical. It will happen > > > only when a patched module is being removed and a module with a patch > > > is added at the same time. Also it means that some other CPU will > > > manage to register, enable the patch, switch the universe, and > > > call function from the patched module during the small race window. > > > > > > I am not sure if we need to handle such a type of race if the solution > > > adds too big complexity. > > > > But b() can't be called after the module is in MODULE_STATE_GOING, > > right? try_stop_module() makes sure it's not being used before changing > > its state. > > If b() is called from __exit() of the particular module, then you end up > in exactly the situation described above, don't you? Well, maybe. I guess it depends on the consistency model. The current "inconsistency" model doesn't allow for function semantic changes anyway. If we went to the per-task consistency model with stack checking (like my RFC), if mod->exit() calls schedule() before calling b(), the module task can potentially switch to the new universe, and call old b() which calls new a(). So yeah. Maybe this isn't the best approach. -- Josh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists