| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Apr 2015 17:50:23 +0800 From: Minfei Huang <minfei.huang@...mail.com> To: Petr Mladek <pmladek@...e.cz> CC: jpoimboe@...hat.com, sjenning@...hat.com, jkosina@...e.cz, vojtech@...e.cz, live-patching@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 1/2] livepatch: Add a new function to verify the address and name match for extra module On 04/13/15 at 11:41P, Petr Mladek wrote: > On Mon 2015-04-13 17:11:19, Minfei Huang wrote: > > On 04/13/15 at 10:37P, Petr Mladek wrote: > > > On Sun 2015-04-12 21:15:53, Minfei Huang wrote: > > > > In order to restrict the patch, we can verify the provided function > > > > address and name match. Now we have can only verify the vmlinux function > > > > name and address. > > > > > > > > Add a new function to verify extra module function name and address. The > > > > patch would not be patched, if the function name and address are not > > > > matched. > > > > > > old_addr could be predefined only for vmlinux. It does not make sense > > > to define it for modules because they are loaded dynamically, each > > > time on a different addresses. It means that it does not make sense > > > to verify addresses from modules. They always need to be detected. > > > > > > > Please correct me if there is something wrong for below comment. > > > > As commented in the doc that function address is optional, it is more > > confortable during patching the patch, if function name and address are > > provided. > > > > For now we only use function name to detect the module function. It is > > more accurate to detect the function using function name and address. > > I think that it is the other way. It is easier to create patch without > the addresses. It is enough for most patches. > > The function address is needed only if there are more functions of > the same name. There are only few in vmlinux. > > We currently does not allow to handle name conflicts inside a module. > But the chance is very small that there will be such a conflict. > Do you know about any module that could not be patched because > of this? > Yes, the function name exceeding to 128 is not happened, in general. But I donot think it is the reason that livepatch donot support this case. Patched these patches, we can still use function name to detect function for both vmlinux and extra module. It is poisonless that we support to verify both function name and address to detect function for extra module. Thanks Minfei > > > Maybe the function address being optional to be added is more accepted. > > > > Also what the patches's purpose is to support the situation that > > function name is larger than 128. > > > > I think the patches make sense, because we can not disallow the extra > > module to be patch, which function name may be larger than 128. > > Do you know about any such function name, please? > > Best Regards, > Petr -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists