| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Apr 2015 23:05:38 -0500 From: Josh Poimboeuf <jpoimboe@...hat.com> To: Minfei Huang <minfei.huang@...mail.com> Cc: Petr Mladek <pmladek@...e.cz>, sjenning@...hat.com, jkosina@...e.cz, vojtech@...e.cz, live-patching@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 1/2] livepatch: Add a new function to verify the address and name match for extra module On Tue, Apr 14, 2015 at 08:48:11AM +0800, Minfei Huang wrote: > On 04/14/15 at 08:17P, Minfei Huang wrote: > > On 04/13/15 at 05:58P, Josh Poimboeuf wrote: > > > On Mon, Apr 13, 2015 at 06:37:10PM +0800, Minfei Huang wrote: > > > > For my patches, I think it is used by the persion which will compose the > > > > patch individually, not for the manufactor. > > > > > > > > Yes, Verifying extra function address is more useless in general, due to > > > > the changable address on different system. > > > > > > > > IMO, we shall do our best to make livepatch more robust. > > > > > > IIUC, to use this, you'd have to load the module first, manually look up > > > the module function's address, and _then_ build the patch for the > > > running system. And the resulting patch wouldn't work on other systems. > > > > > > Do you have concrete plans to use it this way? > > > > > > Just trying to understand if this is needed for a real world usage > > > scenario. > > > > For some companies(like cloud computing company), they will compose > > their own module to improve the performance. > > > > Once there is some bug for the own module, they cannt restart to reload > > the fixed-module. So it seems that livepatch is the best way to fix this > > issue. > > > > Before livepatch being integrated in kernel, we usually use ksplice to > > patch the patch. > > > > What the above scenario I met is in my previous work. > > > > For now, livepatch cannt patch the patch for extra module, once the > > function name is larger than 127. > > > > Also, Maybe there is some day, we can use script to detect the function > name and address in userspace, then generate the patch to patch the > defective kernel or extra module. I'd rather wait until we have a real world use case before adding support for that. Otherwise we end up bloating the code and have to support a nebulous feature which nobody uses. > So the people who want to use livepatch never concern how to compose the > patch to patch the kernel or extra module by using livepatch. All they > will do is to provide a common patch which is different with the > original code. We already have a kpatch tool named kpatch-build which does this. It is not yet upstreamed into Linux. The key difference is that it creates the patch at compile time rather than runtime. The resulting patch works for _all_ systems running the given version of kernel, rather than only the current system. -- Josh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists