| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <568F0F75.4090101@labbott.name> Date: Thu, 7 Jan 2016 17:23:01 -0800 From: Laura Abbott <laura@...bott.name> To: Christoph Lameter <cl@...ux.com> Cc: Kees Cook <keescook@...omium.org>, Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>, Joonsoo Kim <iamjoonsoo.kim@....com>, Andrew Morton <akpm@...ux-foundation.org>, Linux-MM <linux-mm@...ck.org>, LKML <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com> Subject: Re: [RFC][PATCH 0/7] Sanitization of slabs based on grsecurity/PaX On 1/7/16 8:26 AM, Christoph Lameter wrote: > On Tue, 5 Jan 2016, Laura Abbott wrote: > >> It's not the poisoning per se that's incompatible, it's how the poisoning is >> set up. At least for slub, the current poisoning is part of SLUB_DEBUG which >> enables other consistency checks on the allocator. Trying to pull out just >> the poisoning for use when SLUB_DEBUG isn't on would result in roughly what >> would be here anyway. I looked at trying to reuse some of the existing >> poisoning >> and came to the conclusion it was less intrusive to the allocator to keep it >> separate. > > SLUB_DEBUG does *not* enable any debugging features. It builds the logic > for debugging into the kernel but does not activate it. CONFIG_SLUB_DEBUG > is set for production kernels. The poisoning is build in by default into > any recent linux kernel out there. You can enable poisoning selectively > (and no other debug feature) by specifying slub_debug=P on the Linux > kernel command line right now. > > There is a SLAB_POISON flag for each kmem_cache that can be set to > *only* enable poisoning and nothing else from code. > > The slub_debug=P not only poisons it enables other consistency checks on the slab as well, assuming my understanding of what check_object does is correct. My hope was to have the poison part only and none of the consistency checks in an attempt to mitigate performance issues. I misunderstood when the checks actually run and how SLUB_DEBUG was used. Another option would be to have a flag like SLAB_NO_SANITY_CHECK. sanitization enablement would just be that and SLAB_POISON in the debug options. The disadvantage to this approach would be losing the sanitization for ->ctor caches (the grsecurity version works around this by re-initializing with ->ctor, I haven't heard any feedback if this actually acceptable) and not having some of the fast paths enabled (assuming I'm understanding the code path correctly.) which would also be a performance penalty Thanks, Laura
Powered by blists - more mailing lists