lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 6 Jan 2017 16:03:04 -0500
From:   Jessica Yu <jeyu@...hat.com>
To:     Rusty Russell <rusty@...tcorp.com.au>
Cc:     "Luis R. Rodriguez" <mcgrof@...nel.org>,
        Filipe Manana <fdmanana@...e.com>,
        "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
        "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
        rgoldwyn@...e.com, hare <hare@...e.com>,
        Jonathan Corbet <corbet@....net>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        linux-kselftest@...r.kernel.org,
        Andrew Morton <akpm@...ux-foundation.org>,
        Dan Williams <dan.j.williams@...el.com>,
        Aaron Tomlin <atomlin@...hat.com>, rwright@....com,
        Heinrich Schuchardt <xypron.glpk@....de>,
        Michal Marek <mmarek@...e.com>, martin.wilck@...e.com,
        Jeff Mahoney <jeffm@...e.com>, Ingo Molnar <mingo@...hat.com>,
        Petr Mladek <pmladek@...e.com>,
        Dmitry Torokhov <dmitry.torokhov@...il.com>,
        Guenter Roeck <linux@...ck-us.net>,
        "Eric W. Biederman" <ebiederm@...ssion.com>, shuah@...nel.org,
        DSterba@...e.com, Kees Cook <keescook@...omium.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Arnaldo Carvalho de Melo <acme@...hat.com>,
        Miroslav Benes <mbenes@...e.cz>, NeilBrown <neilb@...e.com>,
        "linux-kernel@...r.kernel.o rg" <linux-kernel@...r.kernel.org>,
        David Miller <davem@...emloft.net>,
        Subash Abhinov Kasiviswanathan <subashab@...eaurora.org>,
        Julia Lawall <julia.lawall@...6.fr>
Subject: Re: kmod: add a sanity check on module loading

+++ Rusty Russell [03/01/17 10:34 +1030]:
>"Luis R. Rodriguez" <mcgrof@...nel.org> writes:
>>> Maybe a similar hack for try_then_request_module(), but many places seem
>>> to open-code request_module() so it's not as trivial...
>
>Hi Luis, Jessica (who is the main module maintainer now),
>
>        Back from break, sorry about delay.
>
>> Right, out of ~350 request_module() calls (not included try requests)
>> only ~46 check the return value. Hence a validation check, and come to
>> think of it, *this* was the issue that originally had me believing
>> that in some places we might end up in a null deref --if those open
>> coded request_module() calls assume the driver is loaded there could
>> be many places where a NULL is inevitable.
>
>Yes, assuming success == module loade is simply a bug.  I wrote
>try_then_request_module() to attempt to encapsulate the correct logic
>into a single place; maybe we need other helpers to cover (most of?) the
>remaining cases?
>
>> Granted, I agree they
>> should be fixed, we could add a grammar rule to start nagging at
>> driver developers for started, but it does beg the question also of
>> what a tightly knit validation for modprobe might look like, and hence
>> this patch and now the completed not-yet-posted alias work.
>
>I really think aliases-in-kernel is too heavy a hammer, but a warning
>when modprobe "succeeds" and the module still isn't found would be
>a Good Thing.

I was under the impression that aliases were a userspace concern. i.e., we let
kmod tools take care of alias resolution and bookkeeping. I'm getting the
feeling we're bending over backwards here to accommodate buggy/untrustworthy
userspace (modprobe). If I understand correctly, we're performing this
validation work - we're proposing to make the kernel alias-aware - because we
can't even trust modprobe's return value, and the proposal is to double check
this work ourselves in-kernel.

But I thought that request_module() wasn't written to provide these "module is
now live and loaded" guarantees in the first place. This seems to be documented
in kernel/kmod.c - "Callers must check that the service they requested is now
available not blindly invoke it." Isn't it the caller's responsibility to
(indirectly) validate request_module's work, to check that the service they want is
now there? If a caller doesn't do this, then this is a bug on their side. If it
is crucial for get_fs_type() to not fail, then perhaps we should be tightening
get_fs_type() instead, be that WARNing if the requested filesystem is still not
there (as suggested earlier), or maybe even trying the request again.

>> Would it be worthy as a kconfig kmod debugging aide for now? I can
>> follow up with a semantic patch to nag about checking the return value
>> of request_module(), and we can  have 0-day then also complain about
>> new invalid uses.
>
>Yeah, a warning about this would be win for sure.
>
>BTW, I wrote the original "check-for-module-before-loading" in
>module-init-tools, but I'm starting to wonder if it was a premature
>optimization.  Have you thought about simply removing it and always
>trying to load the module?  If it doesn't slow things down, perhaps
>simplicity FTW?
>
>Thanks,
>Rusty.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ