| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <12b6232f-ac3d-c74c-5f9e-d84905c39f0a@huawei.com>
Date: Tue, 13 Nov 2018 21:01:43 +0200
From: Igor Stoppa <igor.stoppa@...wei.com>
To: Andy Lutomirski <luto@...capital.net>
CC: Igor Stoppa <igor.stoppa@...il.com>,
Kees Cook <keescook@...omium.org>,
Peter Zijlstra <peterz@...radead.org>,
Nadav Amit <nadav.amit@...il.com>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Matthew Wilcox <willy@...radead.org>,
Dave Chinner <david@...morbit.com>,
James Morris <jmorris@...ei.org>,
"Michal Hocko" <mhocko@...nel.org>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
linux-integrity <linux-integrity@...r.kernel.org>,
LSM List <linux-security-module@...r.kernel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Jonathan Corbet <corbet@....net>,
Laura Abbott <labbott@...hat.com>,
Randy Dunlap <rdunlap@...radead.org>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
"Thomas Gleixner" <tglx@...utronix.de>
Subject: Re: [PATCH 10/17] prmem: documentation
On 13/11/2018 20:35, Andy Lutomirski wrote:
> On Tue, Nov 13, 2018 at 10:26 AM Igor Stoppa <igor.stoppa@...wei.com> wrote:
[...]
>> The high level API could be something like:
>>
>> wr_memcpy(void *src, void *dst, uint_t size)
[...]
> If you call a wr_memcpy() function with the signature you suggested,
> then you can overwrite any memory of this type. Having a different
> mm_struct under the hood makes no difference. As far as I'm
> concerned, for *dynamically allocated* rare-writable memory, you might
> as well allocate all the paging structures at the same time, so the
> mm_struct will always contain the mappings. If there are serious bugs
> in wr_memcpy() that cause it to write to the wrong place, we have
> bigger problems.
Beside bugs, I'm also thinking about possible vulnerability.
It might be overthinking, though.
I do not think it's possible to really protect against control flow
attacks, unless there is some support from the HW and/or the compiler.
What is left, are data-based attacks. In this case, it would be an
attacker using one existing wr_ invocation with doctored parameters.
However, there is always the objection that it would be possible to come
up with a "writing kit" for plowing through the page tables and
unprotect anything that might be of value.
Ideally, that should be the only type of data-based attack left.
In practice, it might just be an excess of paranoia from my side.
> I can imagine that we'd want a *typed* wr_memcpy()-like API some day,
> but that can wait for v2. And it still doesn't obviously need
> multiple mm_structs.
I left that out, for now, but yes, typing would play some role here.
[...]
> I think it's entirely reasonable for the API to internally break up
> very large memcpys.
The criteria for deciding if/how to break it down is not clear to me,
though. The single page was easy, but might be (probably is) too much.
--
igor
Powered by blists - more mailing lists