lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190814151244.5xoaxib5iya2qjco@treble>
Date:   Wed, 14 Aug 2019 10:12:44 -0500
From:   Josh Poimboeuf <jpoimboe@...hat.com>
To:     Miroslav Benes <mbenes@...e.cz>
Cc:     jikos@...nel.org, pmladek@...e.com, joe.lawrence@...hat.com,
        live-patching@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 2/2] livepatch: Clear relocation targets on a module
 removal

On Wed, Aug 14, 2019 at 01:06:09PM +0200, Miroslav Benes wrote:
> > Really, we should be going in the opposite direction, by creating module
> > dependencies, like all other kernel modules do, ensuring that a module
> > is loaded *before* we patch it.  That would also eliminate this bug.
> 
> Yes, but it is not ideal either with cumulative one-fixes-all patch 
> modules. It would load also modules which are not necessary for a 
> customer and I know that at least some customers care about this. They 
> want to deploy only things which are crucial for their systems.

If you frame the question as "do you want to destabilize the live
patching infrastucture" then the answer might be different.

We should look at whether it makes sense to destabilize live patching
for everybody, for a small minority of people who care about a small
minority of edge cases.

Or maybe there's some other solution we haven't thought about, which
fits more in the framework of how kernel modules already work.

> We could split patch modules as you proposed in the past, but that have 
> issues as well.

Right, I'm not really crazy about that solution either.

Here's another idea: per-object patch modules.  Patches to vmlinux are
in a vmlinux patch module.  Patches to kvm.ko are in a kvm patch module.
That would require:

- Careful management of dependencies between object-specific patches.
  Maybe that just means that exported function ABIs shouldn't change.

- Some kind of hooking into modprobe to ensure the patch module gets
  loaded with the real one.

- Changing 'atomic replace' to allow patch modules to be per-object.

> Anyway, that is why I proposed "Rethinking late module patching" talk at 
> LPC and we should try to come up with a solution there.

Thanks, I saw that.  It's definitely worthy of more discussion.  The
talk may be more productive if there were code to look at.  For example,
a patch which removes all the "late module patching" gunk, so we can at
least quantify the cost of the current approach.

-- 
Josh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ