| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Oct 2019 11:16:34 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Petr Mladek <pmladek@...e.com>
Cc: Josh Poimboeuf <jpoimboe@...hat.com>, x86@...nel.org,
linux-kernel@...r.kernel.org, rostedt@...dmis.org,
mhiramat@...nel.org, bristot@...hat.com, jbaron@...mai.com,
torvalds@...ux-foundation.org, tglx@...utronix.de,
mingo@...nel.org, namit@...are.com, hpa@...or.com, luto@...nel.org,
ard.biesheuvel@...aro.org, jeyu@...nel.org,
live-patching@...r.kernel.org
Subject: Re: [PATCH v4 15/16] module: Move where we mark modules RO,X
On Fri, Oct 25, 2019 at 08:44:56AM +0200, Petr Mladek wrote:
> On Thu 2019-10-24 15:16:34, Peter Zijlstra wrote:
> > Right, that really should be able to run early. Esp. after commit
> >
> > 11e86dc7f274 ("x86/paravirt: Detect over-sized patching bugs in paravirt_patch_call()")
> >
> > paravirt patching is unconditional. We _never_ run with the indirect
> > call except very early boot, but modules should have them patched way
> > before their init section runs.
> >
> > We rely on this for spectre-v2 and friends.
>
> Livepatching has the same requirement. The module code has to be fully
> livepatched before the module gets actually used.
Right, and that is just saying that all paravirt RELAs (pv_ops) can
basically be deleted from modules.
Which avoids the reported problem in yet another way.
> It means before mod->init() is called and before the module is moved
> into MODULE_STATE_LIVE state.
Funny thing, currently ftrace is running code before all that. It runs
code before klp_module_coming(), before jump_label patching.
My other patch in this thread fixes that.
Powered by blists - more mailing lists