Message-ID: <YA/fsnfGy4jgOaCB@hirez.programming.kicks-ass.net>
Date:   Tue, 26 Jan 2021 10:24:02 +0100
From:   Peter Zijlstra <peterz@...radead.org>
To:     Josh Poimboeuf <jpoimboe@...hat.com>
Cc:     Frederic Weisbecker <frederic@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Mel Gorman <mgorman@...e.de>, Michal Hocko <mhocko@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        "Paul E . McKenney" <paulmck@...nel.org>,
        Ingo Molnar <mingo@...hat.com>, Michal Hocko <mhocko@...e.com>,
        rostedt@...dmis.org, jbaron@...mai.com, ardb@...nel.org
Subject: Re: [RFC PATCH 6/8] preempt/dynamic: Provide preempt_schedule[_notrace]() static calls

On Mon, Jan 25, 2021 at 05:40:39PM -0600, Josh Poimboeuf wrote:
> On Fri, Jan 22, 2021 at 05:52:26PM +0100, Peter Zijlstra wrote:
> > On Mon, Jan 18, 2021 at 03:12:21PM +0100, Frederic Weisbecker wrote:
> > > +#ifdef CONFIG_PREEMPT_DYNAMIC
> > > +DEFINE_STATIC_CALL(preempt_schedule, __preempt_schedule_func());
> > > +EXPORT_STATIC_CALL(preempt_schedule);
> > > +#endif
> > 
> > > +#ifdef CONFIG_PREEMPT_DYNAMIC
> > > +DEFINE_STATIC_CALL(preempt_schedule_notrace, __preempt_schedule_notrace_func());
> > > +EXPORT_STATIC_CALL(preempt_schedule_notrace);
> > > +#endif
> > 
> > So one of the things I hate most about this is that it allows 'random'
> > modules to hijack the preemption by rewriting these callsites. Once you
> > export the key, we've lost.
> > 
> > I've tried a number of things, but this is the only one I could come up
> > with that actually stands a chance against malicious modules (vbox and
> > the like).
> > 
> > It's somewhat elaborate, but afaict it actually works.
> 
> What about this hopefully abuse-proof idea which has less code, less
> complexity, no registration, no new data structures, no COC defiance.
> 
> Add a writable-by-modules bit to the key struct, which can be set when
> you define the key.  Enforce it in __static_call_update() with a call to
> __builtin_return_address(0).  WARN when the caller's text isn't in the
> kernel proper and the flag isn't set.
> 
> Hm?

What stops a module from clearing said bit? It has the key pointer.
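Added example, not part of the thread and not kernel code: a user-space C model of the check Josh sketches (a "writable by modules" bit in the key, enforced in the update path) next to Peter's objection that the module holds the key pointer and so owns that bit. The struct, function and table names are invented for the illustration; the real proposal would derive "is the caller core kernel text" from __builtin_return_address(0), which this model replaces with an explicit caller_is_core argument. The second variant, which keeps the policy in a core-owned const table rather than in the struct handed to the module, is an illustration of the ownership principle, not the approach the thread settled on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of a static-call key. Not the kernel's struct; the
 * field names and the flag bit are assumptions for this illustration.
 */
struct key {
	void (*func)(void);
	unsigned long flags;	/* the proposed "writable by modules" bit lives here */
};
#define KEY_MODULE_WRITABLE	0x1UL

static void core_impl(void) { }
static void module_impl(void) { }

/*
 * Variant A: the proposal as described. In the kernel, caller_is_core would
 * come from __builtin_return_address(0) checked against core kernel text; here
 * the simulated call path passes it in directly (modelling assumption).
 */
static bool update_flag_check(struct key *k, void (*fn)(void), bool caller_is_core)
{
	if (!caller_is_core && !(k->flags & KEY_MODULE_WRITABLE)) {
		fprintf(stderr, "WARN: refusing module update of key %p\n", (void *)k);
		return false;
	}
	k->func = fn;
	return true;
}

/* An unflagged key does reject a module caller ... */
bool flag_check_rejects_module(void)
{
	struct key k = { core_impl, 0 };
	return !update_flag_check(&k, module_impl, false) && k.func == core_impl;
}

/* ... but the module holds the key pointer, so it owns the bit the check reads. */
bool flag_check_defeated_by_holder_of_key(void)
{
	struct key k = { core_impl, 0 };
	k.flags |= KEY_MODULE_WRITABLE;	/* the objection raised in the reply, in one line */
	return update_flag_check(&k, module_impl, false) && k.func == module_impl;
}

/*
 * Variant B (illustration of the ownership principle, not the thread's fix):
 * the list of module-updatable keys is a const table owned by the core, so the
 * struct a module is handed carries no authorization state at all. In a kernel
 * this table would sit in read-only data; the point is who owns the decision,
 * not that ring-0 code can never write to rodata.
 */
static struct key core_only_key = { core_impl, 0 };
static struct key shared_key = { core_impl, 0 };
static struct key *const module_writable_keys[] = { &shared_key };

static bool key_is_module_writable(const struct key *k)
{
	size_t n = sizeof(module_writable_keys) / sizeof(module_writable_keys[0]);

	for (size_t i = 0; i < n; i++)
		if (module_writable_keys[i] == k)
			return true;
	return false;
}

static bool update_table_check(struct key *k, void (*fn)(void), bool caller_is_core)
{
	if (!caller_is_core && !key_is_module_writable(k)) {
		fprintf(stderr, "WARN: refusing module update of key %p\n", (void *)k);
		return false;
	}
	k->func = fn;
	return true;
}

/* Flipping the in-struct bit no longer changes the outcome. */
bool table_check_ignores_flag_flip(void)
{
	core_only_key.flags |= KEY_MODULE_WRITABLE;
	return !update_table_check(&core_only_key, module_impl, false)
	       && core_only_key.func == core_impl;
}

/* Keys the core deliberately listed stay updatable from modules. */
bool table_check_allows_listed_key(void)
{
	return update_table_check(&shared_key, module_impl, false)
	       && shared_key.func == module_impl;
}
```

The model makes the review point concrete: a permission bit stored in memory the checked party can write is documentation, not enforcement. Moving the decision into data the core owns removes that particular shortcut; it does not, on its own, defend against code that already runs at ring 0, which is why the thread treats the real problem as harder than a flag.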
