lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 29 Mar 2021 12:53:48 +0200
From:   David Hildenbrand <david@...hat.com>
To:     Hyunsoon Kim <h10.kim@...sung.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc:     dseok.yi@...sung.com, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm: add ___GFP_NOINIT flag which disables zeroing on
 alloc

On 29.03.21 07:29, Hyunsoon Kim wrote:
> This patch allows programmer to avoid zero initialization on page
> allocation even when the kernel config "CONFIG_INIT_ON_ALLOC_DEFAULT"
> is enabled. The configuration is made to prevent uninitialized
> heap memory flaws, and Android has applied this for security and
> deterministic execution times. Please refer to below.
> 
> https://android-review.googlesource.com/c/kernel/common/+/1235132
> 
> However, there is a case that the zeroing page memory is unnecessary
> when the page is used on specific purpose and will be zeroed
> automatically by hardware that accesses the memory through DMA.
> For instance, page allocation used for IP packet reception from Exynos
> modem is solely used for packet reception. Although the page will be
> freed eventually and reused for some other purpose, initialization at
> that moment of reuse will be sufficient to avoid uninitialized heap
> memory flaws. To support this kind of control, this patch creates new
> gfp type called ___GFP_NOINIT, that allows no zeroing at the moment
> of page allocation, called by many related APIs such as page_frag_alloc,
> alloc_pages, etc.
> 
> Signed-off-by: Hyunsoon Kim <h10.kim@...sung.com>
> ---
>   include/linux/gfp.h | 2 ++
>   include/linux/mm.h  | 4 +++-
>   2 files changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/include/linux/gfp.h b/include/linux/gfp.h
> index 8572a14..4ddd947 100644
> --- a/include/linux/gfp.h
> +++ b/include/linux/gfp.h
> @@ -58,6 +58,8 @@ struct vm_area_struct;
>   #else
>   #define ___GFP_NOLOCKDEP	0
>   #endif
> +#define ___GFP_NOINIT		0x1000000u
> +
>   /* If the above are modified, __GFP_BITS_SHIFT may need updating */
>   
>   /*
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 8ba4342..06a23bb 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -2907,7 +2907,9 @@ static inline void kernel_unpoison_pages(struct page *page, int numpages) { }
>   DECLARE_STATIC_KEY_FALSE(init_on_alloc);
>   static inline bool want_init_on_alloc(gfp_t flags)
>   {
> -	if (static_branch_unlikely(&init_on_alloc))
> +	if (flags & ___GFP_NOINIT)
> +		return false;
> +	else if (static_branch_unlikely(&init_on_alloc))
>   		return true;
>   	return flags & __GFP_ZERO;
>   }
> 

We discussed that in the past - whatever leaves the buddy shall be 
initialized. This is a security feature, not something random kernel 
modules should be able to hack around.

We also discussed back then to allow other allocators to eventually be 
able to optimize in the future if we are sure it really makes sense. 
Then, however, we need a new API that is not available to random 
modules, instead of exposing ___GFP_NOINIT to anybody out there in the 
system.

Nacked-by: David Hildenbrand <david@...hat.com>

-- 
Thanks,

David / dhildenb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ