| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Dec 2021 15:48:36 -0800
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Petr Mladek <pmladek@...e.com>
Cc: Miroslav Benes <mbenes@...e.cz>, jikos@...nel.org,
joe.lawrence@...hat.com, peterz@...radead.org,
linux-kernel@...r.kernel.org, live-patching@...r.kernel.org,
shuah@...nel.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v2 1/2] livepatch: Allow user to specify functions to
search for on a stack
On Tue, Dec 14, 2021 at 04:40:11PM +0100, Petr Mladek wrote:
> > > > Hm, what does this mean for the unpatching case? What if the new
> > > > function's .cold child is on the stack when we're trying to unpatch?
> > >
> > > Good question. I did not realize it worked both ways. Of course it does.
> > >
> > > > Would it make sense to allow the user specify a 'new_func' for
> > > > stack_only, which is a func to check on the stack when unpatching? Then
> > > > new_func could point to the new .cold child. And then
> > > > klp_check_stack_func() wouldn't need a special case.
> >
> > I am confused. My understanding is that .cold child is explicitly
> > livepatched to the new .cold child like it is done in the selftest:
> >
> > static struct klp_func funcs_stack_only[] = {
> > {
> > .old_name = "child_function",
> > .new_func = livepatch_child_function,
> > }, {
> >
> > We should not need anything special to check it on stack.
> > We only need to make sure that we check all .stack_only functions of
> > the to-be-disabled livepatch.
>
> We have discussed this with Miroslav and it seems to be even more
> complicated. My current understanding is that we actually have
> three functions involved:
>
> parent_func()
> call child_func()
> jmp child_func.cold
>
> We livepatch child_func() that uses jmp and need not be on stack.
> This is why we want to check parent_func() on stack.
> For this, we define something like:
>
> static struct klp_func funcs[] = {
> {
> .old_name = "child_func",
> .new_func = livepatch_child_func, // livepatched func
> },
> {
> .old_name = "parent_func",
> .stack_only = true, // stack only
> },
Hm, this is different than how I understand it.
In the past I referred to the "parent" as the function which jumps to
the cold ("child") function. So maybe we're getting confused by
different terminology. But here I'll go with the naming from your
example.
If parent_func() is stack_only, that could create some false positive
scenarios where patching stalls unnecessarily. Also, wouldn't all of
child_func()'s callers have to be made stack_only? How would you
definitively find all the callers?
Instead I was thinking child_func.cold() should be stack_only.
e.g.:
static struct klp_func funcs[] = {
{
.old_name = "child_func",
.new_func = livepatch_child_func,
},
{
.old_name = "child_func.cold",
.new_name = "livepatch_child_func.cold",
.stack_only = true,
},
Any reason why that wouldn't work?
> This is another argument that we should somehow reuse the nops code
> also for stack_only checks.
>
> Does it make sense, please? ;-)
Yes, if parent_func() is stack_only.
But if child_func.cold() is stack_only, that doesn't work, because it
doesn't have a fentry hook.
--
Josh
Powered by blists - more mailing lists