[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrV+2wPJwZ90-nZFgM9o_f0hCQ4Gf3Y+H+6cdkjoafgiZQ@mail.gmail.com>
Date: Sun, 12 Nov 2023 16:08:33 -0800
From: Andy Lutomirski <luto@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Willy Tarreau <w@....eu>,
York Jasper Niebuhr <yjnworkstation@...il.com>,
akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
linux-api@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH] exitz syscall
> On Nov 11, 2023, at 5:24 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote:
>
> On Sat, 11 Nov 2023 at 05:24, Willy Tarreau <w@....eu> wrote:
>> IMHO it does not make sense to add a syscall for this, please have a
>> look at prctl(2) instead, which is already used for similar settings.
>
> Honestly, I don't think it makes any sense at all.
>
> If the key manager people can't be bothered to keep track of their
> keys, the kernel certainly shouldn't be bothered with this kind of
> huge hammer.
>
> It looks like an active DoS attack to me, by anybody who just creates
> a huge process and then sits there giggling as the machine comes to a
> complete halt, with the kernel busy zeroing pointless crap.
The implementation in this patch is … bad. But that aside, the whole
concept seems wrong to me: zeroing memory specifically when an mm
exits seems rather bizarre -- it's the wrong condition. From a
hardening perspective, there are really three concerning cases, IMO:
1. Something sensitive is in memory, and some bug (side channel or
straight up kernel bug) allows an attacker to read it. Zeroing early
shortens the window but doesn't actually prevent the attack.
2. Something sensitive is in memory, and some bug allocates the memory
before it's freed. (I.e. allocator state gets corrupted.) Like #1,
all we can do is shorten the window. But these kinds of bugs are
quite rare.
3. Something sensitive is in memory, it gets freed, it gets reused
without __GFP_ZERO, and it gets leaked. This actually seems fairly
plausible. While __GFP_ZERO is fairly common, there are tons of paths
that don't use it, and bugs happen.
We do have:
commit 6471384af2a6530696fc0203bafe4de41a23c9ef
Author: Alexander Potapenko <glider@...gle.com>
Date: Thu Jul 11 20:59:19 2019 -0700
mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options
And I can easily imagine a useful API to flag some memory as being
sensitive such that either the kernel will always zero it when freed
or will make sure it's zeroed before being reallocated even if
__GFP_ZERO is not set and init_on_alloc and init_on_free are both
zero.
This would be a rather different patch that exitz().
--Andy
>
> Do it in user space. And if your user space randomly crashes, you have
> other problems - but you can try to use ptrace to catch even that case
> if you care.
>
> Linus
Powered by blists - more mailing lists