Message-ID: <ZuK6Y1+Z5x4Hvt4P@MiWiFi-R3L-srv>
Date: Thu, 12 Sep 2024 17:54:43 +0800
From: Baoquan He <bhe@...hat.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>,
	Sourabh Jain <sourabhjain@...ux.ibm.com>
Cc: Petr Tesarik <petr.tesarik@...e.com>,
	Hari Bathini <hbathini@...ux.ibm.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Eric DeVolder <eric.devolder@...cle.com>,
	"open list:KEXEC" <kexec@...ts.infradead.org>,
	open list <linux-kernel@...r.kernel.org>,
	Petr Tesarik <ptesarik@...e.com>, stable@...nel.org
Subject: Re: [PATCH 1/1] kexec_file: fix elfcorehdr digest exclusion when
 CONFIG_CRASH_HOTPLUG=y

Hi Eric,

On 08/16/24 at 07:54am, Eric W. Biederman wrote:
> Petr Tesarik <petr.tesarik@...e.com> writes:
> 
> > From: Petr Tesarik <ptesarik@...e.com>
> >
> > Fix the condition to exclude the elfcorehdr segment from the SHA digest
> > calculation.
> >
> > The j iterator is an index into the output sha_regions[] array, not into
> > the input image->segment[] array. Once it reaches image->elfcorehdr_index,
> > all subsequent segments are excluded. Besides, if the purgatory segment
> > precedes the elfcorehdr segment, the elfcorehdr may be wrongly included in
> > the calculation.
> 
> I would rather make CONFIG_CRASH_HOTPLUG depend on broken.
> 
> The hash is supposed to include everything we depend upon so when
> a broken machine corrupts something we can detect that corruption
> and not attempt to take a crash dump.
> 
> The elfcorehdr is definitely something that needs to be part of the
> hash.
> 
> So please go back to the drawing board and find a way to include the
> program header in the hash even with CONFIG_CRASH_HOTPLUG.

Thanks for checking this and adding your advice, and sorry for the late
reply.

It was me who suggested that Eric DeVolder not add elfcorehdr into the
kdump kernel image hash while reviewing his patch. I need to explain this
if people have concerns. When I suggested this, what I considered was:

1) The code change will be much simpler. As you can see, later Eric
   DeVolder's patchset went through rounds of review and was finally
   merged. Below is his final round:

   - [PATCH v28 0/8] crash: Kernel handling of CPU and memory hot un/plug

2) The efficiency will be improved very much relative to adding
   elfcorehdr to the entire hash. When cpu/mem hotplug is triggered,
   we only touch the elfcorehdr area, and don't need to access the
   entire loading segments.

3) The elfcorehdr size is very tiny relative to kernel image and initrd.
   E.g. on x86, it's less than 1M, which is tiny relative to dozens of
   kernel image and initrd.

Surely, adding all loading segments into the hash is best. While
attracted by the above benefits, I tend not to add it for the time being.
I am open to this; if anyone has concerns about the security and is
interested in adding it as a kernel project practice in the future, that's
welcome.

Here I'd like to request comments from Sourabh, since he and other IBM
devs added the support to ppc too. Unlike a generic ARCH, IBM devs can
be seen as an end user; maybe we can hear how they evaluate the balance
between the risk and benefit.

Thanks
Baoquan
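
The index mix-up described in the quoted commit message, as an added example that is not part of the original message or the kernel source: a simplified C model of a digest loop that skips the elfcorehdr and purgatory segments. The function `covered()`, its parameters and the four-segment layouts are assumptions made for illustration.

```c
#include <stdio.h>

/*
 * Simplified model (assumption, not kernel code) of choosing which loaded
 * segments the SHA digest covers. i walks the input segments, j counts the
 * entries written to the output region list.
 * Returns a bitmask: bit n set means segment n is included in the digest.
 */
static unsigned covered(int nr_segments, int elfcorehdr_index,
                        int purgatory_index, int compare_output_index)
{
    unsigned mask = 0;
    int i, j;

    for (j = i = 0; i < nr_segments; i++) {
        /* Flawed form tests j (output slot); corrected form tests i. */
        int idx = compare_output_index ? j : i;

        if (idx == elfcorehdr_index)
            continue;   /* elfcorehdr is left out so hotplug can update it */
        if (i == purgatory_index)
            continue;   /* purgatory is never hashed */
        mask |= 1u << i;
        j++;            /* one more output region recorded */
    }
    return mask;
}

int main(void)
{
    /* Constructed layouts: 4 segments, elfcorehdr is segment 1. */
    printf("purgatory last,  j test: 0x%x\n", covered(4, 1, 3, 1));
    printf("purgatory last,  i test: 0x%x\n", covered(4, 1, 3, 0));
    printf("purgatory first, j test: 0x%x\n", covered(4, 1, 0, 1));
    printf("purgatory first, i test: 0x%x\n", covered(4, 1, 0, 0));
    return 0;
}
```

With the output-index test, j stops advancing once it equals the elfcorehdr index, so every later segment drops out of the digest; with purgatory first, segment 1 (the elfcorehdr) is hashed instead of skipped.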

