Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 25 Nov 2015 10:54:08 -0800
From: Kees Cook <>
To: "H. Peter Anvin" <>
Cc: Mathias Krause <>, 
	"" <>, 
	"" <>, Andy Lutomirski <>, 
	Ingo Molnar <>, Thomas Gleixner <>, x86-ml <>, 
	Arnd Bergmann <>, Michael Ellerman <>, 
	linux-arch <>, PaX Team <>, 
	Emese Revfy <>
Subject: Re: [PATCH 0/2] introduce post-init read-only memory

On Wed, Nov 25, 2015 at 9:31 AM, H. Peter Anvin <> wrote:
> On 11/25/15 01:13, Mathias Krause wrote:
>> While having that annotation makes perfect sense, not only from a
>> security perspective but also from a micro-optimization point of view
>> (much like the already existing __read_mostly annotation), it has its
>> drawbacks. Violating the "r/o after init" rule by writing to such
>> annotated variables from non-init code goes unnoticed as far as it
>> concerns the toolchain. Neither the compiler nor the linker will flag
>> that incorrect use. It'll just trap at runtime and that's bad.
>> I myself had some educating experience seeing my machine triple fault
>> when resuming from a S3 sleep. The root cause was a variable that was
>> annotated __read_only but that was (unnecessarily) modified during CPU
>> bring-up phase. Debugging that kind of problems is sort of a PITA, you
>> could imagine.
>> So, prior extending the usage of the __read_only annotation some
>> toolchain support is needed. Maybe a gcc plugin that'll warn/error on
>> code that writes to such a variable but is not __init itself. The
>> initify and checker plugins from the PaX patch might be worth to look
>> at for that purpose, as they're doing similar things already. Adding
>> such a check to sparse might be worth it, too.
>> A modpost check probably won't work as it's unable to tell if it's a
>> legitimate access (r/o) or a violation (/w access). So the gcc plugin
>> is the way to go, IMHO.
> We should not wait for compile-time support, that doesn't make any
> sense.  What would be useful would be a way to override this on the
> command line -- that way, if disabling RO or RO-after-init memory makes
> something work, we have an instant diagnosis.

Seems easiest to have an arg just skip calling mark_rodata_ro(). I can add that.


Kees Cook
Chrome OS & Brillo Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.