Date: Wed, 25 Nov 2015 10:54:08 -0800 From: Kees Cook <keescook@...omium.org> To: "H. Peter Anvin" <hpa@...or.com> Cc: Mathias Krause <minipli@...glemail.com>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Andy Lutomirski <luto@...capital.net>, Ingo Molnar <mingo@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, x86-ml <x86@...nel.org>, Arnd Bergmann <arnd@...db.de>, Michael Ellerman <mpe@...erman.id.au>, linux-arch <linux-arch@...r.kernel.org>, PaX Team <pageexec@...email.hu>, Emese Revfy <re.emese@...il.com> Subject: Re: [PATCH 0/2] introduce post-init read-only memory On Wed, Nov 25, 2015 at 9:31 AM, H. Peter Anvin <hpa@...or.com> wrote: > On 11/25/15 01:13, Mathias Krause wrote: >> >> While having that annotation makes perfect sense, not only from a >> security perspective but also from a micro-optimization point of view >> (much like the already existing __read_mostly annotation), it has its >> drawbacks. Violating the "r/o after init" rule by writing to such >> annotated variables from non-init code goes unnoticed as far as it >> concerns the toolchain. Neither the compiler nor the linker will flag >> that incorrect use. It'll just trap at runtime and that's bad. >> >> I myself had some educating experience seeing my machine triple fault >> when resuming from a S3 sleep. The root cause was a variable that was >> annotated __read_only but that was (unnecessarily) modified during CPU >> bring-up phase. Debugging that kind of problems is sort of a PITA, you >> could imagine. >> >> So, prior extending the usage of the __read_only annotation some >> toolchain support is needed. Maybe a gcc plugin that'll warn/error on >> code that writes to such a variable but is not __init itself. The >> initify and checker plugins from the PaX patch might be worth to look >> at for that purpose, as they're doing similar things already. Adding >> such a check to sparse might be worth it, too. >> A modpost check probably won't work as it's unable to tell if it's a >> legitimate access (r/o) or a violation (/w access). So the gcc plugin >> is the way to go, IMHO. >> > > We should not wait for compile-time support, that doesn't make any > sense. What would be useful would be a way to override this on the > command line -- that way, if disabling RO or RO-after-init memory makes > something work, we have an instant diagnosis. Seems easiest to have an arg just skip calling mark_rodata_ro(). I can add that. -Kees -- Kees Cook Chrome OS & Brillo Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.