Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Oct 2017 12:19:14 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Jordan Glover <Golden_Miller83@...tonmail.ch>
Cc: "Tobin C. Harding" <me@...in.cc>, Greg KH <gregkh@...uxfoundation.org>, 
	Petr Mladek <pmladek@...e.com>, Joe Perches <joe@...ches.com>, Ian Campbell <ijc@...lion.org.uk>, 
	Sergey Senozhatsky <sergey.senozhatsky@...il.com>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	Catalin Marinas <catalin.marinas@....com>, Will Deacon <will.deacon@....com>, 
	Steven Rostedt <rostedt@...dmis.org>, William Roberts <william.c.roberts@...el.com>, 
	Chris Fries <cfries@...gle.com>, Dave Weinstein <olorin@...gle.com>
Subject: Re: [RFC V2 0/6] add more kernel pointer filter options

On Wed, Oct 4, 2017 at 11:58 AM, Jordan Glover
<Golden_Miller83@...tonmail.ch> wrote:
> If we knew where those leaks are hiding they will be fixed already. The only
> thing we knew is that bugs/leaks are there. It's always better to just fix
> all the code but it isn't realistic.

Honestly, what's the difference between setting kptr_restrict to 4 and
just using a sed-script (or maybe some coccinelle) to remove all
existing plain %p users?

One just hides the issue and will make people work around it (likely
on a global level by just undoing it).

The other would *also* make people work around it for when they notice
breakage, but would actually force people to do it on a case-by-case
basis (and thus hopefully _properly_) rather than just setting
kptr_restrict back to 0.

Btw, this is *not* a theoretical argument.

WE HAVE BEEN HERE, DONE THIS!

kptr_restrict goes back to 6+ years ago, and was actually initially
set to a restrictive value. It got undone, exactly because it caused
problems. It's too big of a hammer, and it's too *broken* of a hammer.

And exactly because kptr_restrict was pretty much an "all or nothing"
thing, absolutely *NOTHING* has improved in the 6+ years since it was
introduced.

We have had improvements in our pointer printing that were _not_
related to kptr_restrict, though, See for example commit bb5e5ce545f2
("x86/dumpstack: Remove kernel text addresses from stack dump").

Those have actually been _real_ fixes for leaking things, unlike kptr_restrict.

This is why I maintain that kptr_restrict is bad. It's a badly thought
out interface. It's wrong.

We know it is crap, exactly because we've already been there. The
whole notion of a global switch is seriously mis-designed.

So I really do think that it would be better to just write a script to
get rid of all raw %p users, and then put the ones that are needed
(hopefully very few) back.

It wouldn't require odd new magic sequences to override "I actually
_do_ want %p".

              Linus

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.