Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 13 Nov 2018 21:01:43 +0200
From: Igor Stoppa <igor.stoppa@...wei.com>
To: Andy Lutomirski <luto@...capital.net>
CC: Igor Stoppa <igor.stoppa@...il.com>, Kees Cook <keescook@...omium.org>,
	Peter Zijlstra <peterz@...radead.org>, Nadav Amit <nadav.amit@...il.com>,
	Mimi Zohar <zohar@...ux.vnet.ibm.com>, Matthew Wilcox <willy@...radead.org>,
	Dave Chinner <david@...morbit.com>, James Morris <jmorris@...ei.org>,
	"Michal Hocko" <mhocko@...nel.org>, Kernel Hardening
	<kernel-hardening@...ts.openwall.com>, linux-integrity
	<linux-integrity@...r.kernel.org>, LSM List
	<linux-security-module@...r.kernel.org>, Dave Hansen
	<dave.hansen@...ux.intel.com>, Jonathan Corbet <corbet@....net>, Laura Abbott
	<labbott@...hat.com>, Randy Dunlap <rdunlap@...radead.org>, Mike Rapoport
	<rppt@...ux.vnet.ibm.com>, "open list:DOCUMENTATION"
	<linux-doc@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, "Thomas
 Gleixner" <tglx@...utronix.de>
Subject: Re: [PATCH 10/17] prmem: documentation



On 13/11/2018 20:35, Andy Lutomirski wrote:
> On Tue, Nov 13, 2018 at 10:26 AM Igor Stoppa <igor.stoppa@...wei.com> wrote:

[...]

>> The high level API could be something like:
>>
>> wr_memcpy(void *src, void *dst, uint_t size)

[...]

> If you call a wr_memcpy() function with the signature you suggested,
> then you can overwrite any memory of this type.  Having a different
> mm_struct under the hood makes no difference.  As far as I'm
> concerned, for *dynamically allocated* rare-writable memory, you might
> as well allocate all the paging structures at the same time, so the
> mm_struct will always contain the mappings.  If there are serious bugs
> in wr_memcpy() that cause it to write to the wrong place, we have
> bigger problems.

Beside bugs, I'm also thinking about possible vulnerability.
It might be overthinking, though.

I do not think it's possible to really protect against control flow
attacks, unless there is some support from the HW and/or the compiler.

What is left, are data-based attacks. In this case, it would be an
attacker using one existing wr_ invocation with doctored parameters.

However, there is always the objection that it would be possible to come
up with a "writing kit" for plowing through the page tables and
unprotect anything that might be of value.

Ideally, that should be the only type of data-based attack left.

In practice, it might just be an excess of paranoia from my side.

> I can imagine that we'd want a *typed* wr_memcpy()-like API some day,
> but that can wait for v2.  And it still doesn't obviously need
> multiple mm_structs.

I left that out, for now, but yes, typing would play some role here.

[...]

> I think it's entirely reasonable for the API to internally break up
> very large memcpys.

The criteria for deciding if/how to break it down is not clear to me,
though. The single page was easy, but might be (probably is) too much.

--
igor

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.