|
Message-ID: <12b6232f-ac3d-c74c-5f9e-d84905c39f0a@huawei.com> Date: Tue, 13 Nov 2018 21:01:43 +0200 From: Igor Stoppa <igor.stoppa@...wei.com> To: Andy Lutomirski <luto@...capital.net> CC: Igor Stoppa <igor.stoppa@...il.com>, Kees Cook <keescook@...omium.org>, Peter Zijlstra <peterz@...radead.org>, Nadav Amit <nadav.amit@...il.com>, Mimi Zohar <zohar@...ux.vnet.ibm.com>, Matthew Wilcox <willy@...radead.org>, Dave Chinner <david@...morbit.com>, James Morris <jmorris@...ei.org>, "Michal Hocko" <mhocko@...nel.org>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, linux-integrity <linux-integrity@...r.kernel.org>, LSM List <linux-security-module@...r.kernel.org>, Dave Hansen <dave.hansen@...ux.intel.com>, Jonathan Corbet <corbet@....net>, Laura Abbott <labbott@...hat.com>, Randy Dunlap <rdunlap@...radead.org>, Mike Rapoport <rppt@...ux.vnet.ibm.com>, "open list:DOCUMENTATION" <linux-doc@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, "Thomas Gleixner" <tglx@...utronix.de> Subject: Re: [PATCH 10/17] prmem: documentation On 13/11/2018 20:35, Andy Lutomirski wrote: > On Tue, Nov 13, 2018 at 10:26 AM Igor Stoppa <igor.stoppa@...wei.com> wrote: [...] >> The high level API could be something like: >> >> wr_memcpy(void *src, void *dst, uint_t size) [...] > If you call a wr_memcpy() function with the signature you suggested, > then you can overwrite any memory of this type. Having a different > mm_struct under the hood makes no difference. As far as I'm > concerned, for *dynamically allocated* rare-writable memory, you might > as well allocate all the paging structures at the same time, so the > mm_struct will always contain the mappings. If there are serious bugs > in wr_memcpy() that cause it to write to the wrong place, we have > bigger problems. Beside bugs, I'm also thinking about possible vulnerability. It might be overthinking, though. I do not think it's possible to really protect against control flow attacks, unless there is some support from the HW and/or the compiler. What is left, are data-based attacks. In this case, it would be an attacker using one existing wr_ invocation with doctored parameters. However, there is always the objection that it would be possible to come up with a "writing kit" for plowing through the page tables and unprotect anything that might be of value. Ideally, that should be the only type of data-based attack left. In practice, it might just be an excess of paranoia from my side. > I can imagine that we'd want a *typed* wr_memcpy()-like API some day, > but that can wait for v2. And it still doesn't obviously need > multiple mm_structs. I left that out, for now, but yes, typing would play some role here. [...] > I think it's entirely reasonable for the API to internally break up > very large memcpys. The criteria for deciding if/how to break it down is not clear to me, though. The single page was easy, but might be (probably is) too much. -- igor
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.