Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 13 Nov 2018 21:01:43 +0200
From: Igor Stoppa <>
To: Andy Lutomirski <>
CC: Igor Stoppa <>, Kees Cook <>,
	Peter Zijlstra <>, Nadav Amit <>,
	Mimi Zohar <>, Matthew Wilcox <>,
	Dave Chinner <>, James Morris <>,
	"Michal Hocko" <>, Kernel Hardening
	<>, linux-integrity
	<>, LSM List
	<>, Dave Hansen
	<>, Jonathan Corbet <>, Laura Abbott
	<>, Randy Dunlap <>, Mike Rapoport
	<>, "open list:DOCUMENTATION"
	<>, LKML <>, "Thomas
 Gleixner" <>
Subject: Re: [PATCH 10/17] prmem: documentation

On 13/11/2018 20:35, Andy Lutomirski wrote:
> On Tue, Nov 13, 2018 at 10:26 AM Igor Stoppa <> wrote:


>> The high level API could be something like:
>> wr_memcpy(void *src, void *dst, uint_t size)


> If you call a wr_memcpy() function with the signature you suggested,
> then you can overwrite any memory of this type.  Having a different
> mm_struct under the hood makes no difference.  As far as I'm
> concerned, for *dynamically allocated* rare-writable memory, you might
> as well allocate all the paging structures at the same time, so the
> mm_struct will always contain the mappings.  If there are serious bugs
> in wr_memcpy() that cause it to write to the wrong place, we have
> bigger problems.

Beside bugs, I'm also thinking about possible vulnerability.
It might be overthinking, though.

I do not think it's possible to really protect against control flow
attacks, unless there is some support from the HW and/or the compiler.

What is left, are data-based attacks. In this case, it would be an
attacker using one existing wr_ invocation with doctored parameters.

However, there is always the objection that it would be possible to come
up with a "writing kit" for plowing through the page tables and
unprotect anything that might be of value.

Ideally, that should be the only type of data-based attack left.

In practice, it might just be an excess of paranoia from my side.

> I can imagine that we'd want a *typed* wr_memcpy()-like API some day,
> but that can wait for v2.  And it still doesn't obviously need
> multiple mm_structs.

I left that out, for now, but yes, typing would play some role here.


> I think it's entirely reasonable for the API to internally break up
> very large memcpys.

The criteria for deciding if/how to break it down is not clear to me,
though. The single page was easy, but might be (probably is) too much.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.