Re: [PATCH v8] RO/NX protection for loadable kernel modules

From: Siarhei Liakh
Date: Tue Feb 02 2010 - 23:07:27 EST

Next message: Bill Gatliff: "Re: [PWM PATCH 0/5] Implements a common PWM API"
Previous message: Michael Breuer: "Re: [PATCH] sky2: receive dma mapping error handling"
In reply to: Andi Kleen: "Re: [PATCH v8] RO/NX protection for loadable kernel modules"
Next in thread: Rusty Russell: "Re: [PATCH v8] RO/NX protection for loadable kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 2, 2010 at 6:05 PM, Andi Kleen <andi@xxxxxxxxxxxxxx> wrote:

> My current kernel has 52 modules loaded, most of them very small.
> Assuming the additional alignment of the data section cost two more
> pages on average (I think that's a good assumption), that's roughly
> 424KB of additional memory, plus associated runtime costs in increased
> TLB usage.

You are right about the additional memory consumption with this option
enabled. In worst case scenario, a one-page module will get split into
3 pages. This might be a significant and unwelcome increase in some
cases (embedded systems come to mind) and that is why this is
implemented as compile-time option.
However, on a general run-of-the-mill system the impact is not that
significant. Case in point: I run Ubuntu 9.04 amd x86_64 with stock
kernel on a generic AMD box. There are 111 modules loaded for all the
hardware in the box and all the functions that it provides (regular
consumer-grade hardware, but definitely not a typical home desktop
setup). In total, 111 modules consume 15590884 bytes, with no module
less then 10KB. After eliminating top 3 memory hogs (nvidia@8MB,
vboxdrv@xxxxx and snd_hda_intel@xxxxx) we left with 5007532 bytes, 108
modules and nfs leading the list at 300KB. Assuming the worst-case
scenario of 2 additional pages per module, we get
(5007532+108*8192)/5007532 = 1.18 - only 18%. In addition, most
modules already have some unused space left at the end of the last
page and some padding in the middle for page/cache-aligned data. With
that in mind, it looks to me that typical overhead will be about 1
page per module (9% for the case above, although I have no solid
statistics to back this up).

> What would I get for that if I applied the patch and enabled the option?

With this patch you get strict separation of code, RO-data and RW-data
in LKMs. This will prevent all attempts (intentional or erroneous) to
modify code and RO-data, while keeping all data non-executable. While
not targeted to prevent any specific exploit, this patch does improve
general kernel security. When combined with the other two patches I
have submitted (RW+NX for first megabyte and NX for static kernel
data), this patch set completely eliminates kernel pages with
executable data and modifiable code.

> Did you find any bugs with this option?

Well, so far I did not find any bugs in the last version of the patch,
but it definitely breaks any module that uses self-modifying code or
data execution.
An issue with ftrace have been reported earlier and fixed in V7.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Bill Gatliff: "Re: [PWM PATCH 0/5] Implements a common PWM API"
Previous message: Michael Breuer: "Re: [PATCH] sky2: receive dma mapping error handling"
In reply to: Andi Kleen: "Re: [PATCH v8] RO/NX protection for loadable kernel modules"
Next in thread: Rusty Russell: "Re: [PATCH v8] RO/NX protection for loadable kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]