Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory

From: Kees Cook
Date: Wed Nov 25 2015 - 13:54:21 EST

Next message: Dan Williams: "Re: [PATCH v2 2/2] restrict /dev/mem to idle io memory ranges"
Previous message: Sinan Kaya: "[PATCH V6] acpi: add support for extended IRQ to PCI link"
In reply to: H. Peter Anvin: "Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory"
Next in thread: H. Peter Anvin: "Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Nov 25, 2015 at 9:31 AM, H. Peter Anvin <hpa@xxxxxxxxx> wrote:
> On 11/25/15 01:13, Mathias Krause wrote:
>>
>> While having that annotation makes perfect sense, not only from a
>> security perspective but also from a micro-optimization point of view
>> (much like the already existing __read_mostly annotation), it has its
>> drawbacks. Violating the "r/o after init" rule by writing to such
>> annotated variables from non-init code goes unnoticed as far as it
>> concerns the toolchain. Neither the compiler nor the linker will flag
>> that incorrect use. It'll just trap at runtime and that's bad.
>>
>> I myself had some educating experience seeing my machine triple fault
>> when resuming from a S3 sleep. The root cause was a variable that was
>> annotated __read_only but that was (unnecessarily) modified during CPU
>> bring-up phase. Debugging that kind of problems is sort of a PITA, you
>> could imagine.
>>
>> So, prior extending the usage of the __read_only annotation some
>> toolchain support is needed. Maybe a gcc plugin that'll warn/error on
>> code that writes to such a variable but is not __init itself. The
>> initify and checker plugins from the PaX patch might be worth to look
>> at for that purpose, as they're doing similar things already. Adding
>> such a check to sparse might be worth it, too.
>> A modpost check probably won't work as it's unable to tell if it's a
>> legitimate access (r/o) or a violation (/w access). So the gcc plugin
>> is the way to go, IMHO.
>>
>
> We should not wait for compile-time support, that doesn't make any
> sense. What would be useful would be a way to override this on the
> command line -- that way, if disabling RO or RO-after-init memory makes
> something work, we have an instant diagnosis.

Seems easiest to have an arg just skip calling mark_rodata_ro(). I can add that.

-Kees

--
Kees Cook
Chrome OS & Brillo Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dan Williams: "Re: [PATCH v2 2/2] restrict /dev/mem to idle io memory ranges"
Previous message: Sinan Kaya: "[PATCH V6] acpi: add support for extended IRQ to PCI link"
In reply to: H. Peter Anvin: "Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory"
Next in thread: H. Peter Anvin: "Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]