Re: [PATCH 03/12] __wr_after_init: generic header

From: Igor Stoppa
Date: Sat Dec 22 2018 - 21:29:36 EST

Next message: David Miller: "Re: [PATCH] net: core: Fix Spectre v1 vulnerability"
Previous message: kernel test robot: "[debugfs] a1e6b3dc1c: WARNING:at_fs/inode.c:#drop_nlink"
In reply to: Matthew Wilcox: "Re: [PATCH 03/12] __wr_after_init: generic header"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 21/12/2018 21:45, Matthew Wilcox wrote:

On Fri, Dec 21, 2018 at 11:38:16AM -0800, Nadav Amit wrote:

On Dec 19, 2018, at 1:33 PM, Igor Stoppa <igor.stoppa@xxxxxxxxx> wrote:

+static inline void *wr_memset(void *p, int c, __kernel_size_t len)
+{
+ return __wr_op((unsigned long)p, (unsigned long)c, len, WR_MEMSET);
+}

What do you think about doing something like:

#define __wr __attribute__((address_space(5)))

And then make all the pointers to write-rarely memory to use this attribute?
It might require more changes to the code, but can prevent bugs.

I like this idea. It was something I was considering suggesting.

I have been thinking about this sort of problem, although from a bit different angle:

1) enforcing alignment for pointers
This can be implemented in similar way, by creating a multi-attribute that would define section, address space, like said here, and alignment.
However I'm not sure if it's possible to do anything to enforce the alignment of a pointer field within a structure. I haven't had time to look into this yet.

2) validation of the correctness of the actual value
Inside the kernel code, a function is not supposed to sanitize its arguments, as long as they come from some other trusted part of the kernel, rather than say from userspace or from some HW interface.
However,ROP/JOP should be considered.

I am aware of various efforts to make it harder to exploit these techniques, like signed pointers, CFI plugins, LTO.

But they are not necessarily available on every platform and mostly, afaik, they focus on specific type of attacks.

LTO can help with global optimizations, for example inlining functions across different objects.

CFI can detect jumps in the middle of a function, rather than proper function invocation, from its natural entry point.

Signed pointers can prevent data-based attacks to the execution flow, and they might have a role in preventing the attack I have in mind, but they are not available on all platforms.

What I'd like to do, is to verify, at runtime, that the pointer belongs to the type that the receiving function is meant for.

Ex: a legitimate __wr_after_init data must exist between __start_wr_after_init and __end_wr_after_init

That is easier and cleaner to test, imho.

But dynamically allocated memory doesn't have any such constraint.
If it was possible to introduce, for example, a flag to pass to vmalloc, to get the vmap_area from within a specific address range, it would reduce the attack surface.

In the implementation I have right now, I'm using extra flags for the pmalloc pages, which means the metadata is the new target for an attack.

But with adding the constraint that a dynamically allocated protected memory page must be within a range, then the attacker must change the underlying PTE. And if a region of PTEs are all part of protected memory, it is possible to make the PMD write rare.

--
igor

Next message: David Miller: "Re: [PATCH] net: core: Fix Spectre v1 vulnerability"
Previous message: kernel test robot: "[debugfs] a1e6b3dc1c: WARNING:at_fs/inode.c:#drop_nlink"
In reply to: Matthew Wilcox: "Re: [PATCH 03/12] __wr_after_init: generic header"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]