Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754111AbbK0IGW (ORCPT ); Fri, 27 Nov 2015 03:06:22 -0500 Received: from mail-wm0-f45.google.com ([74.125.82.45]:33818 "EHLO mail-wm0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754071AbbK0IF6 (ORCPT ); Fri, 27 Nov 2015 03:05:58 -0500 Date: Fri, 27 Nov 2015 09:05:54 +0100 From: Ingo Molnar To: PaX Team , Linus Torvalds Cc: kernel-hardening@lists.openwall.com, Mathias Krause , "linux-kernel@vger.kernel.org" , Kees Cook , Andy Lutomirski , Ingo Molnar , Thomas Gleixner , "H. Peter Anvin" , x86-ml , Arnd Bergmann , Michael Ellerman , linux-arch@vger.kernel.org, Emese Revfy Subject: Re: [kernel-hardening] [PATCH 0/2] introduce post-init read-only memory Message-ID: <20151127080554.GB24991@gmail.com> References: <1448401114-24650-1-git-send-email-keescook@chromium.org> <5656D779.17137.12A1EA53@pageexec.freemail.hu> <20151126104229.GA8530@gmail.com> <5656F7A2.738.131F89C0@pageexec.freemail.hu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5656F7A2.738.131F89C0@pageexec.freemail.hu> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2402 Lines: 57 * PaX Team wrote: > On 26 Nov 2015 at 11:42, Ingo Molnar wrote: > > > * PaX Team wrote: > > > > > On 26 Nov 2015 at 9:54, Ingo Molnar wrote: > > > > > e.g., imagine that the write was to a function pointer (even an entire ops > > > structure) or a boolean that controls some important feature for after-init > > > code. ignoring/dropping such writes could cause all kinds of logic bugs (if not > > > worse). > > > > Well, the typical case is that it's a logic bug to _do_ the write: the structure > > was marked readonly for a reason but some init code re-runs during suspend or so. > > that's actually not the typical case in my experience, but rather these two: > > 1. initial mistake: someone didn't actually check whether the given object can > be __read_only > > 2. code evolution: an object that was once written by __init code only (and > thus proactively subjected to __read_only) gets modified by non-init code > due to later changes > > what you described above is a third case where there's a latent bug to begin > (unintended write) with that __read_only merely exposes but doesn't create > itself, unlike the two cases above (intended writes getting caught by wrong use > of __read_only). You are right, I concede this part of the argument - what you describe is probably the most typical way to get ro-faults. I do maintain the (sub-)argument that oopsing or relying on tooling help years down the line is vastly inferior to fixing up the problem and generating a one-time stack dump so that kernel developers have a chance to fix the bug. The sooner we detect and dump such information the more likely it is that such bugs don't get into end user kernel versions. > my proposal would produce the exact same reports, the difference is in letting > the write attempt succeed vs. skipping it. this latter step is what is wrong > since it introduces at least a logic bug the same way the constprop optimization > created a logic bug. Yes, you are right and I agree. Does anyone want to submit such a patch for upstream? Looks like a good change. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/