Received: by 10.223.176.5 with SMTP id f5csp1000398wra; Sat, 3 Feb 2018 15:37:32 -0800 (PST) X-Google-Smtp-Source: AH8x227/lMHSqvUMkNEwTC1xeyDPwviJ7xn1f+eoRb10xV5JvXcQstiiuj0vbDpM70I8YmlzktzJ X-Received: by 10.99.8.198 with SMTP id 189mr1569345pgi.88.1517701052336; Sat, 03 Feb 2018 15:37:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517701052; cv=none; d=google.com; s=arc-20160816; b=yTMpwie3bZs5n9qAz6lc9tg76aNySNry/gKOgyMri2N+PLoDuOxYy2sFjLP1WutUfV 0khc+0ydTBJZ4ogh++OMvCQ3Vji3dJTGx0cXqzA3HK33znC4QiS5TYZ1bog4EwgdDRKJ ElM3KHXRrXHSMyiWAve6isejqsQ0zoIFEtYBXnkPHJnTE8tynDm5PUAaGW0loBpm5DxT oVmfjhQyn8lLzW5bIDOggdKA2qdeM8yl8BhdQ4aIO0/RfzWMwVnM8QVARYKabRqXI3kW lFAJ9BzwyeDMm8ITEljDw+5b6T0GgAOd30+rpsY5okKYWASMrLA+X+iIb7SSfBfagZ3s gFhg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=inS5AXAdYyf3YEa+7TnPen0jsmTDZ8FdpH3FbMAO1ms=; b=Ltgc2pZFPplZ17C4NWre1sqE63cj6oMbS0p+D6drJrCNW++Vq7u7//y9o0tCnT4Jra WzWeC4jIMxZSuNhk3Monx0D1J6wbDzqcpuTMDW5NcJN1O9TX8Pf1TFcpHJO/Oyk6dUaq 0iokBRc0LQng4RU0NDQn0gNNom81JHYynL4JOwJl1EAURIFgyk8Xcd0vjlZLe2Gg1b3Z hSewfe65ih6EUUZBcvr8ajLwihPInX65QItThf4oFGdJ7kjIUQXyifnhtE3F9HuACfF+ 46suxs2QR8l3R7Bt3+9wHrrQL28i37bKUvAxfusdeGYP11btGTctljYD+IUIyfHCjW6O CWaQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z184si223002pgd.819.2018.02.03.15.37.17; Sat, 03 Feb 2018 15:37:32 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753664AbeBCUdS (ORCPT + 99 others); Sat, 3 Feb 2018 15:33:18 -0500 Received: from lhrrgout.huawei.com ([194.213.3.17]:24963 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752777AbeBCUdM (ORCPT ); Sat, 3 Feb 2018 15:33:12 -0500 Received: from LHREML714-CAH.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 7BF438FC4B791; Sat, 3 Feb 2018 20:32:58 +0000 (GMT) Received: from [10.122.225.51] (10.122.225.51) by smtpsuk.huawei.com (10.201.108.37) with Microsoft SMTP Server (TLS) id 14.3.361.1; Sat, 3 Feb 2018 20:32:55 +0000 Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory To: Boris Lukashev CC: Christopher Lameter , Matthew Wilcox , Jann Horn , Jerome Glisse , Kees Cook , Michal Hocko , Laura Abbott , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , "Kernel Hardening" References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> From: Igor Stoppa Message-ID: <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> Date: Sat, 3 Feb 2018 22:32:48 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.122.225.51] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/02/18 22:12, Boris Lukashev wrote: > Regarding the notion of validated protected memory, is there a method > by which the resulting checksum could be used in a lookup > table/function to resolve the location of the protected data? What I have in mind is a checksum at page/vmap_area level, so there would be no 1:1 mapping between a specific allocation and the checksum. An extreme case would be the one where an allocation crosses one or more page boundaries, while the checksum refers to a (partially) overlapping memory area. Code accessing a pool could perform one (relatively expensive) validation. But still something that would require a more sophisticated attack, to subvert. > Effectively a hash table of protected allocations, with a benefit of > dedup since any data matching the same key would be the same data > (multiple identical cred structs being pushed around). Should leave > the resolver address/csum in recent memory to check against, right? I see where you are trying to land, but I do not see how it would work without a further intermediate step. pmalloc dishes out virtual memory addresses, when called. It doesn't know what the user of the allocation will put in it. The user, otoh, has the direct address of the memory it got. What you are suggesting, if I have understood it correctly, is that, when the pool is protected, the addresses already given out, will become traps that get resolved through a lookup table that is built based on the content of each allocation. That seems to generate a lot of overhead, not to mention the fact that it might not play very well with the MMU. If I misunderstood, then I'd need a step by step description of what happens, because it's not clear to me how else the data would be accessed if not through the address that was obtained when pmalloc was invoked. -- igor