Received: by 10.213.65.68 with SMTP id h4csp922389imn;
        Wed, 14 Mar 2018 04:25:47 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtZrcklmXSLzS6V1A9dFC2jtjp7PbGS6Ug0RGIodUbQvIRB3LjlG4Eh/dXqP0c0H4BtXbtU
X-Received: by 10.99.160.17 with SMTP id r17mr3395516pge.127.1521026746974;
        Wed, 14 Mar 2018 04:25:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521026746; cv=none;
        d=google.com; s=arc-20160816;
        b=iaXS2NlioxSIJ6LPBPbi7G+JJsl74acP3vKWPNPbb27gJtK4EkOYCvUT2aS6INEaun
         kz+4pC8+T2jP0RpLn6V33gFRyH57/wvmM48UZ8QTZ/jkdhfV5JsN8rjmL/v3iAq5VPN8
         +e4hItSKeqPYk5RMcKle8Gb612dh7m8tOpxJTJvaV48hCTFGZBY1m6gVZjsk/Hq1+GCp
         023dLtEA8942mHfdiHRU9w8UTuXKOLARLMLfr+uryi6QSXiDO4bSTIVsv6ozdTeIazND
         7UQGevLJQs9IDSO7Nfq71fH+5yAw1foMG0ERXOCvmHriaE1tma8COB2WYF3sCNoXNRsv
         Hk0g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=pKBLWECLFOdJT8TcnI43il2j5id38rPAAP496rsd99o=;
        b=WA7F+DvHjkmr5/qExiApv/6N7E9iES8aYCexnbxdBIOKwTNyl5S40aBMez5tCT4Gf1
         b+EUSdrYj8QiTx1Gi7xivTOPtRLNohSkfRQ55GP6BQ7T24nseNlv0fQSkhHow3l2Lk8h
         D9VhZo4DatARIPTZZ2mRDrzQNJSAwbxBjJkxYRfAxWL4w0nrH9zPLzIoBTzGNXh61Ugh
         j1p+8dg4b+6985lIbdFY7l5bOxqTTO65gOElf7NqbyzylGd/Ko4n1IbK3sFIyVGQfJuk
         jnX4zHf6qjUp2Aaro2dMnKL/bYMrMDklV/4jfF4lYtlMC9f1UCr+zEezwa9nOs0kYZnv
         +9Iw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a13si1669264pgt.344.2018.03.14.04.25.27;
        Wed, 14 Mar 2018 04:25:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751556AbeCNLWp (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Wed, 14 Mar 2018 07:22:45 -0400
Received: from lhrrgout.huawei.com ([194.213.3.17]:29322 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1750974AbeCNLWn (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Mar 2018 07:22:43 -0400
Received: from LHREML711-CAH.china.huawei.com (unknown [172.18.7.108])
        by Forcepoint Email with ESMTP id 0FE08FDE28845;
        Wed, 14 Mar 2018 11:22:39 +0000 (GMT)
Received: from [10.122.225.51] (10.122.225.51) by smtpsuk.huawei.com
 (10.201.108.34) with Microsoft SMTP Server (TLS) id 14.3.382.0; Wed, 14 Mar
 2018 11:22:39 +0000
Subject: Re: [RFC PATCH v19 0/8] mm: security: ro protection for dynamic data
To:     <willy@infradead.org>, <keescook@chromium.org>
CC:     <david@fromorbit.com>, <rppt@linux.vnet.ibm.com>,
        <mhocko@kernel.org>, <labbott@redhat.com>,
        <linux-security-module@vger.kernel.org>, <linux-mm@kvack.org>,
        <linux-kernel@vger.kernel.org>,
        <kernel-hardening@lists.openwall.com>
References: <20180313214554.28521-1-igor.stoppa@huawei.com>
From:   Igor Stoppa <igor.stoppa@huawei.com>
Message-ID: <a9bfc57f-1591-21b6-1676-b60341a2fadd@huawei.com>
Date:   Wed, 14 Mar 2018 13:21:54 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <20180313214554.28521-1-igor.stoppa@huawei.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.122.225.51]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 13/03/18 23:45, Igor Stoppa wrote:

[...]

Some more thoughts about the open topics:

> Discussion topics that are unclear if they are closed and would need
> comment from those who initiated them, if my answers are accepted or not:
> 
> * @Kees Cook proposed to have first self testing for genalloc, to
>   validate the following patch, adding tracing of allocations
>   My answer was that such tests would also need patching, therefore they 
>   could not certify that the functionality is corect both before and
>   after the genalloc bitmap modification.

This is the only one where I still couldn't find a solution.
If Matthew Wilcox's proposal about implementing the the genalloc bitmap
would work, then this too could be done, but I think this alternate
bitmap proposed has problems. More on it below.

> * @Kees Cook proposed to turn the self testing into modules.
>   My answer was that the functionality is intentionally tested very early
>   in the boot phase, to prevent unexplainable errors, should the feature
>   really fail.

This could be workable, if it's acceptable that the early testing is
performed only when the module is compiled in.
I do not expect the module-based testing to bring much value, but it
doesn't do harm. Is this acceptable?

> * @Matthew Wilcox proposed to use a different mechanism for the genalloc
>   bitmap: 2 bitmaps, one for occupation and one for start.
>   And possibly use an rbtree for the starts.
>   My answer was that this solution is less optimized, because it scatters
>   the data of one allocation across multiple words/pages, plus is not
>   a transaction anymore. And the particular distribution of sizes of
>   allocation is likely to eat up much more memory than the bitmap.

I think I can describe a scenario where the split bitmaps would not work
(based on my understanding of the proposal), but I would appreciate a
review. Here it is:

* One allocation (let's call it allocation A) is already present in both
bitmaps:
  - its units of allocation are marked in the "space" bitmap
  - its starting bit is marked in the "starts" bitmap

* Another allocation (let's call it allocation B) is undergoing:
  - some of its units of allocation (starting from the beginning) are
    marked in the "space" bitmap
  - the starting bit is *not* yet marked in the "starts" bitmap

* B occupies the space immediately after A

* While B is being written, A is freed

* Having to determine the length of A, the "space" bitmap will be
  searched, then the "starts" bitmap


The space initially allocated for B will be wrongly accounted for A,
because there is no empty gap in-between and the beginning of B is not
yet marked.

The implementation which interleaves "space" and "start" does not suffer
from this sort of races, because the alteration of the interleaved
bitmaps is atomic.

However, at the very least, some more explanation is needed in the
documentation/code, because this scenario is not exactly obvious.

Does this justification for the use of interleaved bitmaps (iow the
current implementation) make sense?

--
igor