Received: by 2002:a17:90a:37a3:0:0:0:0 with SMTP id v32csp746352pjb; Fri, 21 Jun 2019 07:57:25 -0700 (PDT) X-Google-Smtp-Source: APXvYqy3SggR5X+OFMjjpEMA+0Of/DVDH/ogljnAwP9XyaAxeqUWDSdT6hxJORxK2KdN+3QKIOow X-Received: by 2002:a63:2326:: with SMTP id j38mr19232679pgj.134.1561129045794; Fri, 21 Jun 2019 07:57:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561129045; cv=none; d=google.com; s=arc-20160816; b=ASY8ExYZ83XDCPCHEYDEzKvcwZodwcdMwUgoZQzdvNwsTiUVCoE6bkQpDoOkhVWKJp UR7zxD7NzUAKea4vgL3CXGNntaG/M9Qgy2xj+0xjH5P09ukaQakLw3/crZ50AhYnh7vD w6HzIQSXGdBo/Hod9SKTKvrCYXblMZ8ogEB9fWWtGIvmET36e0WmZ3Wge5DlmPdlLVnU 2Op5K0BLCvfLM6CYmdUjEuEW8VNJS4yMvhlaPDphVlb58SJwY0FSPhmuxwI3QfqGnwCZ CCUr1JW2Qt+pJCWoRyjwHZwrY4pHpPFKmqzroutXOpPhK4UUTmFvc5xwj760Xa6iNd7j A3ew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature; bh=Y2jSEi8sxGbtd9XqToa9O5z6ODlBTruzPgaOmq/wTns=; b=QxiQelwSErHSKi9P0bn4L8+0xSzFlUjHjj8TzBFu4WxUlrlx+04N99B0nYzUKNuWXq +Mg/MWr6H4FhY5Gr3Y1vPGkqAYcRsJAP6jffB70DmduN6wbwzyiTRj/2LlvVmfkp4XH7 0qmPDhFWcQZpfq5v7xM8rTCppab6pn7jcNACGCiNo699kvwpvL4P4r4OMr4S8E2f0lMt dQOThATjvab5Z+E8246KfE/GMqH/fabgFvW4aCCSR+4d8gOMuQmPmr7czbJgxfPJwdnU G6IBvDf3ltUVIigQu2gFoTve9xnO/lJdnmTL3igIThkQtIcL9ZoIoCorqO2sMX+z4kXL JZwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lca.pw header.s=google header.b=gYgr6uvq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d6si2846581pfc.139.2019.06.21.07.57.10; Fri, 21 Jun 2019 07:57:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@lca.pw header.s=google header.b=gYgr6uvq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726388AbfFUO4L (ORCPT + 99 others); Fri, 21 Jun 2019 10:56:11 -0400 Received: from mail-qk1-f195.google.com ([209.85.222.195]:36217 "EHLO mail-qk1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726010AbfFUO4K (ORCPT ); Fri, 21 Jun 2019 10:56:10 -0400 Received: by mail-qk1-f195.google.com with SMTP id g18so4642845qkl.3 for ; Fri, 21 Jun 2019 07:56:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lca.pw; s=google; h=message-id:subject:from:to:cc:date:in-reply-to:references :mime-version:content-transfer-encoding; bh=Y2jSEi8sxGbtd9XqToa9O5z6ODlBTruzPgaOmq/wTns=; b=gYgr6uvq3e99g5z1DITZTTDDikIDoeGMeREh38wawLs+nFJeAz5Xqj77bM3E910xFY +ZAljwkmUjsGIH1/zKjIY5Kt5vwDNvzTLF+OcYMgBOPGNGMmofaJuh9npl22zdMgU63z 3VlBAKlSAzMm5bCEcaus7JH8AgTRPo9UiWQCTdh/hVUITLZsbCXOTUiA+KSsvcKnLeyw XWPY1KH2xf6Q/jSvqhmfHPlR+HqqngalxnndIi1832DfEBUWObiL0psTtreV3quiOdlH ds245fuvJ0nzAOKfIhEQfnP9gyLRKZbx2fRQhzQ61g+3/XorYHntg8sYaq9p6YCu+GZx oO9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=Y2jSEi8sxGbtd9XqToa9O5z6ODlBTruzPgaOmq/wTns=; b=QmHzN8bozqIkuVISpN2tDuyiaCsmix5rbDMTVDlvTiR/2a8ygrIwU3j+xF0YacDiwz 7NrqPjw+EtrjU/kJ/u7oH+RNK/KeUvR4rP2ns69majW1MrLrPnk/IphS8s0vIyP2SnJv GOnt7gIBU2PDKNgm7/Q0TVJvj/4EigD4MX8UiJGLvokQIvwIwYm+TwNGKRfgRyqYQceG vT6+lE8Y/ha67MsBonp5/wYeueLCIyuSTNZfA2gfh5glfZihS4H6aucvM+Vmp2hlfkkD sQUxcn2SOVRsIzQIm8w08w4A+svJXOAR60VDJZrJcCaKK+7MSCo8w1B6kGaGPAPuDXUn lukw== X-Gm-Message-State: APjAAAXYO8MDjf1tfHdIX57xaiGDdbZvv5L9KMEKYs4VDVmCXwrY4hEd HdX3On3ufyQQ0Ucvr39zjKQtRQ== X-Received: by 2002:a37:680e:: with SMTP id d14mr15417323qkc.287.1561128969542; Fri, 21 Jun 2019 07:56:09 -0700 (PDT) Received: from dhcp-41-57.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id g54sm2143489qtc.61.2019.06.21.07.56.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 Jun 2019 07:56:08 -0700 (PDT) Message-ID: <1561128967.5154.45.camel@lca.pw> Subject: Re: [PATCH -next v2] mm/page_alloc: fix a false memory corruption From: Qian Cai To: Alexander Potapenko Cc: Kees Cook , Andrew Morton , Linux Memory Management List , LKML Date: Fri, 21 Jun 2019 10:56:07 -0400 In-Reply-To: References: <1561063566-16335-1-git-send-email-cai@lca.pw> <201906201801.9CFC9225@keescook> <1561119983.5154.33.camel@lca.pw> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 (3.22.6-10.el7) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 2019-06-21 at 16:37 +0200, Alexander Potapenko wrote: > On Fri, Jun 21, 2019 at 2:26 PM Qian Cai wrote: > > > > On Fri, 2019-06-21 at 12:39 +0200, Alexander Potapenko wrote: > > > On Fri, Jun 21, 2019 at 3:01 AM Kees Cook wrote: > > > > > > > > On Thu, Jun 20, 2019 at 04:46:06PM -0400, Qian Cai wrote: > > > > > The linux-next commit "mm: security: introduce init_on_alloc=1 and > > > > > init_on_free=1 boot options" [1] introduced a false positive when > > > > > init_on_free=1 and page_poison=on, due to the page_poison expects the > > > > > pattern 0xaa when allocating pages which were overwritten by > > > > > init_on_free=1 with 0. > > > > > > > > > > Fix it by switching the order between kernel_init_free_pages() and > > > > > kernel_poison_pages() in free_pages_prepare(). > > > > > > > > Cool; this seems like the right approach. Alexander, what do you think? > > > > > > Can using init_on_free together with page_poison bring any value at all? > > > Isn't it better to decide at boot time which of the two features we're > > > going to enable? > > > > I think the typical use case is people are using init_on_free=1, and then > > decide > > to debug something by enabling page_poison=on. Definitely, don't want > > init_on_free=1 to disable page_poison as the later has additional checking > > in > > the allocation time to make sure that poison pattern set in the free time is > > still there. > > In addition to information lifetime reduction the idea of init_on_free > is to ensure the newly allocated objects have predictable contents. > Therefore it's handy (although not strictly necessary) to keep them > zero-initialized regardless of other boot-time flags. > Right now free_pages_prezeroed() relies on that, though this can be changed. > > On the other hand, since page_poison already initializes freed memory, > we can probably make want_init_on_free() return false in that case to > avoid extra initialization. > > Side note: if we make it possible to switch betwen 0x00 and 0xAA in > init_on_free mode, we can merge it with page_poison, performing the > initialization depending on a boot-time flag and doing heavyweight > checks under a separate config. Yes, that would be great which will reduce code duplication.