Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1804860ybb; Sat, 4 Apr 2020 13:01:06 -0700 (PDT) X-Google-Smtp-Source: APiQypKnlUHIsauMQhQOftYX5LWuU19xvFfEYIUd+HNH+3NrDuR38jAnYx5ERPe+hNnQ5IfWViex X-Received: by 2002:aca:aac1:: with SMTP id t184mr7698739oie.14.1586030466424; Sat, 04 Apr 2020 13:01:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586030466; cv=none; d=google.com; s=arc-20160816; b=L9YTAqdopuquQ9S8Bx7YtzPNVE84szQZxB/4M+PhdXbezUUM8dDwBmDrVvyvR+zmSO ikBpzGwBQWen7msPfOLMK+Nxoa2PY+iufnX5wBlI88CsL2hSRzRbwU3RhpFoQQ2E3kl3 Hhhn9CKSz47nB5YMEmWmDjAaSCLalakeT/U6+0miK74RrykAUp411xc65eRiPXWCko3/ 80boL49pmPu7NYIiLt6maenm4JqJ1KC3liZkDgYAOct//J86LEdbjJpKqWG1KI/Dl9x3 rbfA8JaRLuFlsZ7QLzciyiCb3vGezY7K0PM1s1l9VnJzDSQ+AjfFfjIdYzmTZXiDdq3W HtgQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=YsuPBZsb8WE7VCqvhICagjys5vaL8jznepcO6gVNhuY=; b=H0uXsS70RDCSSyWPxmzAGxh3AgI6a+30E31MqcRC9bknmu5ic0RgxiTqeGbKOEZjNQ YmZqwDczlLEZzaLj3ed9Q0LxGtM/ZcwzkdKcaMDNItDed4Cftbl9cB2/U7pUAjvkEXeU dKdsyDQeED5z8zAGqf6NtQ35/uvI7az6gp2+liJwtZSceGv6D+jZCz4s0DXb2jCFKvRO CDoSPFZVoZeEyT3dI6tFuqGp/gyXuvtcz3LtObhMh/emO45IillZs5bYXtkAXTQCXHDl 37FBJXqTk5qrq1aNzDugBHHV6m7wrMVOriETYS5jLN7kmdsc0NsTUTEnux3l/mn1HJxe bW/A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b="O/NJbZhE"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a13si5903673otk.158.2020.04.04.13.00.54; Sat, 04 Apr 2020 13:01:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b="O/NJbZhE"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726396AbgDDUAb (ORCPT + 99 others); Sat, 4 Apr 2020 16:00:31 -0400 Received: from mail-lj1-f195.google.com ([209.85.208.195]:45622 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726297AbgDDUAa (ORCPT ); Sat, 4 Apr 2020 16:00:30 -0400 Received: by mail-lj1-f195.google.com with SMTP id t17so10471385ljc.12 for ; Sat, 04 Apr 2020 13:00:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YsuPBZsb8WE7VCqvhICagjys5vaL8jznepcO6gVNhuY=; b=O/NJbZhEcELmxr8BjYMVRxOGDrpsvhy4davP58ldZKgobV0p7JxPIcKelXaB7aNZW9 mPcbUFn5jfyaOh/i3A4S/VxDN7Nv056gxJ7+iidO74GTBvCOtL8MrU9wKnElTGHdb3um EpkDy6jh4uuboALpwZV+wASIDyIisdDKaAb18= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YsuPBZsb8WE7VCqvhICagjys5vaL8jznepcO6gVNhuY=; b=PR0ksHmMfuY7n/VsLyubG68SRkCp6KdMMcv/iSTgJRWeGpxo7h1oZ1ez6dcFzGj57M 8LeeA/ik/EvjbE7FYO8CHfeF7Fr37OgRYlL4p4mzecRqzvpb0ia/kt8aU5eS+cEL7Pa7 PcQU84zHEYiBBCP9J9WctO0F+F44O60g3Mi45/JjNY94RAXC8bJHf6cYTQML2c7Dfac3 YTy9gQaWtLucBZuJ8zq9+EwBourP5MRyVVgzMi9HTjFUxg981mlbzpk5C4rDanEUSRJC MqvxEz6CavvlxDoEQXslmjALdWQoyL0Bf23oArpjGQW1xbUh3mAog8UoJ/hY8s6LyFQS rQ0Q== X-Gm-Message-State: AGi0PuY9FilP1goD1PsABt/GSs95da6Gs8I0JXhtO6Gr0MmtFbK6+ZZD mS7hPJ6iSoc+X66w3464ePo+jMjXgNI= X-Received: by 2002:a2e:3919:: with SMTP id g25mr8309460lja.248.1586030426200; Sat, 04 Apr 2020 13:00:26 -0700 (PDT) Received: from mail-lj1-f170.google.com (mail-lj1-f170.google.com. [209.85.208.170]) by smtp.gmail.com with ESMTPSA id u25sm8549757lfm.97.2020.04.04.13.00.24 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 04 Apr 2020 13:00:25 -0700 (PDT) Received: by mail-lj1-f170.google.com with SMTP id k21so10543041ljh.2 for ; Sat, 04 Apr 2020 13:00:24 -0700 (PDT) X-Received: by 2002:a2e:7c1a:: with SMTP id x26mr7591094ljc.209.1586030424282; Sat, 04 Apr 2020 13:00:24 -0700 (PDT) MIME-Version: 1.0 References: <1437197.1585570598@warthog.procyon.org.uk> In-Reply-To: <1437197.1585570598@warthog.procyon.org.uk> From: Linus Torvalds Date: Sat, 4 Apr 2020 13:00:08 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [GIT PULL] keys: Fix key->sem vs mmap_sem issue when reading key To: David Howells , Johannes Weiner , Herbert Xu Cc: Jarkko Sakkinen , Waiman Long , keyrings@vger.kernel.org, LSM List , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 30, 2020 at 5:16 AM David Howells wrote: > > security/keys/internal.h | 12 ++++ This isn't so much about this pull (which I have taken), as about the fact that this code re-inforces bad behavior we already in the slub layer, and now extends it further to kvfree. Doing this: __kvzfree(const void *addr, size_t len) .. memset((void *)addr, 0, len); kvfree(addr); is wrong to begin with. It's wrong because if the compiler ever knows that kvfree is a freeing function (with something like __attribute__((free)) - I don't think gcc is smart enough today), the compiler might throw the memset away. Yeah, so far we've only seen that for automatic stack clearing, but there are very much compilers that know that alloc/free are special (both for warning about use-after-free issues, and for "improving" code generation by blindly removing dead writes). We have a function for clearing sensitive information: it's called "memclear_explicit()", and it's about forced (explicit) clearing even if the data might look dead afterwards. The other problem with that function is the name: "__kvzfree()" is not a useful name for this function. We use the "__" format for internal low-level helpers, and it generally means that it does *less* than the full function. This does more, not less, and "__" is not following any sane naming model. So the name should probably be something like "kvfree_sensitive()" or similar. Or maybe it could go even further, and talk about _why_ it's sensitive, and call it "kvfree_cleartext()" or something like that. Because the clearing is really not what even matters. It might choose other patterns to overwrite things with, but it might do other things too, like putting special barriers for data leakage (or flags to tell return-to-user-mode to do so). And yes, kzfree() isn't a good name either, and had that same memset(), but at least it doesn't do the dual-underscore mistake. Including some kzfree()/crypto people explicitly - I hope we can get away from this incorrect and actively wrong pattern of thinking that "sensitive data should be memset(), and then we should add a random 'z' in the name somewhere to 'document' that". Linus