Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 64EF3C433F5 for ; Tue, 16 Nov 2021 00:11:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 50EA563215 for ; Tue, 16 Nov 2021 00:11:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233689AbhKPAOs (ORCPT ); Mon, 15 Nov 2021 19:14:48 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55454 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347588AbhKOW4g (ORCPT ); Mon, 15 Nov 2021 17:56:36 -0500 Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F51CC0337CB for ; Mon, 15 Nov 2021 14:06:43 -0800 (PST) Received: by mail-pf1-x432.google.com with SMTP id 8so4307413pfo.4 for ; Mon, 15 Nov 2021 14:06:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=+75pOgzRSIiee94ABsrf5glhvGlXlViH0+WT5j4L0aw=; b=dS8Un6tSdNnk9Z4kmfDP4XsUZOMSVFQw3q3GTGh5sr8XmLWMkM07MuC1+dT12/ptHP 8r4FauaE6OQMmNCZkBtn866ZhTNqnOWvSfGwr5K3/jo8deQAcP6hs392bnEV+AReAEVH V9uj6x0kL07NJEinAldy4HwU/0bSkPFxwZmfQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=+75pOgzRSIiee94ABsrf5glhvGlXlViH0+WT5j4L0aw=; b=renhy+Tq5oGvziqAKUw6VPgMSsxyMtkG1opj2gx5pxFQhNPh3gxLie2WE9SKWXO+si mM4pVwTTc9qT17WyZ3IyrGbnr8MNHAtYk7uS2ov7GRRXM/HW4qUHsFkEyi3zwfZWcRyf YF0//MJwCLGiBc6K4E70UyTAdG72DLPce5PtD6nYhQa+N7/XJXZVTCxqXqsEX0emOeno fx4gCvt6d7Bs7IbwjyP9RAEPMP9X1A0+TAmy/Z4M/6PEWBhXrw/TYlWALcBQxZL0Mreh ZoYlYtkZKHdFUdRg8Lw4Zg3ux6dLKLazhK1xXR2xtORcKIDbtWbV78d/cRkvUMxV1qwu vTUA== X-Gm-Message-State: AOAM533TOPHnBxZ/k6B31E3oGuhSlSHfvXNZEMLHE96t6KVMn/HHHhI4 RYEsbzpd8LnuJv03cpuLyGSwOw== X-Google-Smtp-Source: ABdhPJxbI3NOtgyO8DBjqkXVe/gYAMuaxOIkr7hH2fyzLDr8HfWh0griJts14SzHJ0idri2HBcFqDg== X-Received: by 2002:aa7:8151:0:b0:480:9d40:8e38 with SMTP id d17-20020aa78151000000b004809d408e38mr35382844pfn.72.1637014002929; Mon, 15 Nov 2021 14:06:42 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id rm10sm277789pjb.29.2021.11.15.14.06.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 15 Nov 2021 14:06:42 -0800 (PST) Date: Mon, 15 Nov 2021 14:06:41 -0800 From: Kees Cook To: Steven Rostedt Cc: Lukas Bulwahn , Alexander Popov , Linus Torvalds , Jonathan Corbet , Paul McKenney , Andrew Morton , Thomas Gleixner , Peter Zijlstra , Joerg Roedel , Maciej Rozycki , Muchun Song , Viresh Kumar , Robin Murphy , Randy Dunlap , Lu Baolu , Petr Mladek , Luis Chamberlain , Wei Liu , John Ogness , Andy Shevchenko , Alexey Kardashevskiy , Christophe Leroy , Jann Horn , Greg Kroah-Hartman , Mark Rutland , Andy Lutomirski , Dave Hansen , Will Deacon , Ard Biesheuvel , Laura Abbott , David S Miller , Borislav Petkov , Arnd Bergmann , Andrew Scull , Marc Zyngier , Jessica Yu , Iurii Zaikin , Rasmus Villemoes , Wang Qing , Mel Gorman , Mauro Carvalho Chehab , Andrew Klychkov , Mathieu Chouquet-Stringer , Daniel Borkmann , Stephen Kitt , Stephen Boyd , Thomas Bogendoerfer , Mike Rapoport , Bjorn Andersson , Kernel Hardening , linux-hardening@vger.kernel.org, "open list:DOCUMENTATION" , linux-arch , Linux Kernel Mailing List , linux-fsdevel , notify@kernel.org, main@lists.elisa.tech, safety-architecture@lists.elisa.tech, devel@lists.elisa.tech, Shuah Khan Subject: Re: [PATCH v2 0/2] Introduce the pkill_on_warn parameter Message-ID: <202111151116.933184F716@keescook> References: <20211027233215.306111-1-alex.popov@linux.com> <77b79f0c-48f2-16dd-1d00-22f3a1b1f5a6@linux.com> <20211115110649.4f9cb390@gandalf.local.home> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20211115110649.4f9cb390@gandalf.local.home> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 15, 2021 at 11:06:49AM -0500, Steven Rostedt wrote: > On Mon, 15 Nov 2021 14:59:57 +0100 > Lukas Bulwahn wrote: > > > 1. Allow a reasonably configured kernel to boot and run with > > panic_on_warn set. Warnings should only be raised when something is > > not configured as the developers expect it or the kernel is put into a > > state that generally is _unexpected_ and has been exposed little to > > the critical thought of the developer, to testing efforts and use in > > other systems in the wild. Warnings should not be used for something > > informative, which still allows the kernel to continue running in a > > proper way in a generally expected environment. Up to my knowledge, > > there are some kernels in production that run with panic_on_warn; so, > > IMHO, this requirement is generally accepted (we might of course > > To me, WARN*() is the same as BUG*(). If it gets hit, it's a bug in the > kernel and needs to be fixed. I have several WARN*() calls in my code, and > it's all because the algorithms used is expected to prevent the condition > in the warning from happening. If the warning triggers, it means either that > the algorithm is wrong or my assumption about the algorithm is wrong. In > either case, the kernel needs to be updated. All my tests fail if a WARN*() > gets hit (anywhere in the kernel, not just my own). > > After reading all the replies and thinking about this more, I find the > pkill_on_warning actually worse than not doing anything. If you are > concerned about exploits from warnings, the only real solution is a > panic_on_warning. Yes, it brings down the system, but really, it has to be > brought down anyway, because it is in need of a kernel update. Hmm, yes. What it originally boiled down to, which is why Linus first objected to BUG(), was that we don't know what other parts of the system have been disrupted. The best example is just that of locking: if we BUG() or do_exit() in the middle of holding a lock, we'll wreck whatever subsystem that was attached to. Without a deterministic system state unwinder, there really isn't a "safe" way to just stop a kernel thread. With this pkill_on_warn, we avoid the BUG problem (since the thread of execution continues and stops at an 'expected' place: the signal handler). However, now we have the newer objection from Linus, which is one of attribution: the WARN might be hit during an "unrelated" thread of execution and "current" gets blamed, etc. And beyond that, if we take down a portion of userspace, what in userspace may be destabilized? In theory, we get a case where any required daemons would be restarted by init, but that's not "known". The safest version of this I can think of is for processes to opt into this mitigation. That would also cover the "special cases" we've seen exposed too. i.e. init and kthreads would not opt in. However, that's a lot to implement when Marco's tracing suggestion might be sufficient and policy could be entirely implemented in userspace. It could be as simple as this (totally untested): diff --git a/include/trace/events/error_report.h b/include/trace/events/error_report.h index 96f64bf218b2..129d22eb8b6e 100644 --- a/include/trace/events/error_report.h +++ b/include/trace/events/error_report.h @@ -16,6 +16,8 @@ #define __ERROR_REPORT_DECLARE_TRACE_ENUMS_ONCE_ONLY enum error_detector { + ERROR_DETECTOR_WARN, + ERROR_DETECTOR_BUG, ERROR_DETECTOR_KFENCE, ERROR_DETECTOR_KASAN }; @@ -23,6 +25,8 @@ enum error_detector { #endif /* __ERROR_REPORT_DECLARE_TRACE_ENUMS_ONCE_ONLY */ #define error_detector_list \ + EM(ERROR_DETECTOR_WARN, "warn") \ + EM(ERROR_DETECTOR_BUG, "bug") \ EM(ERROR_DETECTOR_KFENCE, "kfence") \ EMe(ERROR_DETECTOR_KASAN, "kasan") /* Always end the list with an EMe. */ diff --git a/lib/bug.c b/lib/bug.c index 45a0584f6541..201b4070bbbc 100644 --- a/lib/bug.c +++ b/lib/bug.c @@ -48,6 +48,7 @@ #include #include #include +#include extern struct bug_entry __start___bug_table[], __stop___bug_table[]; @@ -198,6 +199,7 @@ enum bug_trap_type report_bug(unsigned long bugaddr, struct pt_regs *regs) /* this is a WARN_ON rather than BUG/BUG_ON */ __warn(file, line, (void *)bugaddr, BUG_GET_TAINT(bug), regs, NULL); + trace_error_report_end(ERROR_DETECTOR_WARN, bugaddr); return BUG_TRAP_TYPE_WARN; } @@ -206,6 +208,7 @@ enum bug_trap_type report_bug(unsigned long bugaddr, struct pt_regs *regs) else pr_crit("Kernel BUG at %pB [verbose debug info unavailable]\n", (void *)bugaddr); + trace_error_report_end(ERROR_DETECTOR_BUG, bugaddr); return BUG_TRAP_TYPE_BUG; } Marco, is this the full version of monitoring this from the userspace side? perf record -e error_report:error_report_end -- Kees Cook