ces, the situation is going to get quite complicated very soon, if
you explicitly include certain HW devices in your model.
--
Cheers, Igor
Igor Stoppa <[EMAIL PROTECTED]>
(Nokia Multimedia - CP - OSSO / Helsinki, Finland)
--
To unsubscribe from this list: send the line "unsubscribe li
ives for examples of failed attempts
over the last year or so, just search for "framework" in the subject.
--
Cheers, Igor
Igor Stoppa <[EMAIL PROTECTED]>
(Nokia Multimedia - CP - OSSO / Helsinki, Finland)
-
To unsubscribe from this list: send the line "unsubscribe linux-k
On Sun, 2007-07-22 at 01:58 -0700, ext [EMAIL PROTECTED] wrote:
> On Sun, 22 Jul 2007, Igor Stoppa wrote:
[snip]
> > Could you elaborate on how your proposal is incompatible with enhancing
> > the clock framework?
>
> It's not that I think it's incompatibl
more
> >> generic API go in for external use and then the existing cpufreq be called
> >> from the set_mode() call?
> >
> > No, that doesn't make sense, as general approach.
> > You want to manage from kernel only those parts of the system where the
> > l
ep it ON.
Trying to abstract such details from the decision-making makes little
sense.
Isolating that into a separate module, instead, brings the best of both
worlds:
-containment of the HW-specific code
-leveraging every possible, no matter how exotic, power saving mode
available.
--
Cheers,
h
> > +for failing drivers by following the procedure analogous to the one
> > described in
> > +1b). If you find some failing drivers, you will have to unload them every
> > time
> > +before the STR transition (ie. before you run s2ram), and please report the
Foreword:
If I should direct this message to someone else, please let me know.
I couldn't get a clear idea, by looking at both MAINTAINERS and git blame.
Hi,
I'm currently trying to convert the SE Linux policy db into using a
protectable memory allocator (pmalloc) that I have developed.
Su
it out as preview.
Igor Stoppa (6):
genalloc: track beginning of allocations
genalloc: selftest
struct page: add field for vm_struct
Protectable Memory
Documentation for Pmalloc
Pmalloc: self-test
Documentation/core-api/pmalloc.txt | 104
include/linux/genalloc-selftest.h
on units, while the code
being patched has a 1:1 mapping between allocation units and bits.
This means that, now, the bitmap can be extended (by following powers of
2), to track also other properties of the allocations, if ever needed.
Signed-off-by: Igor Stoppa
---
include/linux/gen
execution of the self testing is controlled through a Kconfig option.
Signed-off-by: Igor Stoppa
---
include/linux/genalloc-selftest.h | 30 +++
init/main.c | 2 +
lib/Kconfig | 15 ++
lib/Makefile | 1 +
lib/genalloc-selftest.c
area. This will avoid more expensive searches.
As example, the function find_vm_area is reimplemented, to take advantage
of the newly introduced field.
Signed-off-by: Igor Stoppa
---
include/linux/mm_types.h | 1 +
mm/vmalloc.c | 18 +-
2 files changed, 14 insert
as needed, for example to support the
protection of data that is initialized in sufficiently distinct phases.
Signed-off-by: Igor Stoppa
---
include/linux/genalloc.h | 3 +
include/linux/pmalloc.h | 215
include/linux/vmalloc.h | 1 +
lib/genalloc.c | 27
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa
---
Documentation/core-api/pmalloc.txt | 104 +
1 file changed, 104 insertions(+)
create mode 100644 Documentation/core-api/pmalloc.txt
diff --git a/Documentation/core
Add basic self-test functionality for pmalloc.
Signed-off-by: Igor Stoppa
---
mm/Kconfig| 7 ++
mm/Makefile | 1 +
mm/pmalloc-selftest.c | 65 +++
mm/pmalloc-selftest.h | 30
mm/pmalloc.c
On 24/01/18 21:14, Ralph Campbell wrote:
> 2 Minor typos inline below:
thanks for proof-reading, will fix accordingly.
--
igor
Hi,
thanks for the review. My reply below.
On 24/01/18 21:10, Jann Horn wrote:
> I'm not entirely convinced by the approach of marking small parts of
> kernel memory as readonly for hardening.
Because of the physmap you mention later?
Regarding small parts vs big parts (what is big enough?) I
execution of the self testing is controlled through a Kconfig option.
Signed-off-by: Igor Stoppa
---
include/linux/genalloc-selftest.h | 30 +++
init/main.c | 2 +
lib/Kconfig | 14 ++
lib/Makefile | 1 +
lib/genalloc-selftest.c
missed someone, please include them to the recipients.
Igor Stoppa (2):
genalloc: track beginning of allocations
genalloc: selftest
include/linux/genalloc-selftest.h | 30 +++
include/linux/genalloc.h | 3 +-
init/main.c | 2 +
lib/Kconfig
on units, while the code
being patched has a 1:1 mapping between allocation units and bits.
This means that, now, the bitmap can be extended (by following powers of
2), to track also other properties of the allocations, if ever needed.
Signed-off-by: Igor Stoppa
---
include/linux/gen
On 26/01/18 18:36, Boris Lukashev wrote:
> I like the idea of making the verification call optional for consumers
> allowing for fast/slow+hard paths depending on their needs.
> Cant see any additional vectors for abuse (other than the original
> ones effecting out-of-band modification) introduced
royed.
An example is provided, in the form of self-testing.
Changes since the v11 version:
[http://www.openwall.com/lists/kernel-hardening/2018/01/24/4]
- restricted access to sysfs entries created (444 -> 400)
- more explicit reference to documentation
- couple of typos
Igor Stoppa (6):
on units, while the code
being patched has a 1:1 mapping between allocation units and bits.
This means that, now, the bitmap can be extended (by following powers of
2), to track also other properties of the allocations, if ever needed.
Signed-off-by: Igor Stoppa
---
include/linux/gen
execution of the self testing is controlled through a Kconfig option.
Signed-off-by: Igor Stoppa
---
include/linux/genalloc-selftest.h | 30 +++
init/main.c | 2 +
lib/Kconfig | 15 ++
lib/Makefile | 1 +
lib/genalloc-selftest.c
area. This will avoid more expensive searches.
As example, the function find_vm_area is reimplemented, to take advantage
of the newly introduced field.
Signed-off-by: Igor Stoppa
---
include/linux/mm_types.h | 1 +
mm/vmalloc.c | 18 +-
2 files changed, 14 insert
as needed, for example to support the
protection of data that is initialized in sufficiently distinct phases.
Signed-off-by: Igor Stoppa
---
include/linux/genalloc.h | 3 +
include/linux/pmalloc.h | 216
include/linux/vmalloc.h | 1 +
lib/genalloc.c | 27
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa
---
Documentation/core-api/pmalloc.txt | 104 +
1 file changed, 104 insertions(+)
create mode 100644 Documentation/core-api/pmalloc.txt
diff --git a/Documentation/core
Add basic self-test functionality for pmalloc.
Signed-off-by: Igor Stoppa
---
lib/genalloc.c| 2 +-
mm/Kconfig| 7 ++
mm/Makefile | 1 +
mm/pmalloc-selftest.c | 65 +++
mm/pmalloc-selftest.h | 30
On 01/02/18 02:00, Christopher Lameter wrote:
> On Tue, 30 Jan 2018, Igor Stoppa wrote:
>
>> @@ -1769,6 +1774,9 @@ void *__vmalloc_node_range(unsigned long size,
>> unsigned long align,
>>
>> kmemleak_vmalloc(area, size, gfp_mask);
>>
>> +
On 26/01/18 07:35, Matthew Wilcox wrote:
> On Wed, Jan 24, 2018 at 08:10:53PM +0100, Jann Horn wrote:
>> I'm not entirely convinced by the approach of marking small parts of
>> kernel memory as readonly for hardening.
>
> It depends how significant the data stored in there are. For example,
> sto
On 25/01/18 17:38, Jerome Glisse wrote:
> On Thu, Jan 25, 2018 at 10:14:28AM -0500, Boris Lukashev wrote:
>> On Thu, Jan 25, 2018 at 6:59 AM, Igor Stoppa wrote:
>
> [...]
>
>> DMA/physmap access coupled with a knowledge of which virtual mappings
>> are in the physi
On 24/01/18 19:56, Igor Stoppa wrote:
[...]
> +bool pmalloc_prealloc(struct gen_pool *pool, size_t size)
> +{
[...]
> +abort:
> + vfree(chunk);
this should be vfree_atomic()
[...]
> +void *pmalloc(struct gen_pool *pool, size_t size, gfp_t gfp)
> +{
[...]
> +free
On 12/03/18 21:13, Matthew Wilcox wrote:
> On Wed, Feb 28, 2018 at 10:06:17PM +0200, Igor Stoppa wrote:
>> struct gen_pool *pmalloc_create_pool(const char *name,
>> int min_alloc_order);
>> int is_pmalloc_object(const void *ptr,
On 06/03/2018 16:10, Matthew Wilcox wrote:
> On Wed, Feb 28, 2018 at 10:06:14PM +0200, Igor Stoppa wrote:
>> + * Encoding of the bitmap tracking the allocations
>> + * ---
>> + *
>> + * The bitmap is composed of units of allo
On 05/03/2018 21:00, J Freyensee wrote:
> .
> .
>
>
> On 2/28/18 12:06 PM, Igor Stoppa wrote:
>> +
>> +/**
>> + * gen_pool_dma_alloc() - allocate special memory from the pool for DMA
>> usage
>> + * @pool: pool to allocate from
>> +
On 06/03/18 18:05, Igor Stoppa wrote:
> On 06/03/2018 16:10, Matthew Wilcox wrote:
[...]
>> This seems unnecessarily complicated.
>
> TBH it seemed to me a natural extension of the existing encoding :-)
BTW, to provide some background, this is where it begun:
http://www.ope
On 06/03/18 19:20, J Freyensee wrote:
> On 2/28/18 12:06 PM, Igor Stoppa wrote:
[...]
>> void __init lkdtm_perms_init(void);
>> void lkdtm_WRITE_RO(void);
>> void lkdtm_WRITE_RO_AFTER_INIT(void);
>> +void lkdtm_WRITE_RO_PMALLOC(void);
>
> Does this n
On 06/03/18 05:59, J Freyensee wrote:
[...]
>> +config PROTECTABLE_MEMORY
>> +bool
>> +depends on MMU
>
>
> Curious, would you also want to depend on "SECURITY" as well, as this is
> being advertised as a compliment to __read_only_after_init, per the file
> header comments, as I'm ass
On 06/03/18 15:19, Mike Rapoport wrote:
> On Wed, Feb 28, 2018 at 10:06:14PM +0200, Igor Stoppa wrote:
[...]
> If I'm not mistaken, several kernel-doc descriptions are duplicated now.
> Can you please keep a single copy? ;-)
What's the preferred approach?
Document the fun
On 07/03/18 16:48, Igor Stoppa wrote:
>
>
> On 06/03/18 15:19, Mike Rapoport wrote:
>> On Wed, Feb 28, 2018 at 10:06:14PM +0200, Igor Stoppa wrote:
[...]
>>> + * get_boundary() - verifies address, then measure length.
>>
>> There's some lack of consis
On 14/03/18 14:25, Matthew Wilcox wrote:
> On Tue, Mar 13, 2018 at 11:45:52PM +0200, Igor Stoppa wrote:
>> Add basic self-test functionality for pmalloc.
>
> Here're some additional tests for your test-suite:
>
> for (i = 1; i; i *= 2)
> pz
ignment of allocations
* added parameter for specifying size of a refill
* removed option to pre-allocate memory for a pool (is it a bad idea?)
* changed vmap_area to allow chaining them, for tracking them in a pool
* made public the previously private find_vmap_area function
Igor Stoppa (6):
struct
arent area.
This will avoid more expensive searches, later on.
Signed-off-by: Igor Stoppa
Reviewed-by: Jay Freyensee
Reviewed-by: Matthew Wilcox
---
include/linux/mm_types.h | 1 +
mm/vmalloc.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/include/linux/mm_types.h b/inc
tilization outside of the purging phase.
Since the purging happens after the vmap_area is dismissed, its use is
mutually exclusive with any use performed while the area is allocated.
Signed-off-by: Igor Stoppa
---
include/linux/vmalloc.h | 2 +-
mm/vmalloc.c| 6 +++---
2 files changed, 4
gained access to the physical mapping, still has to identify where the
target of the attack is actually located.
At the same time, being also based on genalloc, pmalloc does not
generate as much trashing of the TLB as it would be caused by only using
directly vmalloc.
Signed-off-by: Igor Stoppa
Verify that pmalloc read-only protection is in place: trying to
overwrite a protected variable will crash the kernel.
Signed-off-by: Igor Stoppa
---
drivers/misc/lkdtm.h | 1 +
drivers/misc/lkdtm_core.c | 3 +++
drivers/misc/lkdtm_perms.c | 28
3 files
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa
---
Documentation/core-api/index.rst | 1 +
Documentation/core-api/pmalloc.rst | 101 +
2 files changed, 102 insertions(+)
create mode 100644 Documentation/core-api
Add basic self-test functionality for pmalloc.
The testing is introduced as early as possible, right after the main
dependency, genalloc, has passed successfully, so that it can help
diagnosing failures in pmalloc users.
Signed-off-by: Igor Stoppa
---
include/linux/test_pmalloc.h | 24
On 27/03/18 05:31, Matthew Wilcox wrote:
> On Tue, Mar 27, 2018 at 04:55:21AM +0300, Igor Stoppa wrote:
>> +static inline void *pmalloc_array_align(struct pmalloc_pool *pool,
>> +size_t n, size_t size,
>> +
orked the destroy function, removing a possible race with
use-after-free code.
Igor Stoppa (6):
struct page: add field for vm_struct
vmalloc: rename llist field in vmap_area
Protectable Memory
Pmalloc selftest
lkdtm: crash on overwriting protected pmalloc var
Documentation for Pm
arent area.
This will avoid more expensive searches, later on.
Signed-off-by: Igor Stoppa
Reviewed-by: Jay Freyensee
Reviewed-by: Matthew Wilcox
---
include/linux/mm_types.h | 1 +
mm/vmalloc.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/include/linux/mm_types.h b/inc
tilization outside of the purging phase.
Since the purging happens after the vmap_area is dismissed, its use is
mutually exclusive with any use performed while the area is allocated.
Signed-off-by: Igor Stoppa
---
include/linux/vmalloc.h | 2 +-
mm/vmalloc.c| 6 +++---
2 files changed, 4
page,
where present.
Signed-off-by: Igor Stoppa
---
include/linux/pmalloc.h | 166 ++
include/linux/vmalloc.h | 3 +
mm/Kconfig | 6 ++
mm/Makefile | 1 +
mm/pmalloc.c| 264 +++
Add basic self-test functionality for pmalloc.
The testing is introduced as early as possible, right after the main
dependency, genalloc, has passed successfully, so that it can help
diagnosing failures in pmalloc users.
Signed-off-by: Igor Stoppa
---
include/linux/test_pmalloc.h | 24
Verify that pmalloc read-only protection is in place: trying to
overwrite a protected variable will crash the kernel.
Signed-off-by: Igor Stoppa
---
drivers/misc/lkdtm.h | 1 +
drivers/misc/lkdtm_core.c | 3 +++
drivers/misc/lkdtm_perms.c | 25 +
3 files changed
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa
---
Documentation/core-api/index.rst | 1 +
Documentation/core-api/pmalloc.rst | 107 +
2 files changed, 108 insertions(+)
create mode 100644 Documentation/core-api
tilization outside of the purging phase.
Since the purging happens after the vmap_area is dismissed, its use is
mutually exclusive with any use performed while the area is allocated.
Signed-off-by: Igor Stoppa
---
include/linux/vmalloc.h | 2 +-
mm/vmalloc.c| 6 +++---
2 files changed, 4
arent area.
This will avoid more expensive searches, later on.
Signed-off-by: Igor Stoppa
Reviewed-by: Jay Freyensee
Reviewed-by: Matthew Wilcox
---
include/linux/mm_types.h | 1 +
mm/vmalloc.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/include/linux/mm_types.h b/inc
f max(), detected by gcc 7.3
* converted internal types into size_t
* fixed leak of vmalloc memory in the self-test code
Igor Stoppa (6):
struct page: add field for vm_struct
vmalloc: rename llist field in vmap_area
Protectable Memory
Documentation for Pmalloc
Pmalloc selftest
lkdtm: cra
Verify that pmalloc read-only protection is in place: trying to
overwrite a protected variable will crash the kernel.
Signed-off-by: Igor Stoppa
---
drivers/misc/lkdtm/core.c | 3 +++
drivers/misc/lkdtm/lkdtm.h | 1 +
drivers/misc/lkdtm/perms.c | 25 +
3 files changed
page,
where present.
Signed-off-by: Igor Stoppa
---
include/linux/pmalloc.h | 166 ++
include/linux/vmalloc.h | 3 +
mm/Kconfig | 6 ++
mm/Makefile | 1 +
mm/pmalloc.c| 265 +++
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa
---
Documentation/core-api/index.rst | 1 +
Documentation/core-api/pmalloc.rst | 107 +
2 files changed, 108 insertions(+)
create mode 100644 Documentation/core-api
Add basic self-test functionality for pmalloc.
The testing is introduced as early as possible, right after the main
dependency, genalloc, has passed successfully, so that it can help
diagnosing failures in pmalloc users.
Signed-off-by: Igor Stoppa
---
include/linux/test_pmalloc.h | 24
sizes of
allocation is likely to eat up much more memory than the bitmap.
Igor Stoppa (8):
genalloc: track beginning of allocations
Add label to genalloc.rst for cross reference
genalloc: selftest
struct page: add field for vm_struct
Protectable Memory
Pmalloc selftest
lkdtm:
that the patch works correctly.
Eventually, the extra parameter (and the corresponding verification)
could be dropped, in favor of a simplified API.
Signed-off-by: Igor Stoppa
---
include/linux/genalloc.h | 112 +++
lib/genalloc.c | 742 ++---
as module.
Signed-off-by: Igor Stoppa
---
include/linux/test_genalloc.h | 26 +++
init/main.c | 2 +
lib/Kconfig | 15 ++
lib/Makefile | 1 +
lib/test_genalloc.c | 410 ++
5 files changed
Put a label at the beginning of the genalloc.rst, to allow other
documents to cross-reference it.
Signed-off-by: Igor Stoppa
---
Documentation/core-api/genalloc.rst | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Documentation/core-api/genalloc.rst
b/Documentation/core-api/genalloc.rst
arent area.
This will avoid more expensive searches, later on.
Signed-off-by: Igor Stoppa
---
include/linux/mm_types.h | 1 +
mm/vmalloc.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index fd1af6b9591d..c3a4825e10c0 100644
---
same time, being also based on genalloc, pmalloc does not
generate as much trashing of the TLB as it would be caused by using
directly only vmalloc.
Signed-off-by: Igor Stoppa
---
include/linux/genalloc.h | 4 +
include/linux/pmalloc.h | 163
include/linux/vmalloc.h | 1 +
lib
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa
---
Documentation/core-api/index.rst | 1 +
Documentation/core-api/pmalloc.rst | 111 +
2 files changed, 112 insertions(+)
create mode 100644 Documentation/core-api
Add basic self-test functionality for pmalloc.
The testing is introduced as early as possible, right after the main
dependency, genalloc, has passed successfully, so that it can help
diagnosing failures in pmalloc users.
Signed-off-by: Igor Stoppa
---
include/linux/test_pmalloc.h | 24
Verify that pmalloc read-only protection is in place: trying to
overwrite a protected variable will crash the kernel.
Signed-off-by: Igor Stoppa
---
drivers/misc/lkdtm.h | 1 +
drivers/misc/lkdtm_core.c | 3 +++
drivers/misc/lkdtm_perms.c | 28
3 files
On 13/03/18 23:45, Igor Stoppa wrote:
[...]
Some more thoughts about the open topics:
> Discussion topics that are unclear if they are closed and would need
> comment from those who initiated them, if my answers are accepted or not:
>
> * @Kees Cook proposed to have first self
On 14/03/18 13:56, Matthew Wilcox wrote:
> On Wed, Mar 14, 2018 at 01:21:54PM +0200, Igor Stoppa wrote:
[...]
> You misread my proposal. I did not suggest storing the 'start', but the
> 'end'.
Ok, but doesn't that only change the race scenario?
Attempting t
On 14/03/18 14:15, Matthew Wilcox wrote:
> On Tue, Mar 13, 2018 at 11:45:51PM +0200, Igor Stoppa wrote:
>> +static inline void *pmalloc_array(struct gen_pool *pool, size_t n,
>> + size_t size, gfp_t flags)
>> +{
>> +if (u
On 14/03/18 15:04, Matthew Wilcox wrote:
> I don't necessarily think you should use it as-is,
I think I simply cannot use it as-is, because it seems to use linear
memory, while I need virtual. This reason alone would require a rewrite
of several parts.
> but the principle it uses
> seems like
Hi,
On 13/11/2018 20:36, Andy Lutomirski wrote:
On Tue, Nov 13, 2018 at 10:33 AM Igor Stoppa wrote:
I forgot one sentence :-(
On 13/11/2018 20:31, Igor Stoppa wrote:
On 13/11/2018 19:47, Andy Lutomirski wrote:
For general rare-writish stuff, I don't think we want IRQs running
with
On 13/11/2018 19:16, Andy Lutomirski wrote:
> On Tue, Nov 13, 2018 at 6:25 AM Igor Stoppa wrote:
[...]
>> How about having one mm_struct for each writer (core or thread)?
>>
>
> I don't think that helps anything. I think the mm_struct used for
> prmem (or rare_
On 06/12/2018 01:13, Andy Lutomirski wrote:
+ kasan_disable_current();
+ if (op == WR_MEMCPY)
+ memcpy((void *)wr_poking_addr, (void *)src, len);
+ else if (op == WR_MEMSET)
+ memset((u8 *)wr_poking_addr, (u8)src, len);
+ else if (op == WR_RCU_
On 06/12/2018 06:44, Matthew Wilcox wrote:
On Tue, Dec 04, 2018 at 02:18:01PM +0200, Igor Stoppa wrote:
+void *__wr_op(unsigned long dst, unsigned long src, __kernel_size_t len,
+ enum wr_op_type op)
+{
+ temporary_mm_state_t prev;
+ unsigned long flags
On 06/12/2018 11:44, Peter Zijlstra wrote:
On Wed, Dec 05, 2018 at 03:13:56PM -0800, Andy Lutomirski wrote:
+ if (op == WR_MEMCPY)
+ memcpy((void *)wr_poking_addr, (void *)src, len);
+ else if (op == WR_MEMSET)
+ memset((u8 *)wr_poking_addr, (u8)src, l
Refactor the test cases, in preparation for using them also for testing
__wr_after_init memory.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
[1] https://www.openwall.com/lists/kernel-hardening/2018/11/22/8
[2] https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1793199.html
[3] https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1810245.html
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Pete
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel-harden...@lists.openwall.com
CC: linux...@kvack.org
CC: linux-kernel@vger.kernel.org
---
include/asm-generic/vml
elay, in a preemptible
system, however the amount of data to be altered is likely to be far
smaller than a page.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: ker
The write protection of the __wr_after_init data can be verified with the
same methodology used for const data.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel
Set of test cases meant to confirm that the write rare functionality
works as expected.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
Verify that trying to modify a variable with the __wr_after_init
modifier wil lcause a crash.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
Hi,
I have been wondering if it's ok to break a long (function declaration)
line in the following way:
static __always_inline
struct foo_bar *__get_foo_bar(type1 parm1, type2 parm2, type3 parm3)
instead of:
static __always_inline struct foo_bar *__get_foo_bar(type1 parm1,
On 12/05/18 18:41, Joe Perches wrote:
I personally like more the former, not to mention that it uses also one
line less, but it seems less common in the sources.
The coding style references do not seem to say anything explicit about
which style to prefer.
thank you, I could provide a patch to
patch.pl sources, to figure out the actual
test.
Signed-off-by: Igor Stoppa
CC: Andy Whitcroft
CC: Joe Perches
CC: linux-kernel@vger.kernel.org
---
scripts/checkpatch.pl | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index c883ec
On 19/12/2018 14:29, Joe Perches wrote:
On Wed, 2018-12-19 at 11:59 +, Andy Whitcroft wrote:
On Wed, Dec 19, 2018 at 02:44:36AM -0800, Joe Perches wrote:
To cover both cases perhaps:
"please ensure that this config symbols is described fully (less than
$min_conf_desc_
patch.pl sources, to figure out the actual
test.
Signed-off-by: Igor Stoppa
CC: Andy Whitcroft
CC: Joe Perches
CC: linux-kernel@vger.kernel.org
---
scripts/checkpatch.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index c883ec
Create x86_64 specific version of memset for user space, based on
clear_user().
This will be used for implementing wr_memset() in the __wr_after_init
scenario, where write-rare variables have an alternate mapping for
writing.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC
o activate both section and label, the arch must set CONFIG_ARCH_HAS_PRMEM
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
CC: kernel-harden...@lists.openw
ck.org
CC: linux-kernel@vger.kernel.org
Igor Stoppa (12):
[PATCH 01/12] x86_64: memset_user()
[PATCH 02/12] __wr_after_init: linker section and label
[PATCH 03/12] __wr_after_init: generic header
[PATCH 04/12] __wr_after_init: x86_64: __wr_op
[PATCH 05/12] __wr_af
To avoid code duplication, re-use __memset_user(), when clearing
user-space memory.
The overhead should be minimal (2 extra register assignments) and
outside of the writing loop.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees
Update the self-protection documentation, to mention also the use of the
__wr_after_init attribute.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
CC
Set of test cases meant to confirm that the write rare functionality
works as expected.
It can be optionally compiled as module.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux
.
__wr_after_init can still provide some protection, at least against
simple memory overwrite attacks
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
CC: kernel
The write protection of the __wr_after_init data can be verified with the
same methodology used for const data.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr
1 - 100 of 461 matches
Mail list logo
