Re: [PATCH v8] RO/NX protection for loadable kernel modules

public inbox for linux-next@vger.kernel.org 
 help / color / mirror / Atom feed

From: Siarhei Liakh <sliakh.lkml@gmail•com>
To: Andi Kleen <andi@firstfloor•org>
Cc: linux-kernel@vger•kernel.org,
	linux-security-module@vger•kernel.org,
	linux-next@vger•kernel.org,
	Arjan van de Ven <arjan@infradead•org>,
	James Morris <jmorris@namei•org>,
	Andrew Morton <akpm@linux-foundation•org>, Andi Kleen <ak@muc•de>,
	Thomas Gleixner <tglx@linutronix•de>,
	"H. Peter Anvin" <hpa@zytor•com>, Ingo Molnar <mingo@elte•hu>,
	Rusty Russell <rusty@rustcorp•com.au>,
	Stephen Rothwell <sfr@canb•auug.org.au>,
	Dave Jones <davej@redhat•com>
Subject: Re: [PATCH v8] RO/NX protection for loadable kernel modules
Date: Tue, 2 Feb 2010 23:07:02 -0500	[thread overview]
Message-ID: <817ecb6f1002022007t236823b2pbf2a443f07532c72@mail.gmail.com> (raw)
In-Reply-To: <873a1jdyrg.fsf@basil.nowhere.org>

On Tue, Feb 2, 2010 at 6:05 PM, Andi Kleen <andi@firstfloor•org> wrote:

> My current kernel has 52 modules loaded, most of them very small.
> Assuming the additional alignment of the data section cost two more
> pages on average (I think that's a good assumption), that's roughly
> 424KB of additional memory, plus associated runtime costs in increased
> TLB usage.

You are right about the additional memory consumption with this option
enabled. In worst case scenario, a one-page module will get split into
3 pages. This might be a significant and unwelcome increase in some
cases (embedded systems come to mind) and that is why this is
implemented as compile-time option.
However, on a general run-of-the-mill system the impact is not that
significant. Case in point: I run Ubuntu 9.04 amd x86_64 with stock
kernel on a generic AMD box. There are 111 modules loaded for all the
hardware in the box and all the functions that it provides (regular
consumer-grade hardware, but definitely not a typical home desktop
setup). In total, 111 modules consume 15590884 bytes, with no module
less then 10KB. After eliminating top 3 memory hogs (nvidia@8MB,
vboxdrv@1•7MB and snd_hda_intel@0•5MB) we left with 5007532 bytes, 108
modules and nfs leading the list at 300KB. Assuming the worst-case
scenario of 2 additional pages per module, we get
(5007532+108*8192)/5007532 = 1.18 - only 18%. In addition, most
modules already have some unused space left at the end of the last
page and some padding in the middle for page/cache-aligned data. With
that in mind, it looks to me that typical overhead will be about 1
page per module (9% for the case above, although I have no solid
statistics to back this up).

> What would I get for that if I applied the patch and enabled the option?

With this patch you get strict separation of code, RO-data and RW-data
in LKMs. This will prevent all attempts (intentional or erroneous) to
modify code and RO-data, while keeping all data non-executable. While
not targeted to prevent any specific exploit, this patch does improve
general kernel security. When combined with the other two patches I
have submitted (RW+NX for first megabyte and NX for static kernel
data), this patch set completely eliminates kernel pages with
executable data and modifiable code.

> Did you find any bugs with this option?

Well, so far I did not find any bugs in the last version of the patch,
but it definitely breaks any module that uses self-modifying code or
data execution.
An issue with ftrace have been reported earlier and fixed in V7.

next prev parent reply	other threads:[~2010-02-03  4:07 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-01-31 23:22 [PATCH v8] RO/NX protection for loadable kernel modules Siarhei Liakh
2010-02-01  1:39 ` Rusty Russell
2010-02-01 16:22   ` Siarhei Liakh
2010-02-02 23:05 ` Andi Kleen
2010-02-03  4:07   ` Siarhei Liakh [this message]
2010-02-08  1:45   ` Rusty Russell
2010-02-08  1:54     ` H. Peter Anvin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=817ecb6f1002022007t236823b2pbf2a443f07532c72@mail.gmail.com \
    --to=sliakh.lkml@gmail$(echo .)com \
    --cc=ak@muc$(echo .)de \
    --cc=akpm@linux-foundation$(echo .)org \
    --cc=andi@firstfloor$(echo .)org \
    --cc=arjan@infradead$(echo .)org \
    --cc=davej@redhat$(echo .)com \
    --cc=hpa@zytor$(echo .)com \
    --cc=jmorris@namei$(echo .)org \
    --cc=linux-kernel@vger$(echo .)kernel.org \
    --cc=linux-next@vger$(echo .)kernel.org \
    --cc=linux-security-module@vger$(echo .)kernel.org \
    --cc=mingo@elte$(echo .)hu \
    --cc=rusty@rustcorp$(echo .)com.au \
    --cc=sfr@canb$(echo .)auug.org.au \
    --cc=tglx@linutronix$(echo .)de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox