On Tue, Apr 11, 2017 at 9:23 AM, Christoph Lameter <cl@xxxxxxxxx> wrote: > On Tue, 11 Apr 2017, Kees Cook wrote: > >> It seems that enabling the debug checks comes with a non-trivial >> performance impact. I'd like to see consistency checks by default so >> we can handle intentional heap corruption attacks better. This check >> isn't expensive... > > Its in a very hot code and frequently used code path. Yeah, absolutely. All the more reason to make sure the kernel can't be attacked through it. :) As with the automotive industry analogy[1] from Konstantin, we need to make sure Linux not only run fast and efficiently, but also fails gracefully by default. > Note also that these checks can be enabled and disabled at runtime for > each slab cache. Correct, but my understanding is that enabling them through the debug system ends up being much more expensive than this smaller check. The debug code is fairly comprehensive, but it's not been designed for efficient attack detection, etc. -Kees [1] http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf -- Kees Cook Pixel Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
