On 11/06/2014 06:39 AM, Seth Jennings wrote: > This commit introduces code for the live patching core. It implements > an ftrace-based mechanism and kernel interface for doing live patching > of kernel and kernel module functions. > > It represents the greatest common functionality set between kpatch and > kgraft and can accept patches built using either method. > > This first version does not implement any consistency mechanism that > ensures that old and new code do not run together. In practice, ~90% of > CVEs are safe to apply in this way, since they simply add a conditional > check. However, any function change that can not execute safely with > the old version of the function can _not_ be safely applied in this > version. > [...] > +/******************************************** > + * Sysfs Interface > + *******************************************/ > +/* > + * /sys/kernel/livepatch > + * /sys/kernel/livepatch/<patch> > + * /sys/kernel/livepatch/<patch>/enabled > + * /sys/kernel/livepatch/<patch>/<object> > + * /sys/kernel/livepatch/<patch>/<object>/<func> > + * /sys/kernel/livepatch/<patch>/<object>/<func>/new_addr > + * /sys/kernel/livepatch/<patch>/<object>/<func>/old_addr > + */ Letting anyone read new_addr and old_addr is a kASLR leak, and I would argue that showing this information to non-root at all is probably a bad idea. Can you make new_addr and old_addr have mode 0600 and /sys/kernel/livepatch itself have mode 0500? For the latter, an admin who wants unprivileged users to be able to see it can easily chmod it. --Andy -- To unsubscribe from this list: send the line "unsubscribe live-patching" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
