Most of the time, fixing a vulnerability with a live patch is straightforward and local in nature: adding an additional bounds check, for example.
And then there are CPU bugs.
After a short recap of the kGraft and upstream kernel live patching's per-task consistency model, see how we managed to achieve global consistency by live patching kGraft itself. This enabled us to change semantics on a running system: flipping CR4 bits, messing with page tables, etc. is all possible now.
Other highlights, unrelated to the consistency model, include:
- live patching entry code
- fooling the non-eager mode FPU switching heuristics into being eager
Parts of this talk have been handled at a not so technical level at
https://www.suse.com/c/live-patching-...
Nicolai Stange