From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id F0793C433EF
	for <linux-arm-kernel@archiver.kernel.org>; Mon, 13 Jun 2022 16:38:38 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:
	Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=Wm3bdP2bD8sGKZO4+rP7ZHSBg8tdG3oHGYoZuzHOB2U=; b=F3TaF/RgUngGb8
	RPJA12s5LNHCUyXRP/q1sCyVP6nfwp0NIaQ7WD1EMHsQ+BvhwcOKaI1Rm8M7nqqcUGWY9dEk4r15a
	W8aJruTS4PdjnSO1R6CfVL3u/doM4mAxk8sqIqCK0bQtLP/TCoR9F/UTuSH7XxDvFkRoL9JzQ8UZi
	RY3h0OoTEba8kIPR9uz7Ot5pJ7iyN1Yt1DvqM8qmZfF/MIwZcM7bbotd1dbx+3Gt8VMmGs0lv/GGl
	L2aA5TtkXRxJhlENWmnwFpEsTPOJebQPhJ2IeyAAQNhF64qoVftQbxXWJzeQUSVL5wX174Ic7ybF8
	ha4sHRLGCLUb8/tvckqw==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1o0n4C-004iv5-9d; Mon, 13 Jun 2022 16:37:28 +0000
Received: from mail-pl1-x62e.google.com ([2607:f8b0:4864:20::62e])
	by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
	id 1o0n49-004itx-0I
	for linux-arm-kernel@lists.infradead.org; Mon, 13 Jun 2022 16:37:26 +0000
Received: by mail-pl1-x62e.google.com with SMTP id i15so5557753plr.1
        for <linux-arm-kernel@lists.infradead.org>; Mon, 13 Jun 2022 09:37:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=LPXLt9kVpe5Fsi5X1PQCacaJ2vWmIlJcfhVyG9efN0o=;
        b=RW9lBaK0fKKAC/862pfH/kb5UyFjW3glVd7xVHcskrr5o9j1oOG5rfYjOQRaCIbDlb
         ilsSbVHf0M43wrnjgX8JdlfXeptyuAFygTdeVW4GnknNawl+8VtP3LC+hApkqzkYrqC/
         GUVFz6T6A+sBRTFYivsnz1bcqd76Ec+6t91fE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=LPXLt9kVpe5Fsi5X1PQCacaJ2vWmIlJcfhVyG9efN0o=;
        b=hbr6uIHCH/IsSoYKjULvlnB6K/VrFJXSbiMsQivKdbdpPEj7leDVDIUXV0RXwxnCAI
         HZ0iOaUfHDd7tgsDLqLXfU8np7d6gCkb05W/fzXe+wEy935nlgIOyYXxCYyagxnn4M8Z
         0oDby8Jg1kMBp3o+mq/uIDES8sy6SyWITYOUDyifDlao0klzic/QzTBzHSqS4WR17SG2
         dK4yxNbXJCar7XsfgAVxFVo4tNV8aaIaErePdADgUVX3eJ9F2SWg1lera684XVT4r3WA
         VuC1QKds9E1wwT+lZKOVcXP6NI2mI0o99AfN1RP9GI4UtRK5dMafIxHisuOe1CYw9a5L
         woUQ==
X-Gm-Message-State: AOAM532Sl7Cjvlmq+XupbDwCjvX1o+8i1Rx+8HMK6Si6MIQLLJcDERGD
	5xv37cOK/hEmf7TKY4enu/kx9w==
X-Google-Smtp-Source: ABdhPJxomxONaGPsH9OZEbVxM7EXcFB/LR/hLbxJ1vhR4m7eLeMmROa0gPYiYHYHcqjy9asXQTlzBQ==
X-Received: by 2002:a17:90b:1c86:b0:1ea:4ceb:2788 with SMTP id oo6-20020a17090b1c8600b001ea4ceb2788mr16785406pjb.16.1655138237683;
        Mon, 13 Jun 2022 09:37:17 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id jc17-20020a17090325d100b0015e8da1f9e8sm5349510plb.77.2022.06.13.09.37.17
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 13 Jun 2022 09:37:17 -0700 (PDT)
Date: Mon, 13 Jun 2022 09:37:16 -0700
From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org, linux-hardening@vger.kernel.org,
	Marc Zyngier <maz@kernel.org>, Will Deacon <will@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Mark Brown <broonie@kernel.org>,
	Anshuman Khandual <anshuman.khandual@arm.com>
Subject: Re: [PATCH v4 24/26] mm: add arch hook to validate mmap() prot flags
Message-ID: <202206130932.592AAE7@keescook>
References: <20220613144550.3760857-1-ardb@kernel.org>
 <20220613144550.3760857-25-ardb@kernel.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20220613144550.3760857-25-ardb@kernel.org>
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220613_093725_099713_53FDF4D7 
X-CRM114-Status: GOOD (  26.97  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

On Mon, Jun 13, 2022 at 04:45:48PM +0200, Ard Biesheuvel wrote:
> Add a hook to permit architectures to perform validation on the prot
> flags passed to mmap(), like arch_validate_prot() does for mprotect().
> This will be used by arm64 to reject PROT_WRITE+PROT_EXEC mappings on
> configurations that run with WXN enabled.
> 
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>  include/linux/mman.h | 15 +++++++++++++++
>  mm/mmap.c            |  3 +++
>  2 files changed, 18 insertions(+)
> 
> diff --git a/include/linux/mman.h b/include/linux/mman.h
> index 58b3abd457a3..53ac72310ce0 100644
> --- a/include/linux/mman.h
> +++ b/include/linux/mman.h
> @@ -120,6 +120,21 @@ static inline bool arch_validate_flags(unsigned long flags)
>  #define arch_validate_flags arch_validate_flags
>  #endif
>  
> +#ifndef arch_validate_mmap_prot
> +/*
> + * This is called from mmap(), which ignores unknown prot bits so the default
> + * is to accept anything.
> + *
> + * Returns true if the prot flags are valid
> + */
> +static inline bool arch_validate_mmap_prot(unsigned long prot,
> +					   unsigned long addr)
> +{
> +	return true;
> +}
> +#define arch_validate_mmap_prot arch_validate_mmap_prot
> +#endif
> +
>  /*
>   * Optimisation macro.  It is equivalent to:
>   *      (x & bit1) ? bit2 : 0
> diff --git a/mm/mmap.c b/mm/mmap.c
> index 61e6135c54ef..4a585879937d 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -1437,6 +1437,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
>  		if (!(file && path_noexec(&file->f_path)))
>  			prot |= PROT_EXEC;
>  
> +	if (!arch_validate_mmap_prot(prot, addr))
> +		return -EACCES;

I assume yes, but just to be clear, the existing userspace programs that
can switch modes are checking for EACCES? (Or are just just checking for
failure generally?) It looks like, for example, SELinux returns EACCES
too, so this looks correct. (Looking at the mmap man page, it seems the
ship has sailed for this to be EPERM, which looks more correct to me,
but so be it.)

> +
>  	/* force arch specific MAP_FIXED handling in get_unmapped_area */
>  	if (flags & MAP_FIXED_NOREPLACE)
>  		flags |= MAP_FIXED;
> -- 
> 2.30.2
> 

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel