From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 3DCABC433FE
	for <linux-arm-kernel@archiver.kernel.org>; Fri, 22 Apr 2022 11:05:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:In-Reply-To:From:References:Cc:To:
	Subject:MIME-Version:Date:Message-ID:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=OqaTfPgJbiVXwyX7EUL7FTjTavaFF801dkc9CDzptWA=; b=WxCsIYm6k7BhSe
	Xuqk0pBcClw4/o233QKU+2quZcuX0SslPr+mZx2WYK+j0I8FtG2/fCmyKUHkJhIrEtbRt6ns1Jt9v
	HU7ppl99KHO/stEAEaQCG3+oG30ebXjdtTYMcEMM/0LHDrrX3nLeCnFB4qgaaH7ku5VHJJVR6k0CO
	2G+lI1qVW17CaA9jZEr5fp6GfsQsto46AJNuLgbg++GFFC32aYbdyBvC+nu2zJnOjmT7T7FZPLYru
	pAqeSAnMNWJzpcmdfbjJ8DZIcJjOdfWz8uPbbC5aSY41OT/x5KR0LgNvcTTUVBeiMg6Ee55wiQSJf
	02f8vt7aa/7PNqJZpF1w==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1nhr5d-0008gI-Uw; Fri, 22 Apr 2022 11:04:42 +0000
Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124])
 by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
 id 1nhr5a-0008ek-KZ
 for linux-arm-kernel@lists.infradead.org; Fri, 22 Apr 2022 11:04:40 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1650625477;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=jRi6fF/wPrjuetNQMKTMoWZvwVCVWmt81i4fHNIav04=;
 b=HIpJLce9AMTjwYOwM5XYERkpoENddDZC4Sm00nvM9/kp/smf0C56nzXuAHjYgioEUBpC1y
 H3z663s+EBOqkPu72xjQommwIKct75oMtGfFnigCNljbc2iWWIy8wckP8Sw9FchwBhXObd
 clbVe7n5ZfSdq3gGW6aN1S7CLFAE160=
Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com
 [209.85.221.72]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-619-CpllF4-xPdGFVFbDztbXww-1; Fri, 22 Apr 2022 07:04:34 -0400
X-MC-Unique: CpllF4-xPdGFVFbDztbXww-1
Received: by mail-wr1-f72.google.com with SMTP id
 n17-20020adfc611000000b0020a7e397ccaso1784849wrg.23
 for <linux-arm-kernel@lists.infradead.org>;
 Fri, 22 Apr 2022 04:04:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
 :content-language:to:cc:references:from:organization:in-reply-to
 :content-transfer-encoding;
 bh=jRi6fF/wPrjuetNQMKTMoWZvwVCVWmt81i4fHNIav04=;
 b=qI+FZGmeWskRIUhg6Xz9M7B4siMJdxd6zgI3WkpY+O3NdJJ7CCwBUPpne7uAF+b6KU
 Noci1mHEQRBEuCCZg/DX0pE13XD037DUesCZvfPH02h5lQpY4rXCgsx38MUIs3PhrqFd
 bpD+OefAKC0ArfTPEF/PaVHvyr3dYACJJ4XDiYWzIhZCcsL4Pnt9Cg0nkMJy6RsfYvlH
 HT3P4RaKb2uDfaKepQTsNk0iUag/6Vr3EMnVlIThkGwEYlsp49DgYCq2Oye7fefVG77k
 Qv2GYfdkZmCDmcv0L39pyWzKh83n6FVAZEjHWORtMbRrCdnl5Tv9O1LB2zTAxe6zTuqP
 j+yw==
X-Gm-Message-State: AOAM5300NI9IgYaRcQ94T2PLsa4L3UU1Sfg2tDJvya1PMadqQllJcj1s
 IwLYG27r19KmtoFfjFIKmaJzjuwoptpFaR7h70OM2897hp7j80MOfyDs4yQROncNg72JYXjUz2C
 ZywNbRN546+VlShZ1srPyZEGUR0vdDdhZxOs=
X-Received: by 2002:a5d:598c:0:b0:20a:9194:22d4 with SMTP id
 n12-20020a5d598c000000b0020a919422d4mr3286591wri.124.1650625473023; 
 Fri, 22 Apr 2022 04:04:33 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyOzP+TC7jlZrImUxt5R3LgWdlydQp4XEVcEFtjbin355B40Vrl+xA1tCmlMVyrQnlww3ZSMA==
X-Received: by 2002:a5d:598c:0:b0:20a:9194:22d4 with SMTP id
 n12-20020a5d598c000000b0020a919422d4mr3286563wri.124.1650625472715; 
 Fri, 22 Apr 2022 04:04:32 -0700 (PDT)
Received: from ?IPV6:2003:cb:c702:dd00:745e:20b7:bfa4:2e5f?
 (p200300cbc702dd00745e20b7bfa42e5f.dip0.t-ipconnect.de.
 [2003:cb:c702:dd00:745e:20b7:bfa4:2e5f])
 by smtp.gmail.com with ESMTPSA id
 c9-20020a5d4149000000b00207adbc4982sm1416161wrq.94.2022.04.22.04.04.31
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Fri, 22 Apr 2022 04:04:32 -0700 (PDT)
Message-ID: <59401856-0e45-0ee6-1e45-667c8e00cf21@redhat.com>
Date: Fri, 22 Apr 2022 13:04:31 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.6.2
Subject: Re: [PATCH RFC 2/4] mm, personality: Implement
 memory-deny-write-execute as a personality flag
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
 Christoph Hellwig <hch@infradead.org>,
 Lennart Poettering <lennart@poettering.net>,
 =?UTF-8?Q?Zbigniew_J=c4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>,
 Will Deacon <will@kernel.org>, Alexander Viro <viro@zeniv.linux.org.uk>,
 Eric Biederman <ebiederm@xmission.com>, Kees Cook <keescook@chromium.org>,
 Szabolcs Nagy <Szabolcs.Nagy@arm.com>, Mark Brown <broonie@kernel.org>,
 Jeremy Linton <Jeremy.Linton@arm.com>, Topi Miettinen <toiwoton@gmail.com>,
 "linux-mm@kvack.org" <linux-mm@kvack.org>,
 "linux-arm-kernel@lists.infradead.org"
 <linux-arm-kernel@lists.infradead.org>,
 "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
 "linux-abi-devel@lists.sourceforge.net"
 <linux-abi-devel@lists.sourceforge.net>
References: <20220413134946.2732468-1-catalin.marinas@arm.com>
 <20220413134946.2732468-3-catalin.marinas@arm.com>
 <443d978a-7092-b5b1-22f3-ae3a997080ad@redhat.com> <YmKDaEaOpOaKl7m9@arm.com>
From: David Hildenbrand <david@redhat.com>
Organization: Red Hat
In-Reply-To: <YmKDaEaOpOaKl7m9@arm.com>
Authentication-Results: relay.mimecast.com;
 auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=david@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220422_040438_799172_8ABBA9E3 
X-CRM114-Status: GOOD (  25.30  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

On 22.04.22 12:28, Catalin Marinas wrote:
> On Thu, Apr 21, 2022 at 06:37:49PM +0100, David Hildenbrand wrote:
>> On 13.04.22 15:49, Catalin Marinas wrote:
>>> The aim of such policy is to prevent a user task from inadvertently
>>> creating an executable mapping that is or was writeable (and
>>> subsequently made read-only).
>>>
>>> An example of mmap() returning -EACCESS if the policy is enabled:
>>>
>>> 	mmap(0, size, PROT_READ | PROT_WRITE | PROT_EXEC, flags, 0, 0);
>>>
>>> Similarly, mprotect() would return -EACCESS below:
>>>
>>> 	addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
>>> 	mprotect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
>>>
>>> With the past vma writeable permission tracking, mprotect() below would
>>> also fail with -EACCESS:
>>>
>>> 	addr = mmap(0, size, PROT_READ | PROT_WRITE, flags, 0, 0);
>>> 	mprotect(addr, size, PROT_READ | PROT_EXEC);
>>>
>>> While the above could be achieved by checking PROT_WRITE & PROT_EXEC on
>>> mmap/mprotect and denying mprotect(PROT_EXEC) altogether (current
>>> systemd MDWE approach via SECCOMP BPF filters), we want the following
>>> scenario to succeed:
>>>
>>> 	addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
>>> 	mprotect(addr, size, PROT_READ | PROT_EXEC | PROT_BTI);
>>>
>>> where PROT_BTI enables branch tracking identification on arm64.
>>>
>>> The choice for a DENY_WRITE_EXEC personality flag, inherited on fork()
>>> and execve(), was made by analogy to READ_IMPLIES_EXEC.
>>>
>>> Note that it is sufficient to check for VM_WAS_WRITE in
>>> map_deny_write_exec() as this flag is always set on VM_WRITE mappings.
>>>
>>> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
>>> Cc: Christoph Hellwig <hch@infradead.org>
>>> Cc: Andrew Morton <akpm@linux-foundation.org>
>>
>> How does this interact with get_user_pages(FOLL_WRITE|FOLL_FORCE) on a
>> VMA that is VM_MAYWRITE but not VM_WRITE? Is it handled accordingly?
> 
> For now, that's just about VM_WRITE. Most vmas are VM_MAYWRITE, so we
> can't really have MAYWRITE^EXEC. The basic feature aims to avoid user
> vulnerabilities where a buffer is mapped both writeable and executable.
> Of course, it can be expanded with additional prctl() flags to cover
> other cases.
> 
>> Note that in the (FOLL_WRITE|FOLL_FORCE) we only require VM_MAYWRITE on
>> the vma and trigger a write fault. As the VMA is not VM_WRITE, we won't
>> actually map the PTE writable, but set it dirty. GUP will retry, find a
>> R/O pte that is dirty and where it knows that it broke COW and will
>> allow the read access, although the PTE is R/O.
>>
>> That mechanism is required to e.g., set breakpoints in R/O MAP_PRIVATE
>> kernel sections, but it's used elsewhere for page pinning as well.
>>
>> My gut feeling is that GUP(FOLL_WRITE|FOLL_FORCE) could be used right
>> now to bypass that mechanism, I might be wrong.
> 
> GUP can be used to bypass this. But if an attacker can trigger such GUP
> paths via a syscall (e.g. ptrace(PTRACE_POKEDATA)), I think we need the
> checks on those paths (and reject the syscall) rather than on
> mmap/mprotect(). This would be covered by something like CAP_SYS_PTRACE.
> 
> 

I was told that RDMA uses FOLL_FORCE|FOLL_WRITE and is available to
unprivileged users.

-- 
Thanks,

David / dhildenb


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel