From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9FF3BC433F5 for ; Fri, 22 Apr 2022 10:30:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=F0KzSHMCRgfvE2rdXqBaYFORKCE7x5AUK3W532N9ieo=; b=dcEV+uRbnEk9Yf sf4ZlyBVtt71DdvAczTmZf2gYODTMGTBIbIfZLqec7OckDEb+j14Q3Ov8sUpvXHQjHbtm5FiCAlnw c9p6iaD/+LdPbW6xKGm4dnRvifkhKRvFfCoQAk+JntO6bhW6xAriWE7XVRLGbjg6KcmteG+mqjdph a1TYBPep4/kN85+Z6NMX8wapYsTfwWKySvEpncK71tc72AssyZYNydvXz8AIyeehBhQF62XiFibsC EOOlv16xagwlYJyAHJU6dcw3J86SQ0sKBhAbEIcigwtifawbU6y08dkl5JEI0H0zYBw7kO7Tg8OpT SY3yQ+lR7Shl18ps6ZVA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nhqXD-0001K5-5o; Fri, 22 Apr 2022 10:29:07 +0000 Received: from dfw.source.kernel.org ([2604:1380:4641:c500::1]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nhqX9-0001IT-Tx for linux-arm-kernel@lists.infradead.org; Fri, 22 Apr 2022 10:29:05 +0000 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5459A61E8A; Fri, 22 Apr 2022 10:29:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C4F27C385A0; Fri, 22 Apr 2022 10:28:59 +0000 (UTC) Date: Fri, 22 Apr 2022 11:28:56 +0100 From: Catalin Marinas To: David Hildenbrand Cc: Andrew Morton , Christoph Hellwig , Lennart Poettering , Zbigniew =?utf-8?Q?J=C4=99drzejewski-Szmek?= , Will Deacon , Alexander Viro , Eric Biederman , Kees Cook , Szabolcs Nagy , Mark Brown , Jeremy Linton , Topi Miettinen , "linux-mm@kvack.org" , "linux-arm-kernel@lists.infradead.org" , "linux-kernel@vger.kernel.org" , "linux-abi-devel@lists.sourceforge.net" Subject: Re: [PATCH RFC 2/4] mm, personality: Implement memory-deny-write-execute as a personality flag Message-ID: References: <20220413134946.2732468-1-catalin.marinas@arm.com> <20220413134946.2732468-3-catalin.marinas@arm.com> <443d978a-7092-b5b1-22f3-ae3a997080ad@redhat.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <443d978a-7092-b5b1-22f3-ae3a997080ad@redhat.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220422_032904_088604_4F00EABC X-CRM114-Status: GOOD ( 32.65 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Apr 21, 2022 at 06:37:49PM +0100, David Hildenbrand wrote: > On 13.04.22 15:49, Catalin Marinas wrote: > > The aim of such policy is to prevent a user task from inadvertently > > creating an executable mapping that is or was writeable (and > > subsequently made read-only). > > > > An example of mmap() returning -EACCESS if the policy is enabled: > > > > mmap(0, size, PROT_READ | PROT_WRITE | PROT_EXEC, flags, 0, 0); > > > > Similarly, mprotect() would return -EACCESS below: > > > > addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0); > > mprotect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC); > > > > With the past vma writeable permission tracking, mprotect() below would > > also fail with -EACCESS: > > > > addr = mmap(0, size, PROT_READ | PROT_WRITE, flags, 0, 0); > > mprotect(addr, size, PROT_READ | PROT_EXEC); > > > > While the above could be achieved by checking PROT_WRITE & PROT_EXEC on > > mmap/mprotect and denying mprotect(PROT_EXEC) altogether (current > > systemd MDWE approach via SECCOMP BPF filters), we want the following > > scenario to succeed: > > > > addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0); > > mprotect(addr, size, PROT_READ | PROT_EXEC | PROT_BTI); > > > > where PROT_BTI enables branch tracking identification on arm64. > > > > The choice for a DENY_WRITE_EXEC personality flag, inherited on fork() > > and execve(), was made by analogy to READ_IMPLIES_EXEC. > > > > Note that it is sufficient to check for VM_WAS_WRITE in > > map_deny_write_exec() as this flag is always set on VM_WRITE mappings. > > > > Signed-off-by: Catalin Marinas > > Cc: Christoph Hellwig > > Cc: Andrew Morton > > How does this interact with get_user_pages(FOLL_WRITE|FOLL_FORCE) on a > VMA that is VM_MAYWRITE but not VM_WRITE? Is it handled accordingly? For now, that's just about VM_WRITE. Most vmas are VM_MAYWRITE, so we can't really have MAYWRITE^EXEC. The basic feature aims to avoid user vulnerabilities where a buffer is mapped both writeable and executable. Of course, it can be expanded with additional prctl() flags to cover other cases. > Note that in the (FOLL_WRITE|FOLL_FORCE) we only require VM_MAYWRITE on > the vma and trigger a write fault. As the VMA is not VM_WRITE, we won't > actually map the PTE writable, but set it dirty. GUP will retry, find a > R/O pte that is dirty and where it knows that it broke COW and will > allow the read access, although the PTE is R/O. > > That mechanism is required to e.g., set breakpoints in R/O MAP_PRIVATE > kernel sections, but it's used elsewhere for page pinning as well. > > My gut feeling is that GUP(FOLL_WRITE|FOLL_FORCE) could be used right > now to bypass that mechanism, I might be wrong. GUP can be used to bypass this. But if an attacker can trigger such GUP paths via a syscall (e.g. ptrace(PTRACE_POKEDATA)), I think we need the checks on those paths (and reject the syscall) rather than on mmap/mprotect(). This would be covered by something like CAP_SYS_PTRACE. Not sure what would break if we prevent GUP(FOLL_WRITE|FOLL_FORCE) when the vma is !VM_WRITE, basically removing FOLL_FORCE. I guess for ptrace() and uprobes that's fine. We could also make this only about VM_EXEC rather than VM_WRITE, though we'd probably need to set VM_WAS_WRITE if we ever had a GUP(FOLL_WRITE|FOLL_FORCE) in order to prevent a subsequent mprotect(PROT_EXEC). Anyway, this can be a new flag. My first aim is to get the basics working similarly to systemd's MDWE. -- Catalin _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel