From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ali Polatel via Bugspray Bot
Date: Thu, 17 Jul 2025 13:15:08 +0000
To: bugs@lists.linux.dev, linux-mm@kvack.org, akpm@linux-foundation.org
Message-ID: <20250717-b219227c5-426a315d1e51@bugzilla.kernel.org>
In-Reply-To: <20240912-b219227c0-78bee9e213fc@bugzilla.kernel.org>
References: <20240912-b219227c0-78bee9e213fc@bugzilla.kernel.org>
Subject: Re: MDWE does not prevent read-only, executable, shared memory regions to be updated by backing file writes
X-Bugzilla-Product: Linux
X-Bugzilla-Component: Kernel
X-Mailer: bugspray 0.1-dev
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Ali Polatel added an attachment on Kernel.org Bugzilla:

Created attachment 308384
Proof-of-Concept: MDWE bypass via file-backed RX mapping on Linux x86_64

Attached is a more complete POC which (ab)uses this bug to pop a shell. If I am correct, this means as an attacker I can use this to inject shellcode into most file-backed memory mappings and have it executed despite MDWE. Tested successfully on Linux-6.15.4 on x86_64.

File: mdwe-bypass-poc.c (text/x-csrc)
Size: 1.94 KiB
Link: https://bugzilla.kernel.org/attachment.cgi?id=308384

---
Proof-of-Concept: MDWE bypass via file-backed RX mapping on Linux x86_64

You can reply to this message to join the discussion.

-- 
Deet-doot-dot, I am a bot.
Kernel.org Bugzilla (bugspray 0.1-dev)