From: "Theo de Raadt"
To: Andrew Morton
Cc: Matthew Wilcox, Jonathan Corbet, jeffxu@chromium.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, usama.anjum@collabora.com, Liam.Howlett@oracle.com, surenb@google.com, merimus@google.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v10 0/5] Introduce mseal
In-reply-to: <20240514160150.3ed0fda8af5cbd2f17c625e6@linux-foundation.org>
References: <20240415163527.626541-1-jeffxu@chromium.org> <20240514104646.e6af4292f19b834777ec1e32@linux-foundation.org> <871q646rea.fsf@meer.lwn.net> <56001.1715726927@cvs.openbsd.org> <20240514160150.3ed0fda8af5cbd2f17c625e6@linux-foundation.org>
Date: Tue, 14 May 2024 17:47:30 -0600
Message-ID: <92453.1715730450@cvs.openbsd.org>

Andrew Morton wrote:

> > I worry that the non-atomicity will one day be used by an attacker.
>
> How might an attacker exploit this?

Various ways which are going to be very application specific.

Most ways will depend on munmap / mprotect arguments being incorrect for
some reason, and callers not checking the return values.

After the system call, the memory is in a very surprising configuration.

Consider a larger memory region containing the following sections:

    [regular memory] [sealed memory] [regular memory containing a secret]

unmap() gets called on the whole region, for some reason.

The first section is removed.  It hits the sealed memory, and returns EPERM.
It does not unmap the sealed region, nor the memory containing the secret.

The return values of mprotect and munmap are *very rarely* checked, which
adds additional intrigue.  They are not checked because these system calls
never failed in this way on systems before Linux.

It is difficult to write test programs which fail under the current ENOMEM
situation (the only current failure mode, AFAIK).  But with the new mseal()
EPERM condition, it will be very easy to write programs which leave memory
behind.

I don't know how you'll document this trap in the manual page, let me try.

    If msealed memory is found inside the range [start, start+len],
    earlier memory will be unmapped, but later memory will remain unmapped
    and the system call returns error EPERM.

    If kernel memory shortage occurs while unmapping the region, early
    regions may be unmapped but higher regions may remain mapped, and the
    system call may return ENOMEM.

I feel so gross now, time for a shower..
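The scenario above, as an added example that is not part of the message or of the mseal patch series: it builds the three-section layout with one page per section, seals the middle page, calls munmap() over the whole range, and then reports what the call returned and which pages the running kernel actually left mapped. Assumptions: mseal() is reached through syscall() with number 462 (the number it was assigned on every Linux architecture, in case the libc headers predate it); mincore() is used as the "is this page still mapped" probe, since it fails with ENOMEM on an unmapped range; the string "hunter2" is a constructed stand-in for the secret. The program does not assume which pages survive; on a kernel or sandbox without mseal() it reports that and returns rather than guessing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_mseal
#define SYS_mseal 462 /* assumption: mseal()'s syscall number, the same on all Linux architectures */
#endif

/* Layout from the message, one page per section:
 * [regular memory] [sealed memory] [regular memory containing a secret] */
enum { PAGE_REGULAR = 0, PAGE_SEALED = 1, PAGE_SECRET = 2, NPAGES = 3 };

struct munmap_outcome {
    int mseal_supported;      /* 0 if mseal() failed (pre-6.10 kernel, seccomp, ...); other fields unset */
    int munmap_ret;           /* return value of munmap() over the whole three-page range */
    int munmap_errno;         /* errno after that call */
    int still_mapped[NPAGES]; /* 1 if the page is still mapped afterwards, probed with mincore() */
};

/* mincore() fails with ENOMEM if any part of [addr, addr+len) is not mapped. */
static int page_is_mapped(void *addr, size_t len)
{
    unsigned char vec;
    return mincore(addr, len, &vec) == 0;
}

struct munmap_outcome run_partial_munmap(void)
{
    struct munmap_outcome out;
    memset(&out, 0, sizeof out);
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);

    char *region = mmap(NULL, NPAGES * pagesz, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) {
        perror("mmap");
        return out;
    }
    /* Touch every page so each has a backing frame, and plant the constructed secret in the last one. */
    memset(region, 0xAA, NPAGES * pagesz);
    strcpy(region + PAGE_SECRET * pagesz, "hunter2");

    /* Seal only the middle page; flags must be 0. */
    if (syscall(SYS_mseal, region + PAGE_SEALED * pagesz, pagesz, 0UL) != 0) {
        fprintf(stderr, "mseal() unavailable here: %s\n", strerror(errno));
        munmap(region, NPAGES * pagesz);
        return out;
    }
    out.mseal_supported = 1;

    /* The call from the message: unmap the whole region, sealed page included. */
    errno = 0;
    out.munmap_ret = munmap(region, NPAGES * pagesz);
    out.munmap_errno = errno;

    for (int i = 0; i < NPAGES; i++)
        out.still_mapped[i] = page_is_mapped(region + i * pagesz, pagesz);

    /* Release whatever the kernel left behind. The sealed page itself cannot be
     * unmapped by this process; it stays until exit. */
    if (out.still_mapped[PAGE_REGULAR])
        munmap(region, pagesz);
    if (out.still_mapped[PAGE_SECRET])
        munmap(region + PAGE_SECRET * pagesz, pagesz);
    return out;
}

int main(void)
{
    static const char *names[NPAGES] = { "regular", "sealed", "secret" };
    struct munmap_outcome o = run_partial_munmap();
    if (!o.mseal_supported)
        return 1;
    printf("munmap() over the whole range returned %d, errno=%d (%s)\n",
           o.munmap_ret, o.munmap_errno, strerror(o.munmap_errno));
    for (int i = 0; i < NPAGES; i++)
        printf("  page %d (%s): %s\n", i, names[i],
               o.still_mapped[i] ? "still mapped" : "unmapped");
    return 0;
}
```

The part worth checking in any caller is the EPERM line: after that return, the sealed page and the page holding the secret are still mapped, so code that ignores munmap()'s result and later treats the region as gone is exactly the trap the message describes. Whether the page before the sealed one survives is printed rather than asserted, so the program shows what a given kernel does instead of assuming it.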