Date: Tue, 16 May 2023 13:06:58 -0700
From: Kees Cook
To: jeffxu@chromium.org
Cc: dave.hansen@intel.com, luto@kernel.org, jorgelo@chromium.org, groeck@chromium.org, jannh@google.com, sroettger@google.com, akpm@linux-foundation.org, jeffxu@google.com, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 5/6] KEY: Apply PKEY_ENFORCE_API to munmap
Message-ID: <202305161302.16BF756DEA@keescook>
References: <20230515130553.2311248-1-jeffxu@chromium.org> <20230515130553.2311248-6-jeffxu@chromium.org>
In-Reply-To: <20230515130553.2311248-6-jeffxu@chromium.org>

On Mon, May 15, 2023 at 01:05:51PM +0000, jeffxu@chromium.org wrote:
> From: Jeff Xu
>
> This patch enables PKEY_ENFORCE_API for the munmap
> syscall.
>
> Signed-off-by: Jeff Xu
> ---
> include/linux/mm.h | 2 +-
> mm/mmap.c | 34 ++++++++++++++++++++++++++--------
> mm/mremap.c | 6 ++++--
> 3 files changed, 31 insertions(+), 11 deletions(-)
> > diff --git a/include/linux/mm.h b/include/linux/mm.h > index 27ce77080c79..48076e845d53 100644 > --- a/include/linux/mm.h > +++ b/include/linux/mm.h > @@ -3136,7 +3136,7 @@ extern unsigned long do_mmap(struct file *file, unsigned long addr, > unsigned long pgoff, unsigned long *populate, struct list_head *uf); > extern int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, > unsigned long start, size_t len, struct list_head *uf, > - bool downgrade); > + bool downgrade, bool syscall); For type checking and readability, I suggest using an enum instead of "bool". Perhaps something like: enum caller_origin { ON_BEHALF_OF_KERNEL = 0, ON_BEHALF_OF_USERSPACE, }; extern int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, unsigned long start, size_t len, struct list_head *uf, - bool downgrade); + bool downgrade, enum caller_origin called); > extern int do_munmap(struct mm_struct *, unsigned long, size_t, > struct list_head *uf); > extern int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int behavior); > diff --git a/mm/mmap.c b/mm/mmap.c > index 13678edaa22c..29329aa794a6 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -2498,6 +2498,7 @@ do_vmi_align_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma, > * @uf: The userfaultfd list_head > * @downgrade: set to true if the user wants to attempt to write_downgrade the > * mmap_lock > + * @syscall: set to true if this is called from syscall entry > * > * This function takes a @mas that is either pointing to the previous VMA or set > * to MA_START and sets it up to remove the mapping(s). The @len will be > @@ -2507,7 +2508,7 @@ do_vmi_align_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma, > */ > int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, > unsigned long start, size_t len, struct list_head *uf, > - bool downgrade) > + bool downgrade, bool syscall) > { > unsigned long end; > struct vm_area_struct *vma; 
> @@ -2519,6 +2520,19 @@ int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, > if (end == start) > return -EINVAL; > > + /* > + * When called by syscall from userspace, check if the calling > + * thread has the PKEY permission to modify the memory mapping. > + */ > + if (syscall && arch_check_pkey_enforce_api(mm, start, end) < 0) { if (called == ON_BEHALF_OF_USERSPACE && arch_check_pkey_enforce_api(mm, start, end) < 0) { > + char comm[TASK_COMM_LEN]; > + > + pr_warn_ratelimited( > + "munmap was denied on PKEY_ENFORCE_API memory, pid=%d '%s'\n", > + task_pid_nr(current), get_task_comm(comm, current)); > + return -EACCES; > + } > + > /* arch_unmap() might do unmaps itself. */ > arch_unmap(mm, start, end); > > @@ -2541,7 +2555,7 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len, > { > VMA_ITERATOR(vmi, mm, start); > > - return do_vmi_munmap(&vmi, mm, start, len, uf, false); > + return do_vmi_munmap(&vmi, mm, start, len, uf, false, false); + return do_vmi_munmap(&vmi, mm, start, len, uf, false, ON_BEHALF_OF_KERNEL); > [...] > SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) > { > addr = untagged_addr(addr); > - return __vm_munmap(addr, len, true); > + return __vm_munmap(addr, len, true, true); + return __vm_munmap(addr, len, true, ON_BEHALF_OF_USERSPACE); etc. -- Kees Cook
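Review bot: The new @syscall kerneldoc line in the do_vmi_munmap() comment block (mm/mmap.c, hunk at @@ -2498) says when the flag is set but not what it does. State that a true value makes the function call arch_check_pkey_enforce_api() on the range and return -EACCES on denial, so a reader of the kerneldoc can tell that passing false skips the PKEY_ENFORCE_API check.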
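Review bot: In the mm/mmap.c hunk at @@ -2519, the denial branch calls pr_warn_ratelimited() on a path that is reached directly from the munmap() syscall, so a process that keeps issuing denied calls can keep writing warnings to the kernel log up to the rate limit. Consider a lower log level or a different reporting mechanism for this case. The same branch also turns every negative return from arch_check_pkey_enforce_api() into -EACCES; if that helper can fail for a reason other than a permission denial, return its value instead.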
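Review bot: In the do_munmap() hunk (mm/mmap.c, @@ -2541), the new argument is hard-coded to false, so every caller of do_munmap() skips the PKEY_ENFORCE_API check whether or not it is servicing a userspace request. Add a comment on do_munmap() stating that it is exempt from the check and why, or pass the caller origin through do_munmap() so that callers acting for userspace can request enforcement.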