From: Kees Cook
To: Kent Overstreet
Cc: Johannes Thumshirn, "linux-kernel@vger.kernel.org", "linux-fsdevel@vger.kernel.org", "linux-bcachefs@vger.kernel.org", Kent Overstreet, Andrew Morton, Uladzislau Rezki, "hch@infradead.org", "linux-mm@kvack.org", "linux-hardening@vger.kernel.org"
Subject: Re: [PATCH 07/32] mm: Bring back vmalloc_exec
Date: Tue, 16 May 2023 14:02:11 -0700
Message-ID: <202305161401.F1E3ACFAC@keescook>

On Fri, May 12, 2023 at 02:41:50PM -0400, Kent Overstreet wrote:
> On Thu, May 11, 2023 at 03:28:40PM -0700, Kees Cook wrote:
> > On Wed, May 10, 2023 at 03:05:48PM +0000, Johannes Thumshirn wrote:
> > > On 09.05.23 18:56, Kent Overstreet wrote:
> > > > +/** > > > > + * vmalloc_exec - allocate virtually contiguous, executable memory > > > > + * @size: allocation size > > > > + * > > > > + * Kernel-internal function to allocate enough pages to cover @size > > > > + * the page level allocator and map them into contiguous and > > > > + * executable kernel virtual space. > > > > + * > > > > + * For tight control over page level allocator and protection flags > > > > + * use __vmalloc() instead. > > > > + * > > > > + * Return: pointer to the allocated memory or %NULL on error > > > > + */ > > > > +void *vmalloc_exec(unsigned long size, gfp_t gfp_mask) > > > > +{ > > > > + return __vmalloc_node_range(size, 1, VMALLOC_START, VMALLOC_END, > > > > + gfp_mask, PAGE_KERNEL_EXEC, VM_FLUSH_RESET_PERMS, > > > > + NUMA_NO_NODE, __builtin_return_address(0)); > > > > +} > > > > +EXPORT_SYMBOL_GPL(vmalloc_exec);
> > > >
> > > Uh W+X memory regions.
> > > The 90s called, they want their shellcode back.
> >
> > Just to clarify: the kernel must never create W+X memory regions. So,
> > no, do not reintroduce vmalloc_exec().
> >
> > Dynamic code areas need to be constructed in a non-executable memory,
> > then switched to read-only and verified to still be what was expected,
> > and only then made executable.
>
> So if we're opening this up to the topic of what an acceptable API would
> look like - how hard is this requirement?
>
> The reason is that the functions we're constructing are only ~50 bytes,
> so we don't want to be burning a full page per function (particularly
> for the 64kb page architectures...)

For something that small, why not use the text_poke API?

--
Kees Cook
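
Review bot: In vmalloc_exec(), passing PAGE_KERNEL_EXEC to __vmalloc_node_range() gives the caller a mapping that is already executable at the point where it still has to write its code into it, which is the W+X objection raised in the replies; an interface that lets the code be written while the mapping is non-executable, and only afterwards switches it to executable, would avoid that. Separately, the kernel-doc block documents @size but not the gfp_mask parameter, and the sentence "allocate enough pages to cover @size the page level allocator" is missing a word.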
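
The sequence Kees Cook describes in the quoted reply (construct in non-executable memory, switch to read-only, verify, only then make executable), as an added userspace C example; it is not kernel code and not from this thread. `publish_code`, `run_sample` and the sample bytes are hypothetical, and `mmap`/`mprotect` stand in for the kernel's own permission changes.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample: x86-64 machine code for "mov eax, 42; ret". */
static const uint8_t sample_code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

/* Hypothetical helper: executable copy of code[0..len) or NULL.
 * The mapping is never writable and executable at the same time. */
void *publish_code(const uint8_t *code, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t maplen = (len + page - 1) & ~(page - 1);
    if (len == 0)
        return NULL;
    /* 1. Construct in writable, non-executable memory. */
    uint8_t *p = mmap(NULL, maplen, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, code, len);
    /* 2. Drop write access before anything trusts the contents. */
    if (mprotect(p, maplen, PROT_READ) != 0)
        goto fail;
    /* 3. Verify the now-immutable bytes are still what was expected. */
    if (memcmp(p, code, len) != 0)
        goto fail;
    /* 4. Only then make it executable (read + exec, still not writable). */
    if (mprotect(p, maplen, PROT_READ | PROT_EXEC) != 0)
        goto fail;
    __builtin___clear_cache((char *)p, (char *)p + len);
    return p;
fail:
    munmap(p, maplen);
    return NULL;
}

/* Returns 0 on success; the sample is only executed on x86-64. */
int run_sample(void)
{
    void *fn = publish_code(sample_code, sizeof(sample_code));
    if (fn == NULL) return -1;
#if defined(__x86_64__)
    if (((int (*)(void))fn)() != 42) return -2;
#endif
    return 0;
}
int main(void) { return run_sample(); }
```

Each call here consumes at least one whole page, which is the per-function cost the ~50-byte case in the thread is trying to avoid.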