From: Kees Cook
To: Kent Overstreet
Cc: Andy Lutomirski, Johannes Thumshirn, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-bcachefs@vger.kernel.org, Kent Overstreet, Andrew Morton, Uladzislau Rezki, hch@infradead.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 07/32] mm: Bring back vmalloc_exec
Date: Mon, 19 Jun 2023 12:45:43 -0700
Message-ID: <202306191228.6A98FD25@keescook>
References: <20230509165657.1735798-1-kent.overstreet@linux.dev> <20230509165657.1735798-8-kent.overstreet@linux.dev> <3508afc0-6f03-a971-e716-999a7373951f@wdc.com> <202305111525.67001E5C4@keescook> <202305161401.F1E3ACFAC@keescook> <1d249326-e3dd-9c9d-7b53-2fffeb39bfb4@kernel.org>
On Sat, Jun 17, 2023 at 11:34:31AM -0400, Kent Overstreet wrote:
> On Fri, Jun 16, 2023 at 09:13:22PM -0700, Andy Lutomirski wrote:
> > On 5/16/23 14:20, Kent Overstreet wrote:
> > > On Tue, May 16, 2023 at 02:02:11PM -0700, Kees Cook wrote:
> > > > For something that small, why not use the text_poke API?
> > >
> > > This looks like it's meant for patching existing kernel text, which
> > > isn't what I want - I'm generating new functions on the fly, one per
> > > btree node.
> >
> > Dynamically generating code is a giant can of worms.
> >
> > Kees touched on a basic security thing: a linear address mapped W+X is a big
> > no-no. And that's just scratching the surface -- ideally we would have a
> > strong protocol for generating code: the code is generated in some
> > extra-secure context, then it's made immutable and double-checked, then
> > it becomes live.
>
> "Double checking" arbitrary code is fantasy. You can't "prove the
> security" of arbitrary code post compilation.

I think there's a misunderstanding here about the threat model I'm interested in protecting against for JITs. While making sure the VM of a JIT is safe in itself, that's separate from what I'm concerned about. The threat model is about flaws _elsewhere_ in the kernel that can leverage the JIT machinery to convert a "write anything anywhere anytime" exploit primitive into an "execute anything" primitive.

Arguments can be made to say "a write anything flaw means the total collapse of the security model so there's no point defending against it", but both that type of flaw and the slippery slope argument don't stand up well to real-world situations. The kinds of flaws we've seen are frequently limited in scope (write 1 byte, write only NULs, write only in a specific range, etc), but when chained together, the weakest link is what ultimately compromises the kernel.
As such, "W^X" is a basic building block of the kernel's self-defense methods, because it is such a potent target for write->execute attack upgrades. Since a JIT constructs something that will become executable, it needs to defend itself against stray writes from other threads. Since Linux doesn't (really) use per-CPU page tables, the workspace for a JIT can be targeted by something that isn't the JIT. To deal with this, JITs need to use 3 phases: a writing pass (into W memory), then switch it to RO and perform a verification pass (construct it again, but compare results to the RO version), and finally switch it executable. Or, it can use writes to memory that only the local CPU can perform (i.e. text_poke(), which uses a different set of page tables with different permissions).

Without basic W^X, it becomes extremely difficult to build further defenses (e.g. protecting page tables themselves, etc) since WX will remain the easiest target.

-Kees

-- 
Kees Cook
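The three-phase sequence Kees describes (write into W memory, seal RO and verify by regenerating and comparing, then flip to X), shown as an added user-space model. This is example code written for this page, not bcachefs or kernel code; it assumes Linux with glibc on x86-64 or arm64, uses mmap/mprotect in place of the kernel's page-table changes, and does not model the text_poke() alternative (a temporary mm only the local CPU can write through has no user-space equivalent). The "compiler" is a hypothetical encoder that emits "return imm"; the stray_write flag simulates an unrelated flaw writing into the workspace while it is still W, which is the write->execute upgrade the thread is about. The corrupted build is rejected in phase 2 and never becomes executable.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum jit_status {
	JIT_OK = 0,
	JIT_ERR_ARCH = -1,	/* no encoder for this ISA */
	JIT_ERR_MMAP = -2,
	JIT_ERR_VERIFY = -3,	/* sealed bytes differ from a fresh regeneration */
	JIT_ERR_MPROTECT = -4,
};

/* Hypothetical "compiler": deterministically encode "return imm" for the host
 * ISA, so the same generator can be re-run against the sealed copy in phase 2.
 * Returns the number of bytes emitted, 0 if unsupported or out of space. */
static size_t emit_return_imm(uint8_t *out, size_t cap, uint32_t imm)
{
#if defined(__x86_64__)
	if (cap < 6)
		return 0;
	out[0] = 0xB8;				/* mov eax, imm32 (little-endian) */
	memcpy(out + 1, &imm, 4);
	out[5] = 0xC3;				/* ret */
	return 6;
#elif defined(__aarch64__)
	uint32_t insn[2];
	if (cap < 8 || imm > 0xFFFF)
		return 0;
	insn[0] = 0x52800000u | (imm << 5);	/* movz w0, #imm16 */
	insn[1] = 0xD65F03C0u;			/* ret */
	memcpy(out, insn, 8);
	return 8;
#else
	(void)out; (void)cap; (void)imm;
	return 0;
#endif
}

/* Run the three phases for one generated function and call it. Returns the
 * function's value, or a negative jit_status if the code never went live.
 * stray_write != 0 simulates an unrelated kernel flaw writing into the
 * workspace while it is still W (constructed fault, not a real bug). */
static long jit_return_imm(uint32_t imm, int stray_write)
{
	uint8_t scratch[16] = { 0 };
	long pg = sysconf(_SC_PAGESIZE);
	size_t cap = pg > 0 ? (size_t)pg : 4096, len;
	uint8_t *text;
	long rc = JIT_ERR_MMAP;

	text = mmap(NULL, cap, PROT_READ | PROT_WRITE,
		    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (text == MAP_FAILED)
		return rc;

	/* Phase 1: write pass into memory that is W but never X. */
	rc = JIT_ERR_ARCH;
	len = emit_return_imm(text, cap, imm);
	if (len == 0)
		goto out;
	if (stray_write)
		text[len - 1] ^= 0x01;		/* corrupt the last instruction byte */

	/* Phase 2: drop W, then regenerate into scratch and compare with the
	 * sealed copy. Nothing that fails here ever becomes executable. */
	rc = JIT_ERR_MPROTECT;
	if (mprotect(text, cap, PROT_READ) != 0)
		goto out;
	rc = JIT_ERR_VERIFY;
	if (emit_return_imm(scratch, sizeof scratch, imm) != len ||
	    memcmp(scratch, text, len) != 0)
		goto out;

	/* Phase 3: RO -> RX. The mapping was never W+X at any point. */
	rc = JIT_ERR_MPROTECT;
	if (mprotect(text, cap, PROT_READ | PROT_EXEC) != 0)
		goto out;
	__builtin___clear_cache((char *)text, (char *)text + len);

	rc = ((uint32_t (*)(void))(uintptr_t)text)();
out:
	munmap(text, cap);
	return rc;
}

int main(void)
{
	printf("clean build: %ld\n", jit_return_imm(42, 0));	/* 42 */
	printf("stray write: %ld\n", jit_return_imm(42, 1));	/* -3 */
	return 0;
}
```

The verification pass only works because the generator is deterministic and is re-run from the same inputs, not from the sealed bytes; in a real JIT the second construction must not read the workspace it is checking. Note also that user-space mprotect() on an anonymous mapping may be denied by a mandatory W^X policy (e.g. SELinux execmem), which the example reports as JIT_ERR_MPROTECT rather than falling back to a W+X mapping.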