Date: Mon, 19 Jun 2023 20:39:49 -0400
From: Kent Overstreet
To: Kees Cook
Cc: Andy Lutomirski, Johannes Thumshirn, "linux-kernel@vger.kernel.org", "linux-fsdevel@vger.kernel.org", "linux-bcachefs@vger.kernel.org", Kent Overstreet, Andrew Morton, Uladzislau Rezki, "hch@infradead.org", "linux-mm@kvack.org", "linux-hardening@vger.kernel.org"
Subject: Re: [PATCH 07/32] mm: Bring back vmalloc_exec
Message-ID: <20230620003949.kjs2z524hodwwcnt@moria.home.lan>
In-Reply-To: <202306191228.6A98FD25@keescook>

On Mon, Jun 19, 2023 at 12:45:43PM -0700, Kees Cook wrote:
> I think there's a misunderstanding here about the threat model I'm
> interested in protecting against for JITs. While making sure the VM of a
> JIT is safe in itself, that's separate from what I'm concerned about.
>
> The threat model is about flaws _elsewhere_ in the kernel that can
> leverage the JIT machinery to convert a "write anything anywhere anytime"
> exploit primitive into an "execute anything" primitive. Arguments can
> be made to say "a write anything flaw means the total collapse of the
> security model so there's no point defending against it", but both that
> type of flaw and the slippery slope argument don't stand up well to
> real-world situations.

Hey Kees, thanks for the explanation - I don't think this is a concern
for what bcachefs is doing, since we're not doing a full jit. The unpack
functions we generate only write to the 40 bytes pointed to by rsi; not
terribly useful as an execute anything primitive :)
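
Added example, not part of the thread: a small audit that lists kernel mappings which are both writable and executable, the kind of memory the quoted threat model is concerned a write primitive could turn into code execution. It assumes the x86 text layout of `/sys/kernel/debug/kernel_page_tables` (`RW`/`ro` and `NX`/`x` flag columns); the sample dump and the function names are constructed for illustration.

```python
import re

# Constructed sample in the assumed x86 kernel_page_tables layout;
# addresses, sizes and sections are illustrative, not from a real system.
SAMPLE_DUMP = """\
---[ High Kernel Mapping ]---
0xffffffff81000000-0xffffffff82000000          16M     ro         PSE     GLB x  pmd
0xffffffff82000000-0xffffffff82400000           4M     RW         PSE     GLB NX pmd
---[ Modules ]---
0xffffffffc0000000-0xffffffffc0001000           4K     RW                 GLB x  pte
0xffffffffc0001000-0xffffffffc0002000           4K     ro                 GLB x  pte
0xffffffffc0002000-0xffffffffc0200000        2040K                               pte
"""

SECTION_RE = re.compile(r"^---\[ (.+?) \]---$")
RANGE_RE = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+\d+[BKMGTPE]\s+(.*)$")


def find_wx_mappings(dump):
    """Return (section, start, end) for each present range that is W+X."""
    section = None
    findings = []
    for raw in dump.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)          # e.g. "Modules"
            continue
        m = RANGE_RE.match(line)
        if not m:
            continue
        flags = m.group(3).split()        # not-present ranges carry no flags
        # Writable is "RW"; executable is "x" (the NX bit is clear).
        if "RW" in flags and "x" in flags:
            findings.append((section, int(m.group(1), 16), int(m.group(2), 16)))
    return findings


def wx_bytes(dump):
    """Total size in bytes of all writable+executable ranges."""
    return sum(end - start for _, start, end in find_wx_mappings(dump))


if __name__ == "__main__":
    for section, start, end in find_wx_mappings(SAMPLE_DUMP):
        print(f"W+X mapping in {section}: {start:#x}-{end:#x}")
    print(f"total W+X bytes: {wx_bytes(SAMPLE_DUMP)}")
```

On a real system the dump is readable only by root and only when the page-table dump debugfs option is built in; pass the file's contents to `find_wx_mappings` instead of the sample.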