From: Bugspray Bot
To: akpm@linux-foundation.org, bugs@lists.linux.dev, linux-mm@kvack.org
Date: Thu, 12 Sep 2024 21:10:09 +0000
Message-ID: <20240912-b219227c0-78bee9e213fc@bugzilla.kernel.org>
Subject: MDWE does not prevent read-only, executable, shared memory regions to be updated by backing file writes

alip writes via Kernel.org Bugzilla:

Arguably this breaks W^X. Similar implementations such as PaX prevent this.

About private mappings, POSIX leaves unspecified whether changes made to the file after the mmap() call are visible in the mapped region. My basic tests show it is not visible on Linux. That said, if there's a chance for them to ever be visible somehow, MDWE should also prevent it.

Proof of concept:

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef PR_SET_MDWE
# define PR_SET_MDWE 65
#endif
#ifndef PR_MDWE_REFUSE_EXEC_GAIN
# define PR_MDWE_REFUSE_EXEC_GAIN 1
#endif

int main(void)
{
	int fd;
	char *addr;
	const char *data_x = "benign code";
	const char *data_X = "malicious code";
	size_t len_x = strlen(data_x);
	size_t len_X = strlen(data_X);

	// Step 0: Set MDWE to refuse EXEC gain.
	if (prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0, 0, 0) == -1) {
		perror("prctl(PR_SET_MDWE)");
		exit(ENOSYS);
	}

	// Step 1: Open file.
	fd = open("./mmap", O_RDWR | O_CREAT | O_TRUNC, S_IRWXU);
	if (fd == -1) {
		perror("open");
		exit(EXIT_FAILURE);
	}

	// Write initial content.
	if (write(fd, data_x, len_x) != (ssize_t)len_x) {
		perror("write");
		exit(EXIT_FAILURE);
	}

	// Step 2: Memory-map the file.
	addr = mmap(NULL, len_x, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
	if (addr == MAP_FAILED) {
		perror("mmap");
		exit(EXIT_FAILURE);
	}

	// Write new content to the file.
	if (lseek(fd, 0, SEEK_SET) == -1) {
		perror("lseek");
		exit(EXIT_FAILURE);
	}
	if (write(fd, data_X, len_X) != (ssize_t)len_X) {
		perror("write");
		exit(EXIT_FAILURE);
	}

	// Close file, this will sync the contents to the read-only memory area.
	// This breaks W^X and MDWE should prevent this.
	close(fd);

	// Check the mapped memory.
	printf("[*] Mapped Content: %s\n", addr);
	if (!strncmp(addr, "malicious", strlen("malicious"))) {
		printf("[!] RX memory updated thru a backing file write under MDWE.\n");
	}

	unlink("./mmap");
	return EXIT_SUCCESS;
}

View: https://bugzilla.kernel.org/show_bug.cgi?id=219227#c0

You can reply to this message to join the discussion.

-- 
Deet-doot-dot, I am a bot.
Kernel.org Bugzilla (bugspray 0.1-dev)
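The report shows that MDWE only governs page protections, not the backing file. As an added example (not part of the bug report or of the kernel), the following shows the mitigation available today when the process itself creates the executable object: back the mapping with a memfd and apply F_SEAL_WRITE before mapping it RX, so the write()-to-backing-file channel used in the PoC is refused by the kernel with EPERM. It assumes Linux with memfd_create() and file sealing (kernel 3.17+, glibc 2.27+); the function name is mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Added example, not from the bug report. Create an RX shared mapping whose
 * backing object is a sealed memfd, then attempt the same backing-file write
 * as the PoC. Returns 1 if the write was refused and the mapping is unchanged,
 * 0 if the content changed, -1 if setup failed (for example no memfd support). */
int sealed_exec_mapping_holds(void)
{
	const char *initial = "benign code";        /* constructed sample content */
	const char *replacement = "malicious code"; /* same replacement as the PoC */
	size_t len = strlen(initial);
	ssize_t n;
	int fd, rc = -1;
	char *addr;

	fd = memfd_create("sealed-exec", MFD_CLOEXEC | MFD_ALLOW_SEALING);
	if (fd == -1)
		return -1;
	if (write(fd, initial, len) != (ssize_t)len)
		goto out_fd;

	/* Freeze size and content before anything maps the object executable.
	 * After F_SEAL_WRITE, write()/pwrite()/ftruncate() on fd fail with EPERM
	 * and no new writable shared mapping can be created. */
	if (fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) == -1)
		goto out_fd;

	/* Read+exec shared mapping is still permitted on a write-sealed memfd. */
	addr = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
	if (addr == MAP_FAILED)
		goto out_fd;

	/* Same step as the PoC: rewrite the backing file behind the RX mapping. */
	errno = 0;
	n = pwrite(fd, replacement, strlen(replacement), 0);

	/* Expected: pwrite() is refused with EPERM and the mapping still holds
	 * the original bytes. */
	rc = (n == -1 && errno == EPERM && memcmp(addr, initial, len) == 0) ? 1 : 0;
	munmap(addr, len);
out_fd:
	close(fd);
	return rc;
}
```

This closes the channel only for objects the process creates itself; for executable mappings of ordinary files on disk, as in the PoC, the file-write path remains open regardless of MDWE.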