From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2D680C433F5
	for <linux-mm@archiver.kernel.org>; Fri, 22 Apr 2022 11:04:37 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id BBC336B0074; Fri, 22 Apr 2022 07:04:36 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id B44476B0075; Fri, 22 Apr 2022 07:04:36 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 9BF086B0078; Fri, 22 Apr 2022 07:04:36 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.28])
	by kanga.kvack.org (Postfix) with ESMTP id 8B7B76B0074
	for <linux-mm@kvack.org>; Fri, 22 Apr 2022 07:04:36 -0400 (EDT)
Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay02.hostedemail.com (Postfix) with ESMTP id 5A29A25620
	for <linux-mm@kvack.org>; Fri, 22 Apr 2022 11:04:36 +0000 (UTC)
X-FDA: 79384231752.05.7C40454
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by imf06.hostedemail.com (Postfix) with ESMTP id E3D7E18002B
	for <linux-mm@kvack.org>; Fri, 22 Apr 2022 11:04:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1650625475;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=jRi6fF/wPrjuetNQMKTMoWZvwVCVWmt81i4fHNIav04=;
	b=JOjRo0WYvAss5Zie7LJE55tz5MfT8Q9UUxxpYvZ26llTqgQVocFirR/MU9kQRwDwud+NV/
	UjVpA0a8SCoA4ulLTFNIy4Q7Q6XEJBOtZ/Ot51rZn1DKppbn3k5iWIWR3G89D6Jv4/dsLD
	Mwm2NE2FEtFvyiKK2IKEf7RhUmojlJc=
Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com
 [209.85.128.71]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-619-Bnr57yU7PlW4XBopFPQCgA-1; Fri, 22 Apr 2022 07:04:34 -0400
X-MC-Unique: Bnr57yU7PlW4XBopFPQCgA-1
Received: by mail-wm1-f71.google.com with SMTP id q188-20020a1c43c5000000b003928f679c42so3617679wma.5
        for <linux-mm@kvack.org>; Fri, 22 Apr 2022 04:04:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
         :content-language:to:cc:references:from:organization:in-reply-to
         :content-transfer-encoding;
        bh=jRi6fF/wPrjuetNQMKTMoWZvwVCVWmt81i4fHNIav04=;
        b=6dLPGCU9KdAsVPVRh3rJqo2ls/hHkxj0pmjdwSjcf/MgB5FlyZWRu8IJrK2edrwev6
         x44o1BvkF1l4ol9FoDKmWeuv2V+6K3oaCePvooVrN6HoLvwTsRErG4JCoR50bT2mDjpz
         we3SdehqNl7bLRpgIsUXfmd4n1dzLEWIRfzNrqcrsvmfwPH+OwfTOa3ED9CxZfwmo0Bj
         X8sbPOf5Ga1bt6bsxwCllCy5zZCn/kHDAC66p4Zr7VPIXo7L+A+MOE0MhoU8zsZY3/Rd
         ykzc+kEV+lSn+sgOqFj/DG5WxQ/2bt5ZOC5G4tw67lIvZftO62n6OlFqGbxdibODGkex
         ByAQ==
X-Gm-Message-State: AOAM532XZJjUyf8tt4FAi67mqK8/xG+HLz4gI4LYuPFCb+ec2YTCtcTx
	rbg+y6/enfh1K2IiTdm/lw4s50VnOGkOSu6d1jkJzKbhKUKF3XUbTrimKgbXytMR056YPd55iro
	TxWkJc5CoLeQ=
X-Received: by 2002:a5d:598c:0:b0:20a:9194:22d4 with SMTP id n12-20020a5d598c000000b0020a919422d4mr3286599wri.124.1650625473028;
        Fri, 22 Apr 2022 04:04:33 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyOzP+TC7jlZrImUxt5R3LgWdlydQp4XEVcEFtjbin355B40Vrl+xA1tCmlMVyrQnlww3ZSMA==
X-Received: by 2002:a5d:598c:0:b0:20a:9194:22d4 with SMTP id n12-20020a5d598c000000b0020a919422d4mr3286563wri.124.1650625472715;
        Fri, 22 Apr 2022 04:04:32 -0700 (PDT)
Received: from ?IPV6:2003:cb:c702:dd00:745e:20b7:bfa4:2e5f? (p200300cbc702dd00745e20b7bfa42e5f.dip0.t-ipconnect.de. [2003:cb:c702:dd00:745e:20b7:bfa4:2e5f])
        by smtp.gmail.com with ESMTPSA id c9-20020a5d4149000000b00207adbc4982sm1416161wrq.94.2022.04.22.04.04.31
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Fri, 22 Apr 2022 04:04:32 -0700 (PDT)
Message-ID: <59401856-0e45-0ee6-1e45-667c8e00cf21@redhat.com>
Date: Fri, 22 Apr 2022 13:04:31 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.6.2
Subject: Re: [PATCH RFC 2/4] mm, personality: Implement
 memory-deny-write-execute as a personality flag
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
 Christoph Hellwig <hch@infradead.org>,
 Lennart Poettering <lennart@poettering.net>,
 =?UTF-8?Q?Zbigniew_J=c4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>,
 Will Deacon <will@kernel.org>, Alexander Viro <viro@zeniv.linux.org.uk>,
 Eric Biederman <ebiederm@xmission.com>, Kees Cook <keescook@chromium.org>,
 Szabolcs Nagy <Szabolcs.Nagy@arm.com>, Mark Brown <broonie@kernel.org>,
 Jeremy Linton <Jeremy.Linton@arm.com>, Topi Miettinen <toiwoton@gmail.com>,
 "linux-mm@kvack.org" <linux-mm@kvack.org>,
 "linux-arm-kernel@lists.infradead.org"
 <linux-arm-kernel@lists.infradead.org>,
 "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
 "linux-abi-devel@lists.sourceforge.net"
 <linux-abi-devel@lists.sourceforge.net>
References: <20220413134946.2732468-1-catalin.marinas@arm.com>
 <20220413134946.2732468-3-catalin.marinas@arm.com>
 <443d978a-7092-b5b1-22f3-ae3a997080ad@redhat.com> <YmKDaEaOpOaKl7m9@arm.com>
From: David Hildenbrand <david@redhat.com>
Organization: Red Hat
In-Reply-To: <YmKDaEaOpOaKl7m9@arm.com>
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Rspam-User: 
X-Rspamd-Server: rspam11
X-Rspamd-Queue-Id: E3D7E18002B
X-Stat-Signature: h9w7ycbr5w63p36fhhyjbgw1oeoquy99
Authentication-Results: imf06.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=JOjRo0WY;
	spf=none (imf06.hostedemail.com: domain of david@redhat.com has no SPF policy when checking 170.10.129.124) smtp.mailfrom=david@redhat.com;
	dmarc=pass (policy=none) header.from=redhat.com
X-HE-Tag: 1650625474-272542
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On 22.04.22 12:28, Catalin Marinas wrote:
> On Thu, Apr 21, 2022 at 06:37:49PM +0100, David Hildenbrand wrote:
>> On 13.04.22 15:49, Catalin Marinas wrote:
>>> The aim of such policy is to prevent a user task from inadvertently
>>> creating an executable mapping that is or was writeable (and
>>> subsequently made read-only).
>>>
>>> An example of mmap() returning -EACCESS if the policy is enabled:
>>>
>>> 	mmap(0, size, PROT_READ | PROT_WRITE | PROT_EXEC, flags, 0, 0);
>>>
>>> Similarly, mprotect() would return -EACCESS below:
>>>
>>> 	addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
>>> 	mprotect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
>>>
>>> With the past vma writeable permission tracking, mprotect() below would
>>> also fail with -EACCESS:
>>>
>>> 	addr = mmap(0, size, PROT_READ | PROT_WRITE, flags, 0, 0);
>>> 	mprotect(addr, size, PROT_READ | PROT_EXEC);
>>>
>>> While the above could be achieved by checking PROT_WRITE & PROT_EXEC on
>>> mmap/mprotect and denying mprotect(PROT_EXEC) altogether (current
>>> systemd MDWE approach via SECCOMP BPF filters), we want the following
>>> scenario to succeed:
>>>
>>> 	addr = mmap(0, size, PROT_READ | PROT_EXEC, flags, 0, 0);
>>> 	mprotect(addr, size, PROT_READ | PROT_EXEC | PROT_BTI);
>>>
>>> where PROT_BTI enables branch tracking identification on arm64.
>>>
>>> The choice for a DENY_WRITE_EXEC personality flag, inherited on fork()
>>> and execve(), was made by analogy to READ_IMPLIES_EXEC.
>>>
>>> Note that it is sufficient to check for VM_WAS_WRITE in
>>> map_deny_write_exec() as this flag is always set on VM_WRITE mappings.
>>>
>>> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
>>> Cc: Christoph Hellwig <hch@infradead.org>
>>> Cc: Andrew Morton <akpm@linux-foundation.org>
>>
>> How does this interact with get_user_pages(FOLL_WRITE|FOLL_FORCE) on a
>> VMA that is VM_MAYWRITE but not VM_WRITE? Is it handled accordingly?
> 
> For now, that's just about VM_WRITE. Most vmas are VM_MAYWRITE, so we
> can't really have MAYWRITE^EXEC. The basic feature aims to avoid user
> vulnerabilities where a buffer is mapped both writeable and executable.
> Of course, it can be expanded with additional prctl() flags to cover
> other cases.
> 
>> Note that in the (FOLL_WRITE|FOLL_FORCE) we only require VM_MAYWRITE on
>> the vma and trigger a write fault. As the VMA is not VM_WRITE, we won't
>> actually map the PTE writable, but set it dirty. GUP will retry, find a
>> R/O pte that is dirty and where it knows that it broke COW and will
>> allow the read access, although the PTE is R/O.
>>
>> That mechanism is required to e.g., set breakpoints in R/O MAP_PRIVATE
>> kernel sections, but it's used elsewhere for page pinning as well.
>>
>> My gut feeling is that GUP(FOLL_WRITE|FOLL_FORCE) could be used right
>> now to bypass that mechanism, I might be wrong.
> 
> GUP can be used to bypass this. But if an attacker can trigger such GUP
> paths via a syscall (e.g. ptrace(PTRACE_POKEDATA)), I think we need the
> checks on those paths (and reject the syscall) rather than on
> mmap/mprotect(). This would be covered by something like CAP_SYS_PTRACE.
> 
> 

I was told that RDMA uses FOLL_FORCE|FOLL_WRITE and is available to
unprivileged users.

-- 
Thanks,

David / dhildenb