From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E0B33C48291
	for <linux-mm@archiver.kernel.org>; Fri,  2 Feb 2024 17:05:48 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 77F4E6B0080; Fri,  2 Feb 2024 12:05:48 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 7315B6B0082; Fri,  2 Feb 2024 12:05:48 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 61F5D6B0083; Fri,  2 Feb 2024 12:05:48 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12])
	by kanga.kvack.org (Postfix) with ESMTP id 5096D6B0080
	for <linux-mm@kvack.org>; Fri,  2 Feb 2024 12:05:48 -0500 (EST)
Received: from smtpin23.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay05.hostedemail.com (Postfix) with ESMTP id 183244026F
	for <linux-mm@kvack.org>; Fri,  2 Feb 2024 17:05:48 +0000 (UTC)
X-FDA: 81747490776.23.88C501D
Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3])
	by imf04.hostedemail.com (Postfix) with ESMTP id 6A05540008
	for <linux-mm@kvack.org>; Fri,  2 Feb 2024 17:05:45 +0000 (UTC)
Authentication-Results: imf04.hostedemail.com;
	dkim=pass header.d=openbsd.org header.s=selector1 header.b="3zgv7TD/";
	dmarc=none;
	spf=pass (imf04.hostedemail.com: domain of deraadt@openbsd.org designates 199.185.137.3 as permitted sender) smtp.mailfrom=deraadt@openbsd.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1706893545; a=rsa-sha256;
	cv=none;
	b=2LuwouR6a+geXEtF7c0I2Ewh8f2vI0jSDozWaE1SMPFsBcX/daL+MOryXJUB1B1n5iLyjd
	qJ6U1Rug5xn1e+bRcsbgk4U05SKqMBQz2OSFr3moILmbuz6BAH7gOtFZTQXHF7FY4hoEgA
	OOdYg/3pAZ+N59OrJDZUxfzukGTRwlA=
ARC-Authentication-Results: i=1;
	imf04.hostedemail.com;
	dkim=pass header.d=openbsd.org header.s=selector1 header.b="3zgv7TD/";
	dmarc=none;
	spf=pass (imf04.hostedemail.com: domain of deraadt@openbsd.org designates 199.185.137.3 as permitted sender) smtp.mailfrom=deraadt@openbsd.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1706893545;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=zWnoe924Wrq6oYpA28mTvKN0Mvp9/G4Dozi/7BNMUi0=;
	b=8XVw0pxuX3SFCpMF+H6VuVuZA6op/5468VAhEk7g3DCmodFDUWDMN3/K2SW3tUObE4509a
	yXKkmpugyqX7u9lKArR6okUR/+Kjqe+FDdULNqBWbqMvdIcEmmnyZygJQkCQwHqBrafWfs
	KXNqEHjgNHB8HtdFnJTxyglB5gYCjeM=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=selector1; bh=BAwvHs1egQ
	iGyh3Tep3tXQoRaot7EO9KKStazGkphj8=; h=date:references:in-reply-to:
	subject:cc:to:from; d=openbsd.org; b=3zgv7TD/ZhY+aUl0O7cUsE/W4VVRIWxeD
	MKVJaQwalupXyQ9cd/mhDSVOFEJmr7qpl+Dj4k1x8hh61Ao1qVQdaBTm2vFYSCo+nd0cdN
	jgIAK6z+F94bc6MtyRqcZN9tRbz6V5BzwE4RYcZapApJhS0SQeTS4tTXp9ZDsZkdd1Qwcz
	3K+WKRIiTh/kD/gPXvdQd5CyGmHAjZvja4JxoKYC1Zc7gMu6ztpnhCj1b+gZQ/86FWI2vR
	SKNXSYcY1E0uG8XGN3T8ayov7q1ihEb3QY9kh5GfwMsAP3mS1BQMy4G6bZLcUFNz5mCAM5
	3i29NM/koL7kJT9x3vSOva+ioeorg==
Received: from cvs.openbsd.org (localhost [127.0.0.1])
	by cvs.openbsd.org (OpenSMTPD) with ESMTP id e09d1d9f;
	Fri, 2 Feb 2024 10:05:43 -0700 (MST)
From: "Theo de Raadt" <deraadt@openbsd.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
cc: Jeff Xu <jeffxu@chromium.org>,
    "Liam R. Howlett" <Liam.Howlett@oracle.com>,
    Jonathan Corbet <corbet@lwn.net>, akpm@linux-foundation.org,
    keescook@chromium.org, jannh@google.com, sroettger@google.com,
    willy@infradead.org, gregkh@linuxfoundation.org,
    usama.anjum@collabora.com, rdunlap@infradead.org, jeffxu@google.com,
    jorgelo@chromium.org, groeck@chromium.org,
    linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
    linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com,
    linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 0/4] Introduce mseal
In-reply-to: <CAHk-=wjqozic6JuRimXD=RamnJmD6FoaQki7RtNYrezzx_OfOg@mail.gmail.com>
References: <20240131175027.3287009-1-jeffxu@chromium.org> <20240131193411.opisg5yoyxkwoyil@revolver> <CABi2SkXOX4SRMs0y8FYccoj+XrEiPCJk2seqT+sgO7Na7NWwLg@mail.gmail.com> <20240201204512.ht3e33yj77kkxi4q@revolver> <CABi2SkWB2eV24LBJtgJ73zEwaAWuFhAwrfqx3Rs=tqnpcJ0qRw@mail.gmail.com> <58408.1706828083@cvs.openbsd.org> <CAHk-=wjqozic6JuRimXD=RamnJmD6FoaQki7RtNYrezzx_OfOg@mail.gmail.com>
Comments: In-reply-to Linus Torvalds <torvalds@linux-foundation.org>
   message dated "Thu, 01 Feb 2024 15:15:27 -0800."
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <95708.1706893543.1@cvs.openbsd.org>
Date: Fri, 02 Feb 2024 10:05:43 -0700
Message-ID: <66496.1706893543@cvs.openbsd.org>
X-Rspam-User: 
X-Rspamd-Server: rspam06
X-Rspamd-Queue-Id: 6A05540008
X-Stat-Signature: hmopx1ptwsabqu789645oco8z5eg4jk1
X-HE-Tag: 1706893545-475659
X-HE-Meta: U2FsdGVkX1+2hw0TgKtvHcpaUIJgmwIhuHzgSklJ5S9hbmQvVyJhHiND1kW/wRwlVmCf4Fiwm5qehJWYqmYs4agz4EreuEmk+J0mDW6BvkvU5LpvfChMi50q7j8UrGjlg2q17+OzIwLomHEPsexMo12/rJQ5BRFfRuGtnU6Ce84k+u68CCIR4wzMQuuo4vREtee2gkZxIDZeUl4VYqQ0Tl6s4GuNA2kegEQwov9WNEY/jaO4rb7cjVDgIgGc8YBP/sN2SQ8rCS8IV3sXNfYXA0up+aCzKMn7kbNSjfwc4qIrW3es/bWDlk9P1wniZ2GFMMndBWSTRQDI9Rd6ZGHvhpAP1M7hXIRihafh7DNdFN7rMlohN2EMv2CgMCbxSf+lDtGWvdgzrCzwW7pMRBDRsEiV172RKkAQMfhuV/4RfGIK50aJ/c55i3DNebpN0HeQB7eXJygLxMCB7ucGZG+VGKJeFA3lPjxq9LFHGzcPcEvs+TwfyTQmkoSvVe0H3925I6JFFoL6UJEpejplGBcxN7ENUuGIZsAK9IQ6wJA7/6CUAgi+xYRcC7VdWVLT8NYdFoGit37/Lea3f8bLdMMh82toRjZTufYlws28jQkr/q4/r3nPSRXURV4kNj7hJTOimm0BQRsU2nbyWIbO1Lhd3mr3blo+5Ix6+3bGeQHyWvd0xiOz3U9Ebjn3zKwp23fsO7Cm6279C8Fg9hu2GIAP4l/gGmlzhRIYbRpsvw3587hH5Hvf6IYm3kKlEQLYpcaSdYW5/YEg20Gyj+UlFnk0z94d8pkxFyAULy5/zY5bUrXxdyUzjOrFUiOWje5qgbHHxL1vNGYK1b8fKwEk1BI0pG6WZwK2KBZ4+EJ7YAOmqP2nBelDnvERXxTcTHv60BZ5ApAWRXobPB6xDo/tkaqSEw==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000002, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

Another interaction to consider is sigaltstack().

In OpenBSD, sigaltstack() forces MAP_STACK onto the specified
(pre-allocated) region, because on kernel-entry we require the "sp"
register to point to a MAP_STACK region (this severely damages ROP pivot
methods).  Linux does not have MAP_STACK enforcement (yet), but one day
someone may try to do that work.

This interacted poorly with mimmutable() because some applications
allocate the memory being provided poorly.  I won't get into the details
unless pushed, because what we found makes me upset.  Over the years,
we've upstreamed diffs to applications to resolve all the nasty
allocation patterns.  I think the software ecosystem is now mostly
clean.

I suggest someone in Linux look into whether sigaltstack() is a mseal()
bypass, perhaps somewhat similar to madvise MADV_FREE, and consider the
correct strategy.

This is our documented strategy:

     On OpenBSD some additional restrictions prevent dangerous address space
     modifications.  The proposed space at ss_sp is verified to be
     contiguously mapped for read-write permissions (no execute) and incapable
     of syscall entry (see msyscall(2)).  If those conditions are met, a page-
     aligned inner region will be freshly mapped (all zero) with MAP_STACK
     (see mmap(2)), destroying the pre-existing data in the region.  Once the
     sigaltstack is disabled, the MAP_STACK attribute remains on the memory,
     so it is best to deallocate the memory via a method that results in
     munmap(2).

OK, I better provide the details of what people were doing.
sigaltstacks() in .data, in .bss, using malloc(), on a buffer on the
stack, we even found one creating a sigaltstack inside a buffer on a
pthread stack.  We told everyone to use mmap() and munmap(), with MAP_STACK
if #ifdef MAP_STACK finds a definition.