Date: Tue, 14 Jan 2025 14:42:14 -0800
From: Isaac Manjarres <isaacmanjarres@google.com>
To: Kees Cook
Cc: Jeff Xu, Lorenzo Stoakes, Jann Horn, Andrew Morton, Jeff Layton, Chuck Lever, Alexander Aring, "Liam R. Howlett", Vlastimil Babka, Shuah Khan, kernel-team@android.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, Suren Baghdasaryan, Kalesh Singh, John Stultz
Subject: Re: [RFC PATCH v1 1/2] mm/memfd: Add support for F_SEAL_FUTURE_EXEC to memfd
References: <20241206010930.3871336-1-isaacmanjarres@google.com> <20241206010930.3871336-2-isaacmanjarres@google.com> <0ff1c9d9-85f0-489e-a3f7-fa4cef5bb7e5@lucifer.local> <202501061643.986D9453@keescook> <202501141326.E81023D@keescook>
In-Reply-To: <202501141326.E81023D@keescook>
On Tue, Jan 14, 2025 at 01:29:44PM -0800, Kees Cook wrote:
> On Tue, Jan 14, 2025 at 12:02:28PM -0800, Isaac Manjarres wrote:
> > I think the main issue in the threat model that I described is that
> > an attacking process can gain control of a more privileged process.
>
> I understood it to be about an attacker gaining execution control through
> a rewritten function pointer, not that they already have arbitrary
> execution control. (i.e. taking a "jump anywhere" primitive and
> upgrading it to "execute anything".) Is the expectation that existing
> ROP/JOP techniques make protecting memfd irrelevant?
>

Is arbitrary execution control necessary? Suppose the attacker overwrites
the function pointer that the victim process is supposed to return to.
The attacker makes it so that the victim process ends up executing code
that maps the buffer with PROT_EXEC and then jumps to the buffer to
execute the code that was injected.

I don't think having the ability to seal memfds against execution on a
per-buffer basis entirely addresses that attack. Can't the attacker craft
a different type of attack where they instead copy the code they wrote to
an executable memfd? I think a way to avoid that would be if the original
memfd was write-only to avoid the copy scenario, but that is not
reasonable.

Alternatively, MFD_NOEXEC_SEAL could be extended to prevent executable
mappings, and MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED could be enabled, but
that type of system would prevent memfd buffers from being used for
execution for legitimate use cases (e.g. JIT), which may not be desirable.

--Isaac
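The gap the thread is circling (today's MFD_NOEXEC_SEAL seals the file's execute mode bits, which blocks execve of the memfd, but says nothing about PROT_EXEC mappings of it) can be verified on a running kernel. This is an added example, not code from the patch or from anyone in the thread; the `check_noexec_seal` function and `noexec_result` enum are my own names, and the fallback constant values are the ones from the Linux UAPI headers for toolchains whose headers predate 6.3.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fallbacks for older headers; values match include/uapi/linux/{memfd,fcntl}.h. */
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

enum noexec_result {
    NOEXEC_UNSUPPORTED = -1, /* kernel rejects MFD_NOEXEC_SEAL (pre-6.3) */
    NOEXEC_WEAK = 0,         /* seal missing, or chmod +x was still accepted */
    NOEXEC_SEALED = 1,       /* F_SEAL_EXEC set and chmod +x refused with EPERM */
};

/* Create a sealed non-executable memfd and check what the seal enforces.
 * If exec_map_allowed is non-NULL it receives 1 when a PROT_EXEC mapping of the
 * sealed memfd was still accepted, i.e. the case F_SEAL_FUTURE_EXEC would cover. */
enum noexec_result check_noexec_seal(int *exec_map_allowed)
{
    enum noexec_result res = NOEXEC_WEAK;
    if (exec_map_allowed)
        *exec_map_allowed = 0;
    /* MFD_ALLOW_SEALING is passed explicitly; newer kernels no longer imply it. */
    int fd = memfd_create("noexec-demo", MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_NOEXEC_SEAL);
    if (fd < 0)
        return errno == EINVAL ? NOEXEC_UNSUPPORTED : NOEXEC_WEAK;

    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0 || !(seals & F_SEAL_EXEC))
        goto out;
    /* F_SEAL_EXEC forbids changing the inode's execute bits, so this must fail. */
    if (fchmod(fd, 0755) == 0 || errno != EPERM)
        goto out;
    res = NOEXEC_SEALED;

    /* The seal governs the file mode, not mapping permissions (not asserted). */
    if (ftruncate(fd, 4096) == 0) {
        void *p = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
        if (exec_map_allowed)
            *exec_map_allowed = (p != MAP_FAILED);
        if (p != MAP_FAILED)
            munmap(p, 4096);
    }
out:
    close(fd);
    return res;
}
```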