Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751820AbdCDFxp (ORCPT <rfc822;w@1wt.eu>);
        Sat, 4 Mar 2017 00:53:45 -0500
Received: from mail-pg0-f66.google.com ([74.125.83.66]:35941 "EHLO
        mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750751AbdCDFxm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 4 Mar 2017 00:53:42 -0500
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (1.0)
Subject: Re: [RFC] arm64: support HAVE_ARCH_RARE_WRITE
From: Hoeun Ryu <hoeun.ryu@gmail.com>
X-Mailer: iPhone Mail (14D27)
In-Reply-To: <CAGXu5jKwDdwrdZ8z90e4Q5Xv4KeHjBoVtb7btxPGfmHpdaEwMQ@mail.gmail.com>
Date: Sat, 4 Mar 2017 14:53:20 +0900
Cc: "kernel-hardening@lists.openwall.com" 
        <kernel-hardening@lists.openwall.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Mark Rutland <mark.rutland@arm.com>, Andy Lutomirski <luto@kernel.org>,
        Emese Revfy <re.emese@gmail.com>, Russell King <linux@armlinux.org.uk>,
        PaX Team <pageexec@freemail.hu>, "x86@kernel.org" <x86@kernel.org>
Message-Id: <E00348D0-114B-4803-B80E-0500BF3D96D7@gmail.com>
References: <1488466831-13918-1-git-send-email-hoeun.ryu@gmail.com> <CAGXu5jKwDdwrdZ8z90e4Q5Xv4KeHjBoVtb7btxPGfmHpdaEwMQ@mail.gmail.com>
To: Kees Cook <keescook@chromium.org>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id v245s2sE004789
Content-Length: 1894
Lines: 51


> On Mar 3, 2017, at 1:02 PM, Kees Cook <keescook@chromium.org> wrote:
> 
>> On Thu, Mar 2, 2017 at 7:00 AM, Hoeun Ryu <hoeun.ryu@gmail.com> wrote:
>> This RFC is a quick and dirty arm64 implementation for Kees Cook's RFC for
>> rare_write infrastructure [1].
> 
> Awesome! :)
> 
>> This implementation is based on Mark Rutland's suggestions, which is that
>> a special userspace mm that maps only __start/end_rodata as RW permission
>> is prepared during early boot time (paging_init) and __arch_rare_write_map()
>> switches to the mm [2].
>> 
>> Due to the limit of implementation (the mm having RW mapping is userspace
>> mm), we need a new arch-specific __arch_rare_write_ptr() to convert RO
>> address to RW address (CONFIG_HAVE_RARE_WRITE_PTR is added), which is
>> general for all architectures (__rare_write_ptr()) in Kees's RFC . So all
>> writes should be instrumented by __rare_write().
> 
> Cool, yeah, I'll get all this fixed up in my next version.

I'll send the next version of this when you send yours.

>> One caveat for arm64 is CONFIG_ARM64_SW_TTBR0_PAN.
>> Because __arch_rare_write_map() installes a special user mm to ttbr0,
>> usercopy inside  __arch_rare_write_map/unmap() pair will break rare_write.
>> (uaccess_enable() replaces the special mm and RW alias is no longer valid.)
> 
> That's totally fine constraint: this case should never happen for so
> many reasons. :)
> 

OK. Thank you for the review.

>> A similar problem could rise in general usercopy inside
>> __arch_rare_write_map/unmap(). __arch_rare_write_map() replaces current->mm,
>> so we loose the address space of the `current` process.
>> 
>> It passes LKDTM's rare write test.
>> 
>> [1] : http://www.openwall.com/lists/kernel-hardening/2017/02/27/5
>> [2] : https://lkml.org/lkml/2017/2/22/254
>> 
>> Signed-off-by: Hoeun Ryu <hoeun.ryu@gmail.com>
> 
> -Kees
> 
> -- 
> Kees Cook
> Pixel Security