Received: by 10.223.185.116 with SMTP id b49csp3025101wrg; Mon, 12 Feb 2018 19:40:56 -0800 (PST) X-Google-Smtp-Source: AH8x22663ZDC/iDucrsS/UbTVUYa1ydotZBBTP5Tnrq7TjHA494zMfFzo1v8A2mTchAi/mEjbEJf X-Received: by 10.99.67.197 with SMTP id q188mr10695129pga.255.1518493256126; Mon, 12 Feb 2018 19:40:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518493256; cv=none; d=google.com; s=arc-20160816; b=NqLOD7PGVeeUlVPeLJORh1V7ppKFo8+eJ1dsbSfZr9tX+i9KObCuVH34IWMlMX1hdc vvGxO9jF+pk10bTH9Au/496mEXJVmbqMKUprNgFXoI15V7bL9DBg5jXUYHCux16HS8Dr QmlKrEnVcVWncbLJ0aUojVlZ2RUwWynpkwGNTt99bLI1tZ2m0+pVDG7+9UM4SrUeF6G4 ON7oEOBX91SVnWB2tMoho6bzUIQr98GU12c6uzCnisC6+GhiINzxRNPXe5jQGJh7LeXu gv2xC0WVPfrHB4vBh98+hSIRNOS5HRa+tqUEjLYLIpVq3A9CSK7zP5do2z5bQQdkAGLP sNfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=RPx+ERycomcx9uhafJCpNVwWw+q8GP39Z3VnY5DYFgQ=; b=uCvldwOO1jMFhlfUqU5jL6vjLfoLPiQUYQ7ZgDz1iBUWhJj7ESL+MKzyTqYz00Eibs mGFzAV0/W2BgL9ZJfp5NuuRbtb++hjo1D2gGpPjUsDJTjDRYmZBphFfKpwPOSIH4iyGH 168ful3hz6qrlkUOzWvQUpq9w9TdMwBFsBIX9sy5Jrq5H2Ab4YQtMoCRKtLubnasZ+fi n6dqUkOQyUFFlYmeK3w1zNovJJqw2SMqiKggvEA8cFgfnUrCNCxy3Ha6QpxhQei+oDjl S0K4f8YcLOJYweboUn2vOL3j2CHFP3c1Vy+9/G3PPaDPu4yDVBKvl7VBSwV+9XJG2py8 /trA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sfXRynr0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a3si992632pfh.413.2018.02.12.19.40.40; Mon, 12 Feb 2018 19:40:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sfXRynr0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933410AbeBMDkB (ORCPT + 99 others); Mon, 12 Feb 2018 22:40:01 -0500 Received: from mail-ot0-f195.google.com ([74.125.82.195]:42748 "EHLO mail-ot0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933323AbeBMDj7 (ORCPT ); Mon, 12 Feb 2018 22:39:59 -0500 Received: by mail-ot0-f195.google.com with SMTP id a7so16055282otk.9 for ; Mon, 12 Feb 2018 19:39:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RPx+ERycomcx9uhafJCpNVwWw+q8GP39Z3VnY5DYFgQ=; b=sfXRynr0LIm3OH/QGdjt1eNV2eN4TdQVflfW8unsoq4cZ+7fkMupPeDhGLf5CLbIMH 4Y44TAI2mfRkU+VSAbTJz473RUqgq9dnYyXHI8vezOtYsPKa43DMUZgAopkM7hc+vK3i WIIVjhh8N0fVba9yh8NifrTiKgZ3QNUN6kiN6gX9iJHWB5XIqgFv2/xxCCif0Trn6hs9 pMjHrCU490O77/UgGfED98a1bhrM5YovqsEdgC94VcTLyzghN9otG/kytaPGL0+lhQd+ 2nHd0N8euwyxTz/RaBCmvifuPWevvyEX5jkAMsFYn/IkcYGbbjr2Jy/Uky1WC65rnu+m UXYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RPx+ERycomcx9uhafJCpNVwWw+q8GP39Z3VnY5DYFgQ=; b=ZW3RhbaexBjVDcsApLvt6shZi6+GslCWmX1U7QF3H5MbXj7ENrmKx/lKXrtjkIG4lr 5EdhwWja9xImue10McdIohdERuoJ3Rs3Fguxw26+pRVoc7eB+Q3UKIUvniBlzb/nErGs L5tqQY+MG/7NieENiKiNh0p7g4OqpwR/HhQZqf/OA1YcW6cqK96fDmqOzkJWFiW2DwFC LCyDfSk7QG/xGQZhl43Kf9MVG8R+nFE5wuwwvjivt4mNaoFjyr7R2xAxKZcamSu4X2eZ +tcVjnK5r95OVLp2TEyQKUsiMxm+uhyQBQ4mBKGsGPCYlYYDjt/0Y5xq4yyMAjjvsXZ6 jajQ== X-Gm-Message-State: APf1xPBghFRhJUXd7ekT9GpACZVlX+LdXiMD/18s+SPXuaVFWORV+6xM LoaH2aYGHTDl81sEhTnglK4F5XnCsrWgSzS7oCvzfQ== X-Received: by 10.157.63.225 with SMTP id i30mr1290036ote.51.1518493198718; Mon, 12 Feb 2018 19:39:58 -0800 (PST) MIME-Version: 1.0 Received: by 10.74.183.132 with HTTP; Mon, 12 Feb 2018 19:39:38 -0800 (PST) In-Reply-To: References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> From: Jann Horn Date: Tue, 13 Feb 2018 04:39:38 +0100 Message-ID: Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory To: Kees Cook Cc: Laura Abbott , Igor Stoppa , Boris Lukashev , Christopher Lameter , Matthew Wilcox , Jerome Glisse , Michal Hocko , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 13, 2018 at 2:25 AM, Kees Cook wrote: > On Mon, Feb 12, 2018 at 4:40 PM, Laura Abbott wrote: >> On 02/12/2018 03:27 PM, Kees Cook wrote: >>> >>> On Sun, Feb 4, 2018 at 7:05 AM, Igor Stoppa >>> wrote: >>>> >>>> On 04/02/18 00:29, Boris Lukashev wrote: >>>>> >>>>> On Sat, Feb 3, 2018 at 3:32 PM, Igor Stoppa >>>>> wrote: >>>> >>>> >>>> [...] >>>> >>>>>> What you are suggesting, if I have understood it correctly, is that, >>>>>> when the pool is protected, the addresses already given out, will >>>>>> become >>>>>> traps that get resolved through a lookup table that is built based on >>>>>> the content of each allocation. >>>>>> >>>>>> That seems to generate a lot of overhead, not to mention the fact that >>>>>> it might not play very well with the MMU. >>>>> >>>>> >>>>> That is effectively what i'm suggesting - as a form of protection for >>>>> consumers against direct reads of data which may have been corrupted >>>>> by some irrelevant means. In the context of pmalloc, it would probably >>>>> be a separate type of ro+verified pool >>>> >>>> ok, that seems more like an extension though. >>>> >>>> ATM I am having problems gaining traction to get even the basic merged >>>> :-) >>>> >>>> I would consider this as a possibility for future work, unless it is >>>> said that it's necessary for pmalloc to be accepted ... >>> >>> >>> I would agree: let's get basic functionality in first. Both >>> verification and the physmap part can be done separately, IMO. >> >> >> Skipping over physmap leaves a pretty big area of exposure that could >> be difficult to solve later. I appreciate this might block basic >> functionality but I don't think we should just gloss over it without >> at least some idea of what we would do. > > What's our exposure on physmap for other regions? e.g. things that are > executable, or made read-only later (like __ro_after_init)? I just checked on a system with a 4.9 kernel, and there seems to be no physical memory that is mapped as writable in the init PGD and executable elsewhere. Ah, I think I missed something. At least on X86, set_memory_ro, set_memory_rw, set_memory_nx and set_memory_x all use change_page_attr_clear/change_page_attr_set, which use change_page_attr_set_clr, which calls __change_page_attr_set_clr() with a second parameter "checkalias" that is set to 1 unless the bit being changed is the NX bit, and that parameter causes the invocation of cpa_process_alias(), which will, for mapped ranges, also change the attributes of physmap ranges. set_memory_ro() and so on are also used by the module loading code. But in the ARM64 code, I don't see anything similar. Does anyone with a better understanding of ARM64 want to check whether I missed something? Or maybe, with a recent kernel, check whether executable module pages show up with a second writable mapping in the "kernel_page_tables" file in debugfs?