Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries
From: Andy Lutomirski
Date: Thu, 8 Mar 2018 19:54:20 -0800
To: Linus Torvalds
Cc: Kees Cook, Alexei Starovoitov, Djalal Harouni, Al Viro, "David S. Miller", Daniel Borkmann, Greg KH, "Luis R. Rodriguez", Network Development, LKML, kernel-team, Linux API
References: <20180306013457.1955486-1-ast@kernel.org>

> On Mar 8, 2018, at 7:06 PM, Linus Torvalds wrote:
>
>
> Honestly, that "read twice" thing may be what scuttles this.
> Initially, I thought it was a non-issue, because anybody who controls
> the module subdirectory enough to rewrite files would be in a position
> to just execute the file itself directly instead.
>

On further consideration, I think there’s another showstopper. This patch is a potentially severe ABI break. Right now, loading a module *copies* it into memory and does not hold a reference to the underlying fs. With the patch applied, all kinds of use cases can break in gnarly ways. Initramfs is maybe okay, but initrd may be screwed. If you load an ET_EXEC module from initrd, then umount it, then clear the ramdisk, something will go horribly wrong. Exactly what goes wrong depends on whether userspace notices that umount() failed. Similarly, if you load one of these modules over a network and then lose your connection, you have a problem.

The “read twice” thing is also bad for another reason: containers. Suppose I have a setup where a container can load a signed module blob. With the read twice code, the container can race and run an entirely different blob outside the container.
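
The "read twice" hazard discussed above, as an added example that is not part of the original email and is not kernel code: userspace C that compares verifying one read and using a second read against verifying and using a single in-memory copy. The toy hash standing in for signature verification, the file path, and the `swap_blob` writer that changes the file between check and use are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for signature verification (assumption): toy FNV-1a digest compare. */
static uint64_t digest(const char *b, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= (unsigned char)b[i]; h *= 1099511628211ULL; }
    return h;
}
/* Read up to cap-1 bytes of the file at path into buf, NUL-terminated. */
static size_t slurp(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "rb");
    size_t n = f ? fread(buf, 1, cap - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    return n;
}
static void spit(const char *path, const char *s) {
    FILE *f = fopen(path, "wb");
    if (f) { fputs(s, f); fclose(f); }
}
/* Hypothetical writer that changes the file between the check and the use. */
static void swap_blob(const char *path) { spit(path, "UNSIGNED-BLOB"); }

/* Read twice: verify one read, then hand a second read of the path to the caller. */
int load_read_twice(const char *path, uint64_t good, char *run, size_t cap) {
    char chk[64];
    size_t n = slurp(path, chk, sizeof chk);
    if (digest(chk, n) != good) return -1;
    swap_blob(path);             /* window between check and use */
    slurp(path, run, cap);       /* these bytes were never verified */
    return 0;
}
/* Read once: verify and use the same in-memory copy. */
int load_read_once(const char *path, uint64_t good, char *run, size_t cap) {
    size_t n = slurp(path, run, cap);
    if (digest(run, n) != good) { run[0] = '\0'; return -1; }
    swap_blob(path);             /* later file changes cannot affect the copy */
    return 0;
}
int main(void) {
    const char *p = "/tmp/module_blob_demo.tmp";   /* constructed sample file */
    char run[64];
    uint64_t good = digest("SIGNED-BLOB", strlen("SIGNED-BLOB"));
    spit(p, "SIGNED-BLOB"); load_read_twice(p, good, run, sizeof run);
    printf("read twice uses: %s\n", run);
    spit(p, "SIGNED-BLOB"); load_read_once(p, good, run, sizeof run);
    printf("read once uses:  %s\n", run);
    remove(p);
    return 0;
}
```

Both loaders report success, but only the single-read loader guarantees that the bytes handed on are the bytes that were checked.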