Received: by 10.223.185.111 with SMTP id b44csp500096wrg; Fri, 9 Mar 2018 08:26:11 -0800 (PST) X-Google-Smtp-Source: AG47ELuhYxK4cTKtqQXek/V0pL2OEFRXJ7pESix8TzMnHinTNVuEXmX+3fRjcIL3XecygNrRzzDQ X-Received: by 10.99.119.79 with SMTP id s76mr1980458pgc.291.1520612771443; Fri, 09 Mar 2018 08:26:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520612771; cv=none; d=google.com; s=arc-20160816; b=B9VM03vNBN35fudvNm5iaKdfLAZ9bn6c45+PTQnNNXDteAR/IZhqGwwuB+7Gwk+jt2 xyJs6Sz17ZbSiMkRX14qhAhTRE36uQVOR1vMs0Ix7YyDAaHULkL4Nkj04bZiwuDDSyoj OiIy9nwiVO3dTEpiPIueI8AToRyT7NOyOG3CmuY96xNeIoO8GVaOymnVTl2Vb0j61Qt3 GUzKe28mUccpc/XFNy/zlOIhEjEtQvm4Q0psWis3pNIwVsfG2INb2hYaBHQuYYOlO/6A cNljztpk3OMMjn0z6JG0kw+oViwp4Rly4kOUJqEkVidXc7ZXo1zotMCPNPa+OOGiySpr bynA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dmarc-filter:arc-authentication-results; bh=Vn1SCU5lSvC4fjeOb1j0B7QcOdaFG8TurNxdIZjpM0o=; b=LGltRN5xOKqO6gC9I/KOAdwIMXuFK2jyf6kAfc1r8PfiFfR+DUUDwtw/lViOm671EN vQ2L7r0pi5lFc1/+V8+SIpDsWi5ZU2GmMAHlGuMa/B+JBghrWoVBtxcN3SXhxbkfcSTz 3h+oNfvXM7UZqfc0k3fAfzGO6ODijQlOP9vV2IbRwkVYwhs0toT6+1M+MEw9FdLB2qLk 0xb7TECnr9VgtSA/vxhhNFIZeYDv8NgJ8UYIZuq0TiJJ8mgs560KITrs6C6zpJ0sD2HL 6Zk2Vemr5vwnMRNGvb0Pz2VDy47kZmCJTOvqROJo/R7xOdtp2W1qPPEhM87o8eCSY5HO 0tbw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a10si930747pgq.174.2018.03.09.08.25.56; Fri, 09 Mar 2018 08:26:11 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932234AbeCIQY4 convert rfc822-to-8bit (ORCPT + 99 others); Fri, 9 Mar 2018 11:24:56 -0500 Received: from mail.kernel.org ([198.145.29.99]:51814 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751193AbeCIQYy (ORCPT ); Fri, 9 Mar 2018 11:24:54 -0500 Received: from mail-io0-f172.google.com (mail-io0-f172.google.com [209.85.223.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CCE7B2179F for ; Fri, 9 Mar 2018 16:24:53 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CCE7B2179F Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f172.google.com with SMTP id e7so4145129ioj.1 for ; Fri, 09 Mar 2018 08:24:53 -0800 (PST) X-Gm-Message-State: APf1xPC8r0wyp/EQtSqpKK0tSecQkjdTk2NPXzMiJcwHs79UsYOV5M3k C9W7u95Fusn7gKqa1Cn3y2scJ8pxGbi2m1kXtn+oTA== X-Received: by 10.107.88.10 with SMTP id m10mr33236669iob.144.1520612693016; Fri, 09 Mar 2018 08:24:53 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.137.101 with HTTP; Fri, 9 Mar 2018 08:24:32 -0800 (PST) In-Reply-To: <6d2e31fa-d87b-fea6-c919-b7d066bb0385@fb.com> References: <20180306013457.1955486-1-ast@kernel.org> <87478c51-59a7-f6ac-1fb2-f3ca2dcf658b@fb.com> <6d2e31fa-d87b-fea6-c919-b7d066bb0385@fb.com> From: Andy Lutomirski Date: Fri, 9 Mar 2018 16:24:32 +0000 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries To: Alexei Starovoitov Cc: Andy Lutomirski , Linus Torvalds , Kees Cook , Alexei Starovoitov , Djalal Harouni , Al Viro , "David S. Miller" , Daniel Borkmann , Greg KH , "Luis R. Rodriguez" , Network Development , LKML , kernel-team , Linux API Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 9, 2018 at 3:39 PM, Alexei Starovoitov wrote: > On 3/9/18 7:16 AM, Andy Lutomirski wrote: >>>> >>>> On Mar 8, 2018, at 9:08 PM, Alexei Starovoitov wrote: >>>> >>>> On 3/8/18 7:54 PM, Andy Lutomirski wrote: >>>> >>>> >>>> >>>>> On Mar 8, 2018, at 7:06 PM, Linus Torvalds >>>>> wrote: >>>>> >>>>> >>>>> Honestly, that "read twice" thing may be what scuttles this. >>>>> Initially, I thought it was a non-issue, because anybody who controls >>>>> the module subdirectory enough to rewrite files would be in a position >>>>> to just execute the file itself directly instead. >>>> >>>> >>>> On further consideration, I think there’s another showstopper. This >>>> patch is a potentially severe ABI break. Right now, loading a module >>>> *copies* it into memory and does not hold a reference to the underlying fs. >>>> With the patch applied, all kinds of use cases can break in gnarly ways. >>>> Initramfs is maybe okay, but initrd may be screwed. If you load an ET_EXEC >>>> module from initrd, then umount it, then clear the ramdisk, something will >>>> go horribly wrong. Exactly what goes wrong depends on whether userspace >>>> notices that umount() failed. Similarly, if you load one of these modules >>>> over a network and then lose your connection, you have a problem. >>> >>> >>> there is not abi breakage and file cannot disappear from running task. >>> One cannot umount fs while file is still being used. >> >> >> Sure it is. Without your patch, init_module doesn’t keep using the >> file, so it’s common practice to load a module and then delete or >> unmount it. With your patch, the unmount case breaks. This is likely >> to break existing userspace, so, in Linux speak it’s an ABI break. > > > please read the patch again. > file is only used in case of umh modules. > There is zero difference in default case. Say I'm running some distro or other working Linux setup. I upgrade my kernel to a kernel that uses umh modules. The user tooling generates some kind of boot entry that references the new kernel image, and it also generates a list of modules to be loaded at various times in the boot process. This list might, and probably should, include one or more umh modules. (You are being very careful to make sure that depmod keeps working, so umh modules are clearly intended to work with existing tooling.) So now I have a kernel image and some modules to be loaded from various places. And I have an init script (initramfs's '/init' or similar) that will call init_module() on that .ko file. That script was certainly written under the assumption that, once init_module() returns, the kernel is done with the .ko file. With your patch applied, that assumption is no longer true. RHEL 5 uses initrd and is still supported. For all I know, some embedded setups put their initial /lib on some block device that literally disappears after they finish booting. There are livecds that let you boot in a mode that lets you remove the CD after you finish booting. Heck, someone must have built something that calls init_module() on a FUSE filesystem. Heck, on my laptop, all my .ko files are labeled system_u:object_r:modules_object_t:s0. I wonder how many SELinux setups (and AppArmor, etc) will actually disallow execve() on modules? > >>> >>>> >>>> The “read twice” thing is also bad for another reason: containers. >>>> Suppose I have a setup where a container can load a signed module blob. With >>>> the read twice code, the container can race and run an entirely different >>>> blob outside the container. >>> >>> >>> Not only "read twice", but "read many". >>> If .text sections of elf that are not yet in memory can be modified >>> by malicious user, later they will be brought in with different code. >>> I think the easiest fix to tighten this "umh modules" to CAP_SYS_ADMIN. >> >> >> Given this issue, I think the patch would need Kees’s explicit ack. I >> had initially thought your patch had minimal security impact, but I >> was wrong Module security is very complicated and needs to satisfy a >> bunch of requirements. There is a lot of code in the kernel that >> assumes that it’s sufficient to verify a module once at load time, >> your patch changes that, and this has all kinds of nasty interactions >> with autoloading. > > > not true. you misread the patch and making incorrect conclusions. So please tell my exactly how I misread the patch and why Linus' conclusion (which is what I'm echoing) is wrong. > > I think you need to stop overreacting on non-issue. > Can you please try to have a constructive discussion here? It's not so enjoyable to review patches when author declares review comments to be non-issues without actually explaining *why* they're non-issues. Alexei, I'm willing to be shown that I'm wrong, but you have to show me how I'm wrong rather than just telling me over and over that I'm wrong.