Subject: Re: [PATCH 7/9] Pmalloc Rare Write: modify selected pools
From: lazytyped
Date: Tue, 24 Apr 2018 17:03:25 +0200
To: Matthew Wilcox
Cc: Igor Stoppa, keescook@chromium.org, paul@paul-moore.com, sds@tycho.nsa.gov, mhocko@kernel.org, corbet@lwn.net, labbott@redhat.com, david@fromorbit.com, rppt@linux.vnet.ibm.com, linux-security-module@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Carlos Chinea Perez, Remi Denis Courmont
References: <20180423125458.5338-1-igor.stoppa@huawei.com> <20180423125458.5338-8-igor.stoppa@huawei.com> <20180424115050.GD26636@bombadil.infradead.org> <20180424144404.GF26636@bombadil.infradead.org>
In-Reply-To: <20180424144404.GF26636@bombadil.infradead.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/24/18 4:44 PM, Matthew Wilcox wrote:
> On Tue, Apr 24, 2018 at 02:32:36PM +0200, lazytyped wrote:
>> On 4/24/18 1:50 PM, Matthew Wilcox wrote:
>>> struct modifiable_data {
>>>     struct immutable_data *d;
>>>     ...
>>> };
>>>
>>> Then allocate a new pool, change d and destroy the old pool.
>> With the above, you have just shifted the target of the arbitrary write
>> from the immutable data itself to the pointer to the immutable data, so
>> you got no security benefit.
> There's always a pointer to the immutable data. How do you currently
> get to the selinux context? file->f_security. You can't make 'file'
> immutable, so file->f_security is the target of the arbitrary write.
> All you can do is make life harder, and reduce the size of the target.

So why does adding an extra pointer/indirection help here? It adds attack
surface.

>
>> The goal of the patch is to reduce the window when stuff is writeable,
>> so that an arbitrary write is likely to hit the time when data is read-only.
> Yes, reducing the size of the target in time as well as bytes. This patch
> gives attackers a great roadmap (maybe even gadget) to unprotecting
> a pool.

I don't think this is relevant to the threat model this patch addresses.
If the attacker can already execute code, it doesn't matter whether this
specific piece of code exists or not. In general, if an attacker got to the
point of using gadgets, you've lost.

On the contrary, it opens the road to design trusted paths that can write
to or access data that would generally be read-only or not accessible
(with, of course, all the complexity, limitations and penalties of doing
this purely in software on a page sized basis).

            -   Enrico
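As an added illustration of the "reduce the window when stuff is writeable" point (this is a user-space model written for this note, not code from the pmalloc patch or from anyone in the thread): the protected object lives on a page that is normally mapped read-only, a rare-write helper opens a short read-write window, performs the update and seals the page again, and a stray write attempted outside that window faults instead of silently succeeding. Every name here (`struct immutable_data`, `pool_init`, `rare_write_flags`, `try_write_outside_window`, `pool_flags`, `pool_destroy`) is an assumption made for the example; the real pmalloc API is not reproduced, and the model only covers the time-window aspect, not the pointer-indirection question discussed above.

```c
/* Added example: a user-space model of a "rare write" pool using mprotect().
 * Names and the struct layout are hypothetical; they stand in for an object
 * that a pmalloc-style pool would keep read-only between rare updates. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical immutable object (constructed for the example). */
struct immutable_data {
    unsigned long policy_flags;
    char label[32];
};

static struct immutable_data *pool;   /* one page-sized pool, normally PROT_READ */
static size_t pool_len;
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

/* SIGSEGV handler: record the fault and unwind back to the probe site. */
static void on_segv(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Map the pool writable, fill it once, then seal it read-only. Returns 0 on success. */
int pool_init(unsigned long flags, const char *label)
{
    pool_len = (size_t)sysconf(_SC_PAGESIZE);
    pool = mmap(NULL, pool_len, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (pool == MAP_FAILED)
        return -1;
    pool->policy_flags = flags;
    strncpy(pool->label, label, sizeof(pool->label) - 1);
    pool->label[sizeof(pool->label) - 1] = '\0';
    return mprotect(pool, pool_len, PROT_READ);
}

/* The rare-write primitive: open the window, update, close it again. */
int rare_write_flags(unsigned long new_flags)
{
    if (mprotect(pool, pool_len, PROT_READ | PROT_WRITE) != 0)
        return -1;
    pool->policy_flags = new_flags;
    return mprotect(pool, pool_len, PROT_READ);   /* window closed */
}

/* Probe: attempt a write while the pool is sealed.
 * Returns 1 if the write faulted (data untouched), 0 if it went through. */
int try_write_outside_window(unsigned long attempted_flags)
{
    struct sigaction sa, old;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        /* volatile so the compiler cannot elide the store */
        volatile unsigned long *p = &pool->policy_flags;
        *p = attempted_flags;   /* page is PROT_READ here: this faults */
    }
    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

unsigned long pool_flags(void)
{
    return pool->policy_flags;
}

void pool_destroy(void)
{
    if (pool && pool != MAP_FAILED)
        munmap(pool, pool_len);
    pool = NULL;
}
```

The design point the model makes explicit is the one Enrico is arguing: the only writes that land are those issued through `rare_write_flags()`, so an arbitrary write that happens at any other moment hits a read-only page and faults. Whether an attacker who already controls execution can simply call the helper is exactly the threat-model question left open in the thread; the model does nothing to settle it.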