Received: by 10.192.165.148 with SMTP id m20csp4794316imm;
        Tue, 24 Apr 2018 08:30:47 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/QBHR88/ZUbnTLEbZ102B2ZYBIvaGXQnW4RMq2H4keiEWsqKtnJw+tL6LUOH2bMKTqKL5D
X-Received: by 2002:a17:902:8bc6:: with SMTP id r6-v6mr25680354plo.66.1524583847277;
        Tue, 24 Apr 2018 08:30:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524583847; cv=none;
        d=google.com; s=arc-20160816;
        b=xzFQ1HkPgU+CdbgfRjrZkD6+aQDC5kkBac7f7YxwFPaBary4EDxdJ2G6g3OG807Uuq
         x5HM8P0TVSUAPlcFmqBT50n5Trn0Z+veZcchKAkOGyfZ3F9iKHvcDb/xPdhjEUWwhQyE
         RSHseITQlN8qTNUvHj9BgLwRv7AheXE1VMVO5GzB9Cxl+U4cyM5cTuvin34ztvVF1EMI
         qAtyhfkIIkru5kwGkEJpx8+tjnpGrkgC+SvMrTzC3LxLXo84J6sgLCdfgWC/4OOm8ukf
         p6iXJUsOqv3DFStDJ5rCI/OtXVPlIeXZtpO7sVG9mHIAsEpZLjK6qxi7D+lYQNwdFiNW
         vglw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature
         :arc-authentication-results;
        bh=fengJc3/RWUkTJvsa3BFD/1Cj8ARDj/NgFG2d6ciGN8=;
        b=aBwLQEi0pvCycwEUUDOB7m90rjuBNyv7X+nK1FPUEyY+0uidvu/duMhz8cJkjXXozX
         YC1hNgRacjVE2FZuubMiN0PQ+1k1sBiXNTV3lC1UsEf7VyqX7eKmYfCjPAOOXSNmx80Z
         QVGuwl6XVoCVjU9OfyY5gkvQGrLPdr3lJBq8WgiuoqtKdIA6lc06kFDjHM1QkcG3oz4H
         Y6Fybk0G98bzDrd2EMRmNlr88OQC3gUpK2qV73zfJydaKQOURjfTOrCSjgN9OlBlvlGu
         WnJtKA4Fcxl98XG2F56d8LXLxRBI1kA37q8fFFZ3IDjN14VZg4SEV3KlbNI+gHA2oszw
         6RRQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZhdnJZd5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p11-v6si16927791plo.276.2018.04.24.08.30.32;
        Tue, 24 Apr 2018 08:30:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZhdnJZd5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751906AbeDXP3K (ORCPT
        <rfc822;ArcheFireLinuxKernelMain@gmail.com> + 99 others);
        Tue, 24 Apr 2018 11:29:10 -0400
Received: from mail-pf0-f176.google.com ([209.85.192.176]:34733 "EHLO
        mail-pf0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750749AbeDXP3I (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 24 Apr 2018 11:29:08 -0400
Received: by mail-pf0-f176.google.com with SMTP id a14so2047925pfi.1;
        Tue, 24 Apr 2018 08:29:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=fengJc3/RWUkTJvsa3BFD/1Cj8ARDj/NgFG2d6ciGN8=;
        b=ZhdnJZd5MF/rw75YVs9Ncc2lDrztvZNgcRcXW6TYZhimYiLHQqxDRA/ubxmMCFcflA
         /mTS3zg+zdDq15Q76j6t9+Pp4E/LoERude8CIHZ7h7zKDYw+5AUT3BUofOyF23A38UFf
         ncNQ02d0ILNqB2OKY5gVVVePRhTH9p7HI2UELrYDae7JeCXL6kWJXFEnaLTePS0jSEzi
         hgVdA5NPrOmhLPIYN21QuJr/OgSKBPfXzGnNqm8uBa6rHh8iUGRXnVFfiIs7OFlxeMBP
         Ci69RJ8NuJ2No0GCZUHDZVgtjVrPUoAk71eqSIjwut9Tn5BMk1mt5yMwAtuVV1XK1atJ
         b7yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=fengJc3/RWUkTJvsa3BFD/1Cj8ARDj/NgFG2d6ciGN8=;
        b=hIK81geKqcLH41FV3iYJ5s3akS/YSTAwoZLro6ChpHR3ghZOCtMzgJjJ0fQuTTG/+3
         8kD/OlLx+s0Zs+LW9VVJIT2fQoyINA7u87VZgPkFtKKbyQAOlkytlrZ8wO5Z4Ix5GOYy
         e6ba+iWT8Suv63sQGrXQJGvg5CFRK6h3TFxK68T6SwWsDFCzvu1qWIE2Qenb7YOPzHtU
         t8vj7IbpQ7VlBqZ+ThUcPfm2NTXEGrooC8HDHwUZEDP+TuoOeWAPyJnIPOjIlBFR+InY
         cSC38BhEYOAGilMhQb0FPpW2HC+UGJCTRxfC4K0F7CY0VWoZ7pBqBCgaUvrGZ2g9KeDi
         Y6cw==
X-Gm-Message-State: ALQs6tDIdEln0Az+gagS+UxeWVlBfeJfFB2/f2jEf7hXMLZ/JGPbc3uf
        pZCcu0eIKZ5aw8MHjccB2zU=
X-Received: by 2002:a17:902:6181:: with SMTP id u1-v6mr25131467plj.272.1524583747667;
        Tue, 24 Apr 2018 08:29:07 -0700 (PDT)
Received: from [10.11.17.54] ([198.233.165.212])
        by smtp.gmail.com with ESMTPSA id k66sm25531781pgk.24.2018.04.24.08.29.06
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 24 Apr 2018 08:29:07 -0700 (PDT)
Subject: Re: [PATCH 7/9] Pmalloc Rare Write: modify selected pools
To:     lazytyped <lazytyped@gmail.com>,
        Matthew Wilcox <willy@infradead.org>
Cc:     keescook@chromium.org, paul@paul-moore.com, sds@tycho.nsa.gov,
        mhocko@kernel.org, corbet@lwn.net, labbott@redhat.com,
        linux-cc=david@fromorbit.com, --cc=rppt@linux.vnet.ibm.com,
        --security-module@vger.kernel.org, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com,
        Igor Stoppa <igor.stoppa@huawei.com>,
        Carlos Chinea Perez <carlos.chinea.perez@huawei.com>,
        Remi Denis Courmont <remi.denis.courmont@huawei.com>
References: <20180423125458.5338-1-igor.stoppa@huawei.com>
 <20180423125458.5338-8-igor.stoppa@huawei.com>
 <20180424115050.GD26636@bombadil.infradead.org>
 <eb23fbd9-1b9e-8633-b0eb-241b8ad24d95@gmail.com>
 <20180424144404.GF26636@bombadil.infradead.org>
 <b1efb813-3629-518c-4eeb-7d15eb5e7319@gmail.com>
From:   Igor Stoppa <igor.stoppa@gmail.com>
Message-ID: <a8ea4455-3be8-153e-0ac4-52ef27a942b4@gmail.com>
Date:   Tue, 24 Apr 2018 19:29:05 +0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <b1efb813-3629-518c-4eeb-7d15eb5e7319@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 24/04/18 19:03, lazytyped wrote:
> 
> 
> On 4/24/18 4:44 PM, Matthew Wilcox wrote:
>> On Tue, Apr 24, 2018 at 02:32:36PM +0200, lazytyped wrote:
>>> On 4/24/18 1:50 PM, Matthew Wilcox wrote:
>>>> struct modifiable_data {
>>>> 	struct immutable_data *d;
>>>> 	...
>>>> };
>>>>
>>>> Then allocate a new pool, change d and destroy the old pool.
>>> With the above, you have just shifted the target of the arbitrary write
>>> from the immutable data itself to the pointer to the immutable data, so
>>> got no security benefit.
>> There's always a pointer to the immutable data.  How do you currently
>> get to the selinux context?  file->f_security.  You can't make 'file'
>> immutable, so file->f_security is the target of the arbitrary write.
>> All you can do is make life harder, and reduce the size of the target.
> 
> So why adding an extra pointer/indirection helps here? It adds attacking
> surface.
>>
>>> The goal of the patch is to reduce the window when stuff is writeable,
>>> so that an arbitrary write is likely to hit the time when data is read-only.
>> Yes, reducing the size of the target in time as well as bytes.  This patch
>> gives attackers a great roadmap (maybe even gadget) to unprotecting
>> a pool.
> 
> I don't think this is relevant to the threat model this patch addresses.
> If the attacker can already execute code, it doesn't matter whether this
> specific piece of code exists or not. In general, if an attacker got to
> the point of using gadgets, you've lost.

Realistically, if the attacker can execute arbitrary code, through 
gadgets, there is nothing preventing a direct attack to the physical 
page, by remapping it, exactly like the patch does.
Or even changing the page table.

Wrt re-utilizing this specific rare_write() function, it would be 
possible to mark it as __always_inline, so that it will be executed only 
with the data and pool it is intended for.

Then, if one has access to a compiler plugin that does CFI, it becomes 
harder to reuse the inlined function.

Inlining should not be too bad, as size overhead.

OTOH, having the pointer always laying around at a specific address, 
allows for easier scanning - and attack - of the data

The remapping to a temporary address should make it harder to figure out 
where to write to.

Again, the whole assumption behind pmalloc is that the attacker can do 
read and writes, maybe limited execution, in the form of function calls.

But if the attacker can execute arbitrary code, all bets are off and the 
system is forfeited.

Really critical data should go into a TEE or similar isolated environment.

> On the contrary, it opens the road to design trusted paths that can
> write to or access data that would generally be read-only or not
> accessible (with, of course, all the complexity, limitations and
> penalties of doing this purely in software on a page sized basis).

I had considered the COW approach, where I would allocate a new page and 
swap it atomically, but it is not supported on ARM.

--

igor