From: Andrea Arcangeli
To: "Dr. David Alan Gilbert"
Cc: Andrew Morton, Peter Xu, linux-kernel@vger.kernel.org, Paolo Bonzini,
    Hugh Dickins, Luis Chamberlain, Maxime Coquelin, Maya Gokhale,
    Jerome Glisse, Pavel Emelyanov, Johannes Weiner, Martin Cracauer,
    Denis Plotnikov, linux-mm@kvack.org, Marty McFadden, Mike Kravetz,
    Mike Rapoport, Kees Cook, Mel Gorman, "Kirill A. Shutemov",
    linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org
Date: Wed, 20 Mar 2019 15:01:12 -0400
Subject: Re: [PATCH v2 1/1] userfaultfd/sysctl: add vm.unprivileged_userfaultfd
Message-ID: <20190320190112.GD23793@redhat.com>
In-Reply-To: <20190319182822.GK2727@work-vm>
References: <20190319030722.12441-1-peterx@redhat.com>
    <20190319030722.12441-2-peterx@redhat.com>
    <20190319110236.b6169d6b469a587a852c7e09@linux-foundation.org>
    <20190319182822.GK2727@work-vm>

Hello,

On Tue, Mar 19, 2019 at 06:28:23PM +0000, Dr. David Alan Gilbert wrote:
> ---
> Userfaultfd can be misused to make it easier to exploit existing use-after-free
> (and similar) bugs that might otherwise only make a short window
> or race condition available. By using userfaultfd to stall a kernel
> thread, a malicious program can keep some state, that it wrote, stable
> for an extended period, which it can then access using an existing
> exploit. While it doesn't cause the exploit itself, and while it's not
> the only thing that can stall a kernel thread when accessing a memory location,
> it's one of the few that never needs privilege.
>
> Add a flag, allowing userfaultfd to be restricted, so that in general
> it won't be usable by arbitrary user programs, but in environments that
> require userfaultfd it can be turned back on.

The default in the patch leaves userfaultfd enabled to all users, so it
may be clearer to reverse the last sentence to "in hardened environments
it allows to restrict userfaultfd to privileged processes.".

We can also make an example that 'While this is not a kernel issue, in
practice unless you also "chmod u-s /usr/bin/fusermount" there's no
tangible benefit in removing privileges for userfaultfd, other than
probabilistic ones by decreasing the attack surface of the kernel, but
that would better be achieved through SECCOMP and not globally.'.
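The reply above pairs the new sysctl with the setuid fusermount binary: restricting userfaultfd(2) to privileged users buys little on a host where any user can still drive a FUSE filesystem. The script below is an added audit example, not code from the thread or from the patch under review. It assumes the sysctl value semantics that the merged sysctl later documented (0 = privileged users only, 1 = any user), which the patch text quoted here does not spell out, and it treats a kernel without the sysctl file as "unsupported" rather than as a failure.

```shell
#!/bin/sh
# Added audit example (not part of the thread): report whether the two
# unprivileged ways of stalling a kernel thread discussed above are open.
# Assumption: vm.unprivileged_userfaultfd reads 0 (privileged only) or 1
# (all users), as in the later admin-guide documentation of the sysctl.

UFFD_SYSCTL=/proc/sys/vm/unprivileged_userfaultfd
FUSERMOUNT=/usr/bin/fusermount

# Map a raw sysctl value to a policy label.
interpret_uffd_value() {
    case "$1" in
        0) echo "privileged-only" ;;
        1) echo "all-users" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Policy of the running kernel; kernels predating the sysctl have no file.
uffd_policy() {
    if [ -r "$UFFD_SYSCTL" ]; then
        interpret_uffd_value "$(cat "$UFFD_SYSCTL")"
    else
        echo "unsupported"
    fi
}

# Whether a binary still carries the setuid bit ("chmod u-s" undone/never done).
setuid_status() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "absent"
    elif [ -u "$path" ]; then
        echo "setuid"
    else
        echo "not-setuid"
    fi
}

# Combine both findings: "partial" captures the case the reply warns about,
# userfaultfd restricted globally while a setuid fusermount remains.
uffd_hardening_verdict() {
    uffd="$1"
    fuse="$2"
    if [ "$uffd" = "privileged-only" ] && [ "$fuse" != "setuid" ]; then
        echo "restricted"
    elif [ "$uffd" = "privileged-only" ]; then
        echo "partial"
    else
        echo "open"
    fi
}

main() {
    u=$(uffd_policy)
    f=$(setuid_status "$FUSERMOUNT")
    echo "vm.unprivileged_userfaultfd: $u"
    echo "$FUSERMOUNT: $f"
    echo "verdict: $(uffd_hardening_verdict "$u" "$f")"
}

main "$@"
```

A "partial" verdict is the situation the reply describes: the global knob is set, but the setuid helper still gives unprivileged users a FUSE-based way to stall a kernel thread. The per-process alternative the reply prefers, a seccomp filter denying the userfaultfd syscall to workloads that do not need it, is not something this script checks.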