From: Justin Capella
Date: Sat, 4 Jan 2020 17:19:14 -0800
Subject: Re: [PATCH bpf-next] bpf: Make trampolines W^X
To: KP Singh
Cc: Andy Lutomirski, Rick Edgecombe, LKML, bpf@vger.kernel.org, x86@kernel.org, linux-security-module@vger.kernel.org, Kees Cook, "David S. Miller", Alexey Kuznetsov, Hideaki YOSHIFUJI, Alexei Starovoitov, Daniel Borkmann, Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko, Thomas Garnier, Florent Revest, Brendan Jackman, Jann Horn, Matthew Garrett, Michael Halcrow
References: <20200103234725.22846-1-kpsingh@chromium.org>
List: linux-kernel@vger.kernel.org

I'm guessing 2 pages are used to allow for different protections? Does only the first page's protections need to be changed? Is that "old_image"?

+	set_memory_nx((unsigned long)image, 1);
+	set_memory_rw((unsigned long)image, 1);
+	set_memory_ro((unsigned long)new_image, 1);
+	set_memory_x((unsigned long)new_image, 1);

Because

+	void *old_image = tr->image + ((tr->selector + 1) & 1) * PAGE_SIZE;
+	void *new_image = tr->image + (tr->selector & 1) * PAGE_SIZE

> > - Mark the memory as read-only (set_memory_ro)
> > - Mark the memory as executable (set_memory_x)
>
> No, thanks. There's very little excuse for doing two IPI flushes when one would suffice.

If there were checks between these steps to verify the trampoline wasn't tampered with while the page was writable, it would make sense to do so before enabling execution.

Could some of these ints be unsigned to be extra cautious?

One last thought: if the extra checks are implemented, maybe comparing against the old image prior to setting rw would be worthwhile?
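Review bot: the return values of the four quoted set_memory_*() calls are dropped, so if set_memory_ro() or set_memory_x() on new_image fails, the page is still published through the selector in whatever state it was left in and nothing reports the error; each call should be checked and the update aborted, without touching the selector, on failure. The quoted reply's point about two IPI flushes applies to both pairs in the hunk: set_memory_nx() + set_memory_rw() on the page being reused and set_memory_ro() + set_memory_x() on the page just written each change one protection bit and flush separately, where a single permission change per page would need one flush.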
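The two-page alternation the quoted lines implement, as an added user-space model that is not the patch's or the kernel's code: mmap/mprotect stand in for set_memory_*, the `trampoline` struct with `image`/`selector` mirrors the quoted `tr->image`/`tr->selector` arithmetic, and the integrity check before the selector switch, the `tr_*` names and the constructed bodies are assumptions made for the example. The spare page is made writable and executable in one protection change each, so no page is ever W+X and each step costs one flush.

```c
/* Added example, not code from the patch or the kernel: user-space model of the
 * two-page W^X trampoline scheme, with mprotect() in place of set_memory_*(). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct trampoline {
    void *image;            /* two consecutive pages, only one live at a time */
    unsigned int selector;  /* low bit picks the live page, as in the patch */
    size_t page;
};

static int tr_init(struct trampoline *tr)
{
    tr->page = (size_t)sysconf(_SC_PAGESIZE);
    tr->image = mmap(NULL, 2 * tr->page, PROT_READ | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (tr->image == MAP_FAILED)
        return -1;
    tr->selector = 0;
    return 0;
}

/* Same arithmetic as the quoted new_image / old_image lines. */
static void *tr_active(struct trampoline *tr)
{
    return (char *)tr->image + (tr->selector & 1) * tr->page;
}
static void *tr_spare(struct trampoline *tr)
{
    return (char *)tr->image + ((tr->selector + 1) & 1) * tr->page;
}

/* Rewrite the spare page while it is RW (never X), make it RX with a single
 * protection change, verify it, then flip the selector.  On any failure the
 * selector is left alone so the old image stays live.  Returns 0 on success. */
static int tr_update(struct trampoline *tr, const unsigned char *body, size_t len)
{
    void *spare = tr_spare(tr);

    if (len > tr->page)
        return -1;
    /* one change drops X and adds W together (one flush, not two) */
    if (mprotect(spare, tr->page, PROT_READ | PROT_WRITE) != 0)
        return -1;
    memset(spare, 0, tr->page);
    memcpy(spare, body, len);
    /* one change drops W and adds X together; its result must be checked */
    if (mprotect(spare, tr->page, PROT_READ | PROT_EXEC) != 0) {
        (void)mprotect(spare, tr->page, PROT_NONE); /* never publish a W page */
        return -1;
    }
    /* assumed integrity check, done before the selector publishes the page */
    if (memcmp(spare, body, len) != 0)
        return -1;
    tr->selector++;
    return 0;
}

/* Linux-specific check: 1 if either trampoline page is mapped W and X at once,
 * 0 if not, -1 if /proc/self/maps cannot be read. */
static int tr_any_wx(struct trampoline *tr)
{
    uintptr_t lo = (uintptr_t)tr->image, hi = lo + 2 * tr->page;
    char line[512], perms[5];
    unsigned long s, e;
    int wx = 0;
    FILE *f = fopen("/proc/self/maps", "r");

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &s, &e, perms) != 3)
            continue;
        if (e <= lo || s >= hi)
            continue;
        if (perms[1] == 'w' && perms[2] == 'x')
            wx = 1;
    }
    fclose(f);
    return wx;
}

/* Two updates with constructed bodies: images must land on alternating pages,
 * the live page must hold the latest body, and no page may ever be W+X. */
static int tr_demo(void)
{
    struct trampoline tr;
    const unsigned char body1[] = { 0xc3 };        /* constructed: x86 "ret" */
    const unsigned char body2[] = { 0x90, 0xc3 };  /* constructed: "nop; ret" */

    if (tr_init(&tr) != 0)
        return 1;
    if (tr_update(&tr, body1, sizeof body1) != 0 || tr.selector != 1)
        return 2;
    if (tr_active(&tr) != (char *)tr.image + tr.page || memcmp(tr_active(&tr), body1, 1) != 0)
        return 3;
    if (tr_any_wx(&tr) > 0)
        return 4;
    if (tr_update(&tr, body2, sizeof body2) != 0 || tr_active(&tr) != tr.image)
        return 5;
    if (memcmp(tr_active(&tr), body2, 2) != 0 || tr_any_wx(&tr) > 0)
        return 6;
    munmap(tr.image, 2 * tr.page);
    return 0;
}

int main(void)
{
    int rc = tr_demo();
    printf("two-page W^X model: %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The selector is only advanced after the spare page is read-only, executable and verified, which is the ordering the reply asks about: a failed protection change or a mismatch leaves the previous image live rather than exposing a half-protected page.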