Subject: Re: [RFC PATCH 0/5] madvise MADV_DOEXEC
To: Andy Lutomirski, Anthony Yznaga
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
    linux-mm@kvack.org, linux-arch@vger.kernel.org, mhocko@kernel.org,
    tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org,
    hpa@zytor.com, viro@zeniv.linux.org.uk, akpm@linux-foundation.org,
    arnd@arndb.de, ebiederm@xmission.com, keescook@chromium.org,
    gerg@linux-m68k.org, ktkhai@virtuozzo.com, christian.brauner@ubuntu.com,
    peterz@infradead.org, esyr@redhat.com, jgg@ziepe.ca, christian@kellner.me,
    areber@redhat.com, cyphar@cyphar.com
References: <1595869887-23307-1-git-send-email-anthony.yznaga@oracle.com>
    <1764B08C-CC1E-4636-944A-DB95B81C7A8E@amacapital.net>
From: Steven Sistare
Organization: Oracle Corporation
Message-ID: <54599ed9-99f1-378e-bccf-ba41ef1f8217@oracle.com>
Date: Tue, 28 Jul 2020 10:30:41 -0400
In-Reply-To: <1764B08C-CC1E-4636-944A-DB95B81C7A8E@amacapital.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/28/2020 10:23 AM, Andy Lutomirski wrote:
>> On Jul 27, 2020, at 10:02 AM, Anthony Yznaga wrote:
>>
>> This patchset adds support for preserving an anonymous memory range across
>> exec(3) using a new madvise MADV_DOEXEC argument. The primary benefit for
>> sharing memory in this manner, as opposed to re-attaching to a named shared
>> memory segment, is to ensure it is mapped at the same virtual address in
>> the new process as it was in the old one. An intended use for this is to
>> preserve guest memory for guests using vfio while qemu exec's an updated
>> version of itself. By ensuring the memory is preserved at a fixed address,
>> vfio mappings and their associated kernel data structures can remain valid.
>> In addition, for the qemu use case, qemu instances that back guest RAM with
>> anonymous memory can be updated.
>
> This will be an amazing attack surface. Perhaps use of this flag should require no_new_privs? Arguably it should also require a special flag to execve() to honor it. Otherwise library helpers that do vfork()+exec() or posix_spawn() could be quite surprised.

Preservation is disabled across fork, so fork/exec combos are not affected. We forgot to document that.

- Steve
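
The no_new_privs precondition suggested in the quoted reply, shown as an added example that is not part of this thread or of the patchset: it checks that the attribute can be set, cannot be cleared again, and is inherited by a forked child. MADV_DOEXEC itself is not used; the function and macro names are hypothetical.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define NNP_SET       0x1  /* attribute was set and reads back as 1 */
#define NNP_STICKY    0x2  /* kernel refused to clear it again */
#define NNP_INHERITED 0x4  /* a fork()ed child starts with it set */

/* Exit code of a child, or 0 if fork/wait failed or it died abnormally. */
static int child_exit_code(pid_t pid)
{
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 0;
    return WEXITSTATUS(status);
}

/* Runs in a throwaway process because setting no_new_privs is one-way. */
static int probe_in_child(void)
{
    int result = 0;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
        prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
        result |= NNP_SET;
    /* Any value other than 1 is rejected, so the bit cannot be dropped. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 &&
        prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
        result |= NNP_STICKY;
    /* The attribute follows the task through fork() (and execve()). */
    pid_t pid = fork();
    if (pid == 0)
        _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 1 : 0);
    if (child_exit_code(pid) == 1)
        result |= NNP_INHERITED;
    return result;
}

/* Returns a bitmask of the NNP_* properties observed on this kernel. */
int no_new_privs_probe(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(probe_in_child());
    return child_exit_code(pid);
}

int main(void)
{
    int r = no_new_privs_probe();
    printf("set=%d sticky=%d inherited=%d\n",
           !!(r & NNP_SET), !!(r & NNP_STICKY), !!(r & NNP_INHERITED));
    return r == (NNP_SET | NNP_STICKY | NNP_INHERITED) ? 0 : 1;
}
```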