Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp609610pxk; Wed, 23 Sep 2020 11:11:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwaQxaMUBgXQ/rBXjnvgseol1akgHzeba0tNasU1GAWV7XEZrGxnJkrY8toMOlhfNx+z9qe X-Received: by 2002:a50:cf8a:: with SMTP id h10mr607824edk.43.1600884666911; Wed, 23 Sep 2020 11:11:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600884666; cv=none; d=google.com; s=arc-20160816; b=IT6rJxFhbVLclnTKU6WrI1dbG76ixxmVFvWliz4r6bKX4n0aXXZmx7pLPc2ha9MJ/b Fn/GeW+xEx0lZRFg6zu/biXB/mtD3atytkwyC+txtG54wBGL+5fH58Ygui083HvIfwoJ Se+3YiWpyKjujmTKGDiMYR0kQ9zgUns/yZjuR4AZjSobzxrcr+43YwDUg52cfG+6fv3e jJ7uF6lDbZ1ezvanzTKOn6HL5mqiAopzydFsjr7O1BfyUzh+XVFs3ETycymFUm2VkBAB 3ME+amMX0OBgiODJT4yly32nyXZXOSTjzNvp2iTy9kLgMpmg0Oxpp1J29o5dBA0O/2+z 3Q/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=7xZZrv7WnQHjdGL3b2IsK9FPchZ9o3FzSBqEVzMAbBY=; b=0ao6fNCtU9P8bGtecQPzq88sIeclUX6dJgK1AZJzebnLxmSg8QpAiomR3X7dGI0uCb 5xRRxyn3X6wsLpkF3qq6hUl7VjUvjyauhcvik1mxNLL8Cnjhmp0mG3pGmh3FVVk94qFo doLQedUp/GZIPXtqfwAEtrGmP9ckKTjWndAg5NOkSvtDDEQ1iVTsqQ/0YI4aILNo188q nyMtO1w4g8Lyk8PKBwc32IPl3edoOBrvUxD+CGfmWdkh5Kc4qJHN1ZAFr2+JxK1dYCoy c4RJPkQZxsR/wngymBNAgF53AJZvucTsKkiFyObjJn+uT/dr58vH1763JEaFIWUfzvIi 9w/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oGNukZ1X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f26si403567edx.455.2020.09.23.11.10.42; Wed, 23 Sep 2020 11:11:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oGNukZ1X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726697AbgIWSJp (ORCPT + 99 others); Wed, 23 Sep 2020 14:09:45 -0400 Received: from mail.kernel.org ([198.145.29.99]:58434 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726674AbgIWSJp (ORCPT ); Wed, 23 Sep 2020 14:09:45 -0400 Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7A216238D7 for ; Wed, 23 Sep 2020 18:09:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600884584; bh=0sQpYjrO1FEOUdJEyt75wZRgQiNVOyCLQf75CE6PFHk=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=oGNukZ1XzS6+01unsngiaWE+87lr66kpPInuBoy/nJdJAwRXJ3MMlxk++8egYoI+l uYqjaOFRo6XImKO5Xgc7VG7K8JPLOLjY/WBGg+8qNiErRQvMbi06E9ylJM0RYc2rP3 xNjnr+21fWQcIlSZqvNMaM83CpvisjcgTDpWjjiw= Received: by mail-wr1-f54.google.com with SMTP id a17so1027327wrn.6 for ; Wed, 23 Sep 2020 11:09:44 -0700 (PDT) X-Gm-Message-State: AOAM531UOc9nAWb6jLloUAuuvmft3ctvvjkhvgG1kOyJOHAR+/Tbdrld VP96UZS2eFn6cdVVjbGXeM/Op95g4bsOyfGxDf4fmA== X-Received: by 2002:adf:a3c3:: with SMTP id m3mr947291wrb.70.1600884582830; Wed, 23 Sep 2020 11:09:42 -0700 (PDT) MIME-Version: 1.0 References: <20200922215326.4603-1-madvenka@linux.microsoft.com> <20200923081426.GA30279@amd> <20200923091456.GA6177@openwall.com> <87wo0ko8v0.fsf@oldenburg2.str.redhat.com> In-Reply-To: <87wo0ko8v0.fsf@oldenburg2.str.redhat.com> From: Andy Lutomirski Date: Wed, 23 Sep 2020 11:09:29 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor To: Florian Weimer Cc: Solar Designer , Pavel Machek , "Madhavan T. Venkataraman" , Kernel Hardening , Linux API , linux-arm-kernel , Linux FS Devel , linux-integrity , LKML , LSM List , Oleg Nesterov , X86 ML , Andrew Lutomirski , David Laight , Mark Rutland , =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , Rich Felker Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 23, 2020 at 7:39 AM Florian Weimer wrote: > > * Solar Designer: > > > While I share my opinion here, I don't mean that to block Madhavan's > > work. I'd rather defer to people more knowledgeable in current userland > > and ABI issues/limitations and plans on dealing with those, especially > > to Florian Weimer. I haven't seen Florian say anything specific for or > > against Madhavan's proposal, and I'd like to. (Have I missed that?) > > There was a previous discussion, where I provided feedback (not much > different from the feedback here, given that the mechanism is mostly the > same). > > I think it's unnecessary for the libffi use case. Precompiled code can > be loaded from disk because the libffi trampolines are so regular. On > most architectures, it's not even the code that's patched, but some of > the data driving it, which happens to be located on the same page due to > a libffi quirk. > > The libffi use case is a bit strange anyway: its trampolines are > type-generic, and the per-call adjustment is data-driven. This means > that once you have libffi in the process, you have a generic > data-to-function-call mechanism available that can be abused (it's even > fully CET compatible in recent versions). And then you need to look at > the processes that use libffi. A lot of them contain bytecode > interpreters, and those enable data-driven arbitrary code execution as > well. I know that there are efforts under way to harden Python, but > it's going to be tough to get to the point where things are still > difficult for an attacker once they have the ability to make mprotect > calls. > > It was pointed out to me that libffi is doing things wrong, and the > trampolines should not be type-generic, but generated so that they match > the function being called. That is, the marshal/unmarshal code would be > open-coded in the trampoline, rather than using some generic mechanism > plus run-time dispatch on data tables describing the function type. > That is a very different design (and typically used by compilers (JIT or > not JIT) to implement native calls). Mapping some code page with a > repeating pattern would no longer work to defeat anti-JIT measures > because it's closer to real JIT. I don't know if kernel support could > make sense in this context, but it would be a completely different > patch. I would very much like to see a well-designed kernel facility for helping userspace do JIT in a safer manner, but designing such a thing is likely to be distinctly nontrivial. To throw a half-backed idea out there, suppose a program could pre-declare a list of JIT verifiers: static bool ffi_trampoline_verifier(void *target_address, size_t target_size, void *source_data, void *context); struct jit_verifier { .magic = 0xMAGIC_HERE, .verifier = ffi_trampoline_verifier, } my_verifier __attribute((section("something special here?))); and then a system call something like: instantiate_jit_code(target, source, size, &my_verifier, context); The idea being that even an attacker that can force a call to instantiate_jit_code() can only create code that passes verification by one of the pre-declared verifiers in the process.