From: Lokesh Gidra
Date: Thu, 19 Nov 2020 12:39:15 -0800
Subject: Re: [PATCH v6 0/2] Control over userfaultfd kernel-fault handling
To: Kees Cook, Jonathan Corbet, Peter Xu, Andrea Arcangeli, Sebastian Andrzej Siewior, Andrew Morton
Cc: Alexander Viro, Stephen Smalley, Eric Biggers, Daniel Colascione, "Joel Fernandes (Google)", Linux FS Devel, linux-kernel, linux-doc@vger.kernel.org, Kalesh Singh, Calin Juravle, Suren Baghdasaryan, Jeffrey Vander Stoep, "Cc: Android Kernel", Mike Rapoport, Shaohua Li, Jerome Glisse, Mauro Carvalho Chehab, Johannes Weiner, Mel Gorman, Nitin Gupta, Vlastimil Babka, Iurii Zaikin, Luis Chamberlain
In-Reply-To: <20201026210052.3775167-1-lokeshgidra@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 26, 2020 at 2:00 PM Lokesh Gidra wrote:
>
> This patch series is split from [1]. The other series enables SELinux
> support for userfaultfd file descriptors so that its creation and
> movement can be controlled.
>
> It has been demonstrated on various occasions that suspending kernel
> code execution for an arbitrary amount of time at any access to
> userspace memory (copy_from_user()/copy_to_user()/...) can be exploited
> to change the intended behavior of the kernel. For instance, handling
> page faults in kernel-mode using userfaultfd has been exploited in [2, 3].
> Likewise, FUSE, which is similar to userfaultfd in this respect, has been
> exploited in [4, 5] for a similar outcome.
>
> This small patch series adds a new flag to userfaultfd(2) that allows
> callers to give up the ability to handle kernel-mode faults with the
> resulting UFFD file object. It then adds a 'user-mode only' option to
> the unprivileged_userfaultfd sysctl knob to require unprivileged
> callers to use this new flag.
>
> The purpose of this new interface is to decrease the chance of an
> unprivileged userfaultfd user taking advantage of userfaultfd to
> enhance security vulnerabilities by lengthening the race window in
> kernel code.
>
> [1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@google.com/
> [2] https://duasynt.com/blog/linux-kernel-heap-spray
> [3] https://duasynt.com/blog/cve-2016-6187-heap-off-by-one-exploit
> [4] https://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linux-kernel_20.html
> [5] https://bugs.chromium.org/p/project-zero/issues/detail?id=808
>
> Changes since v5:
>
> - Added printk_once when unprivileged_userfaultfd is set to 0 and
>   userfaultfd syscall is called without UFFD_USER_MODE_ONLY in the
>   absence of CAP_SYS_PTRACE capability.
>
> Changes since v4:
>
> - Added warning when bailing out from handling kernel fault.
>
> Changes since v3:
>
> - Modified the meaning of value '0' of unprivileged_userfaultfd
>   sysctl knob. Setting this knob to '0' now allows unprivileged users
>   to use userfaultfd, but can handle page faults in user-mode only.
> - The default value of unprivileged_userfaultfd sysctl knob is changed
>   to '0'.
>
> Changes since v2:
>
> - Removed 'uffd_flags' and directly used 'UFFD_USER_MODE_ONLY' in
>   userfaultfd().
>
> Changes since v1:
>
> - Added external references to the threats from allowing unprivileged
>   users to handle page faults from kernel-mode.
> - Removed the new sysctl knob restricting handling of page
>   faults from kernel-mode, and added an option for the same
>   in the existing 'unprivileged_userfaultfd' knob.
>
> Lokesh Gidra (2):
>   Add UFFD_USER_MODE_ONLY
>   Add user-mode only option to unprivileged_userfaultfd sysctl knob
>
>  Documentation/admin-guide/sysctl/vm.rst | 15 ++++++++++-----
>  fs/userfaultfd.c                        | 20 +++++++++++++++++---
>  include/uapi/linux/userfaultfd.h        |  9 +++++++++
>  3 files changed, 36 insertions(+), 8 deletions(-)
>
> --
> 2.29.0.rc1.297.gfa9743e501-goog
>

It's been quite some time since this patch series received a 'Reviewed-by' from Andrea. Please let me know if anything is blocking it from moving forward.
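As an added illustration (not part of this thread or of the kernel series), the two gates the cover letter describes, modelled in C next to the open pattern an unprivileged program would use under the new policy. UFFD_USER_MODE_ONLY's value is taken from the uapi header; the `uffd_*` helper names are mine, and the two policy functions are a model of the described behaviour, not the kernel's code.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Flag value from include/uapi/linux/userfaultfd.h, repeated here so the
 * file also builds against headers that predate the series. */
#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1
#endif

/* Illustrative model (not the kernel's code) of the admission check the
 * cover letter describes: with unprivileged_userfaultfd at 0, a caller
 * lacking CAP_SYS_PTRACE must pass UFFD_USER_MODE_ONLY or gets -EPERM. */
int uffd_create_permitted(int unprivileged_uffd_knob, int has_cap_sys_ptrace,
                          unsigned int flags)
{
    if (unprivileged_uffd_knob == 0 && !(flags & UFFD_USER_MODE_ONLY) &&
        !has_cap_sys_ptrace)
        return -EPERM;
    return 0;
}

/* Model of the fault path once the fd exists: a kernel-mode access
 * (copy_from_user() etc.) to a user-mode-only context is not queued to the
 * handler, so userspace cannot hold kernel code in the fault indefinitely. */
int uffd_fault_queued(unsigned int ctx_flags, int fault_from_user_mode)
{
    if (!fault_from_user_mode && (ctx_flags & UFFD_USER_MODE_ONLY))
        return 0; /* kernel bails out of handling instead of waiting */
    return 1;
}

/* Unprivileged open pattern: request user-mode-only handling first; EINVAL
 * means the running kernel predates the flag, so retry without it.
 * Returns the fd or -errno; *user_mode_only reports what was granted. */
int open_uffd(int *user_mode_only)
{
    int fd = -1;
    *user_mode_only = 1;
#ifdef SYS_userfaultfd
    fd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
    if (fd < 0 && errno == EINVAL) {
        *user_mode_only = 0;
        fd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    }
#else
    errno = ENOSYS;
#endif
    return fd < 0 ? -errno : fd;
}
```

A fd obtained with `*user_mode_only == 1` can still be registered and serviced as before; only faults raised by kernel code on the registered ranges are no longer delivered to the handler.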