Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp6840814rwd;
        Mon, 19 Jun 2023 13:20:39 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ4A+tg9h/LKtmQ2aZuxRMCooD6YW0fB/t84eeqRs8A2IIzyUaUiwC8eftum4CDfOddP2ntN
X-Received: by 2002:a17:902:e5cc:b0:1b5:1475:2f21 with SMTP id u12-20020a170902e5cc00b001b514752f21mr18488796plf.20.1687206038985;
        Mon, 19 Jun 2023 13:20:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1687206038; cv=none;
        d=google.com; s=arc-20160816;
        b=P19ach3iSZ7gWDgO2Y4ZaR05R70Hy+tt9qZfo6JXRjR6seXz0iE1I1XglFk3iQBXSI
         w5L8epxN4uHeWQqukImfSvBVSNiEShLZWTSKbgwVQDw52RWF9C++SVVmAXP4etKYcPgS
         FDMhJHw/AysLW6wEdPq+6uue6Syf1tQNuOC0Gleim+TmVjFs6xeTxslT+Lzci4asgHLT
         8Vbu1hEXoBMQ3q8nxq7pOtAWvsZwGWCkth/4Lnz6v7MyC0/UXvfy80snh76vNYtdxAg9
         TLYEkQ6Lhx19ilaw0yjaCdy8DW0rAU90ofSRT8rLufzp45ZdeJok/exHeKim0N36peMi
         rzPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=2mZiRdSqt+8wYLSRq7eLPC9b4RpYVG9iNh28AaCGdYw=;
        b=ps4zscnxAlyv9lIxlpqv3gLVjgDVEfZb8G4i6j/ROksxRqg6/6ESrxK1CCm5saJPdD
         pv5vxOHSQMVjYw4PLOZZPV0m1XifXIY4toLMKC/P0wkl8hLNxYJDvLm/PaP0Z/ONU0DG
         0B1QgZaN9UWflHPfscnN+nvPfr+DWkEprds2tu/BmMi99UdyM+Wfg8nNOnjXkezv+w2L
         yoBSNxG9hGLDCufkiJhZNvQpOaCf91Rj8CZ95QyXucn+635LtKmRQkVOqHG3oFBks+Ir
         /mbtyke0KHN3VcbtreYk418c983853+cu2jtBAeK2zuBOT9TKQ/jiiSjtF57YUoP6KiH
         3BYA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=VbyQLRYN;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id jn9-20020a170903050900b001b3a001a0dbsi379309plb.361.2023.06.19.13.20.26;
        Mon, 19 Jun 2023 13:20:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=VbyQLRYN;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229595AbjFSTpt (ORCPT <rfc822;ahmad.hassan612@gmail.com>
        + 99 others); Mon, 19 Jun 2023 15:45:49 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47574 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229641AbjFSTps (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 19 Jun 2023 15:45:48 -0400
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BD01911A
        for <linux-kernel@vger.kernel.org>; Mon, 19 Jun 2023 12:45:45 -0700 (PDT)
Received: by mail-pf1-x42e.google.com with SMTP id d2e1a72fcca58-6685421cdb3so1398543b3a.1
        for <linux-kernel@vger.kernel.org>; Mon, 19 Jun 2023 12:45:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1687203945; x=1689795945;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=2mZiRdSqt+8wYLSRq7eLPC9b4RpYVG9iNh28AaCGdYw=;
        b=VbyQLRYNz3Mu4xhjfuwM6hsK60V4+prvJC2X+UK9XAc/Elig3W+lZfOdm3lsaFffXc
         aLwRhEXpqpl49PVYjZsMWtH3rA+TStqTAEBqKAhOrHyss+uM65w2xGYEfuipVtRsXjG5
         f8D6Fx7Bv1krhLICrN7S8Z1r0/mK+azg85Gk8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1687203945; x=1689795945;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=2mZiRdSqt+8wYLSRq7eLPC9b4RpYVG9iNh28AaCGdYw=;
        b=b0RR28m/R4En1VPZLcmzYNG8gknbk2nykKnn6Nbcn+BV0j3DJyjkVRRfwEjcE+qMdR
         wZVZ6G/DOS3glwQVARX5ffw7B6trSD49s491gMJdZ3eh1GpSsBYmS3JC90d1bcuUQVPk
         yvXmUfM5KmIXEdLGgUfmE6sM4dg/QrldzsNC3+7taLL1GTaVAlRAXPAy39RnTVBKLN8s
         HWceQLq+29hd2EpztgPXMV3j/IR0rSV/6cuJNrJFtJX4w4Si1UJqX7HoybJkmoFaJfA/
         HjGp3+EzgIrEMVOPmUXLu5vG0egqi5UVeTXcuW7LDWOsuxBPAqaHk0m38+ERcy3d2sHF
         UE+w==
X-Gm-Message-State: AC+VfDyq3vnF9NptXJUeIovHftS/pKgLm8s0ke2WY2+Vr0LwfbWJ0oPk
        Qsl14Kzub2D4Uzkg7FlzgYA66A==
X-Received: by 2002:a05:6a20:9389:b0:121:637e:f0e5 with SMTP id x9-20020a056a20938900b00121637ef0e5mr6130614pzh.5.1687203945205;
        Mon, 19 Jun 2023 12:45:45 -0700 (PDT)
Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241])
        by smtp.gmail.com with ESMTPSA id h18-20020a63f912000000b00519c3475f21sm76437pgi.46.2023.06.19.12.45.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Jun 2023 12:45:44 -0700 (PDT)
Date:   Mon, 19 Jun 2023 12:45:43 -0700
From:   Kees Cook <keescook@chromium.org>
To:     Kent Overstreet <kent.overstreet@linux.dev>
Cc:     Andy Lutomirski <luto@kernel.org>,
        Johannes Thumshirn <Johannes.Thumshirn@wdc.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
        "linux-bcachefs@vger.kernel.org" <linux-bcachefs@vger.kernel.org>,
        Kent Overstreet <kent.overstreet@gmail.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Uladzislau Rezki <urezki@gmail.com>,
        "hch@infradead.org" <hch@infradead.org>,
        "linux-mm@kvack.org" <linux-mm@kvack.org>,
        "linux-hardening@vger.kernel.org" <linux-hardening@vger.kernel.org>
Subject: Re: [PATCH 07/32] mm: Bring back vmalloc_exec
Message-ID: <202306191228.6A98FD25@keescook>
References: <20230509165657.1735798-1-kent.overstreet@linux.dev>
 <20230509165657.1735798-8-kent.overstreet@linux.dev>
 <3508afc0-6f03-a971-e716-999a7373951f@wdc.com>
 <202305111525.67001E5C4@keescook>
 <ZF6Ibvi8U9B+mV1d@moria.home.lan>
 <202305161401.F1E3ACFAC@keescook>
 <ZGPzocRpSlg+4vgN@moria.home.lan>
 <1d249326-e3dd-9c9d-7b53-2fffeb39bfb4@kernel.org>
 <ZI3Sh6p8b4FcP0Y2@moria.home.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZI3Sh6p8b4FcP0Y2@moria.home.lan>
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jun 17, 2023 at 11:34:31AM -0400, Kent Overstreet wrote:
> On Fri, Jun 16, 2023 at 09:13:22PM -0700, Andy Lutomirski wrote:
> > On 5/16/23 14:20, Kent Overstreet wrote:
> > > On Tue, May 16, 2023 at 02:02:11PM -0700, Kees Cook wrote:
> > > > For something that small, why not use the text_poke API?
> > > 
> > > This looks like it's meant for patching existing kernel text, which
> > > isn't what I want - I'm generating new functions on the fly, one per
> > > btree node.
> > 
> > Dynamically generating code is a giant can of worms.
> > 
> > Kees touched on a basic security thing: a linear address mapped W+X is a big
> > no-no.  And that's just scratching the surface -- ideally we would have a
> > strong protocol for generating code: the code is generated in some
> > extra-secure context, then it's made immutable and double-checked, then
> > it becomes live.
> 
> "Double checking" arbitrary code is is fantasy. You can't "prove the
> security" of arbitrary code post compilation.

I think there's a misunderstanding here about the threat model I'm
interested in protecting against for JITs. While making sure the VM of a
JIT is safe in itself, that's separate from what I'm concerned about.

The threat model is about flaws _elsewhere_ in the kernel that can
leverage the JIT machinery to convert a "write anything anywhere anytime"
exploit primitive into an "execute anything" primitive. Arguments can
be made to say "a write anything flaw means the total collapse of the
security model so there's no point defending against it", but both that
type of flaw and the slippery slope argument don't stand up well to
real-world situations.

The kinds of flaws we've seen are frequently limited in scope (write
1 byte, write only NULs, write only in a specific range, etc), but
when chained together, the weakest link is what ultimately compromises
the kernel. As such, "W^X" is a basic building block of the kernel's
self-defense methods, because it is such a potent target for a
write->execute attack upgrades.

Since a JIT constructs something that will become executable, it needs
to defend itself against stray writes from other threads. Since Linux
doesn't (really) use per-CPU page tables, the workspace for a JIT can be
targeted by something that isn't the JIT. To deal with this, JITs need
to use 3 phases: a writing pass (into W memory), then switch it to RO
and perform a verification pass (construct it again, but compare results
to the RO version), and finally switch it executable. Or, it can use
writes to memory that only the local CPU can perform (i.e. text_poke(),
which uses a different set of page tables with different permissions).

Without basic W^X, it becomes extremely difficult to build further
defenses (e.g. protecting page tables themselves, etc) since WX will
remain the easiest target.

-Kees

-- 
Kees Cook